Security & Compliance

Security & Compliance at IMR Technologies

How we protect customer data and infrastructure today, and the independent certifications we are working toward.

Compliance and Certification are not the same thing

Compliance means we follow a standard or law and have implemented the corresponding controls internally. Certification means an accredited, independent auditor has formally verified those controls against the standard and issued a certificate. GDPR and DPDPA are laws — there is no official government "GDPR Certified" or "DPDPA Certified" credential to obtain. For those, we describe our posture as compliant or readiness in progress. For ISO 27001 and SOC 2, which are certifiable, we only use the word certified once an accredited body has actually issued that certificate — see our roadmap below for current status.

What we do today

These are operating practices in place across our platform and datacenter now — not certifications.

Information Security Management Program

A documented ISMS covering policy, risk management, asset inventory, and control ownership across our datacenter, cloud, and application environments.

DPDPA Readiness Framework

Consent and notice practices, data principal rights handling, breach notification procedures, and retention limits aligned to India’s Digital Personal Data Protection Act.

GDPR-Aligned Privacy Controls

Lawful-basis documentation, records of processing, data subject rights workflows, and processor agreements aligned to GDPR accountability principles.

Secure Datacenter Operations

Our Hyderabad private datacenter runs on a segmented network with monitored physical access, redundant power, and managed VMware infrastructure.

Role-Based Access Control (RBAC)

Least-privilege access across staff and customer-facing systems, with role assignment reviewed and logged.

Backup & Disaster Recovery Processes

Scheduled backups, snapshot-based recovery points, and documented disaster-recovery procedures for hosted and managed environments.

Incident Response Procedures

A defined process for identifying, containing, and communicating security incidents, including customer notification steps.

Security Monitoring & Logging

Centralized audit logging and event monitoring across the platform, with anomaly review for administrative and access activity.

Certification Roadmap

Our phased plan for pursuing formal, independently-audited certifications — starting with ISO 27001, the most relevant credential for a datacenter, cloud, SAP hosting, and managed services provider.

Phase 1 — Immediate

  • ISO/IEC 27001

    Information Security Management System — control mapping and evidence collection in progress

  • ISO 9001

    Quality Management System — structured service delivery processes

  • DPDPA

    Compliance program implementation (India)

  • GDPR

    Readiness program for accountability obligations

Phase 2 — As IMRTech Grows

  • SOC 2 Type I

    Trust Services Criteria — security, availability, confidentiality

  • ISO/IEC 27701

    Privacy Information Management System (ISO 27001 extension)

Phase 3 — Enterprise Scale

  • SOC 2 Type II

    Extended-period operating-effectiveness attestation

  • ISO 22301

    Business Continuity Management System

  • ISO/IEC 20000-1

    IT Service Management System

Need details for a vendor security review?

Reach out to our team for our current security questionnaire responses, data processing terms, and certification status.

Want this compliance tracking capability for your own company? Explore our Security & Compliance software