Your idea is treated like the IP it is — encrypted, scoped, never resold.
Encrypted at rest with AES-256. Encrypted in transit with TLS 1.3. Hosted in India (Mumbai). Access restricted to named operators on the Maitro team. Conflict-of-interest scan run against every prior engagement before review. Zero advertising trackers, zero data brokers, zero data resale. SOC 2 Type II planned for Q2 2027.
Encryption
- At rest: AES-256, application-layer envelope encryption, keys rotated every 90 days.
- In transit: TLS 1.3 only · HTTP/2 with HSTS preload.
- Backups: encrypted at rest in a separate region within India.
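The "application-layer envelope encryption, keys rotated every 90 days" line above is the one most worth seeing concretely: a per-record data-encryption key (DEK) protects the payload, and a key-encryption key (KEK) wraps the DEK, so rotating the KEK means re-wrapping small keys rather than re-encrypting every stored record. The block below is an added illustration, not Maitro's code; the KEK identifiers, the `recordId` used as associated data, and holding the KEK in an in-memory `Map` (rather than in a KMS or HSM, where it would live in production) are all assumptions made so the example runs offline.

```typescript
// Added example (not Maitro's code): AES-256-GCM envelope encryption with
// KEK rotation that leaves stored ciphertext untouched.
// Assumption: KEKs are in-memory buffers here; in production they would be
// held by a KMS/HSM and only the wrap/unwrap calls would leave this process.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

export interface Envelope {
  kekId: string;        // which KEK wraps the DEK; changes on rotation
  wrappedDek: Buffer;   // DEK encrypted under the KEK
  dekIv: Buffer;
  dekTag: Buffer;
  iv: Buffer;           // nonce for the payload
  tag: Buffer;          // GCM authentication tag for the payload
  ciphertext: Buffer;
}

const ALG = "aes-256-gcm";

// Encrypt `plaintext` under `key`, binding `aad` into the authentication tag.
function seal(key: Buffer, plaintext: Buffer, aad: Buffer) {
  const iv = randomBytes(12); // 96-bit nonce, fresh per call
  const cipher = createCipheriv(ALG, key, iv);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt and verify; throws if the tag or the associated data do not match.
function open(key: Buffer, iv: Buffer, tag: Buffer, ciphertext: Buffer, aad: Buffer): Buffer {
  const decipher = createDecipheriv(ALG, key, iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

export function encryptRecord(kekId: string, kek: Buffer, recordId: string, plaintext: Buffer): Envelope {
  const dek = randomBytes(32);                  // fresh 256-bit DEK per record
  const body = seal(dek, plaintext, Buffer.from(recordId)); // record id as AAD
  const wrap = seal(kek, dek, Buffer.from(kekId));          // KEK id as AAD
  dek.fill(0); // best-effort scrub of the plaintext DEK
  return { kekId, wrappedDek: wrap.ciphertext, dekIv: wrap.iv, dekTag: wrap.tag, ...body };
}

export function decryptRecord(keks: Map<string, Buffer>, recordId: string, env: Envelope): Buffer {
  const kek = keks.get(env.kekId);
  if (!kek) throw new Error(`unknown KEK ${env.kekId}`);
  const dek = open(kek, env.dekIv, env.dekTag, env.wrappedDek, Buffer.from(env.kekId));
  return open(dek, env.iv, env.tag, env.ciphertext, Buffer.from(recordId));
}

// Rotation: unwrap the DEK under the old KEK and re-wrap it under the new one.
// The payload ciphertext, its IV and its tag are not touched.
export function rotateKek(keks: Map<string, Buffer>, newKekId: string, env: Envelope): Envelope {
  const oldKek = keks.get(env.kekId);
  const newKek = keks.get(newKekId);
  if (!oldKek || !newKek) throw new Error("KEK not available");
  const dek = open(oldKek, env.dekIv, env.dekTag, env.wrappedDek, Buffer.from(env.kekId));
  const wrap = seal(newKek, dek, Buffer.from(newKekId));
  dek.fill(0);
  return { ...env, kekId: newKekId, wrappedDek: wrap.ciphertext, dekIv: wrap.iv, dekTag: wrap.tag };
}
```

Binding the record id into the GCM associated data means a ciphertext copied from one record into another fails to decrypt, and keeping the KEK id in the envelope is what makes a 90-day rotation a bookkeeping job: rows whose `kekId` is older than the current key are re-wrapped in the background, and the old KEK is retired once none remain.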
Access control
- SSH-only infrastructure access via hardware-key MFA.
- Application-level RBAC with named operator roles · least-privilege by default.
- Production database access logged, alerted, reviewed monthly.
- No "admin god mode" — every operator action is attributed and audited.
Data residency
Primary residency is India (Mumbai region). We do not use US-region cloud services for applicant or member data because Indian senior-leader data should sit under Indian jurisdiction.
Sub-processors
- Postmark / AWS SES — transactional email delivery
- Cal.com — calendar booking for Discovery calls
- Vercel + Mumbai region — application hosting (Phase 1)
- Razorpay — payment processing for paid tiers
- Cloudflare — CDN + DDoS protection (transit only, no decryption)
The conflict-of-interest scan
Before any application is reviewed, we run your venture brief against every active and historical Maitro engagement. If we find a competitive collision, we either decline your application or recuse the relevant crew members and disclose the recusal in writing. Your application content never leaves the review pool until this scan is clean.
Vulnerability disclosure
If you've found a security issue, email [email protected]. We respond within 48 hours, credit responsible disclosure publicly (with consent), and will not pursue legal action against good-faith security research.
The 80-point Quality Gate (every Maitro venture)
Every venture Maitro ships — yours included — has to clear a written 80-point gate before it goes public. Mandatory minimum: ≥ 75/80, with hard floors on Security (≥ 8/10), Build (≥ 9/10), and Compliance (≥ 8/10). The full gate runs automatically on every deploy via our Prahari audit pipeline. The categories are:
- Build & Type Safety (10 points): Zero TypeScript errors at build time. Strict mode. No `any` escapes in production code paths.
- Security Headers (10 points): HSTS preload, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy on every response.
- Auth on Protected Routes (10 points): Every non-public route checks an authenticated session. RBAC where roles exist. Anti-bot on every form (Cloudflare Turnstile).
- Error Contracts (8 points): RFC 7807 problem-details on every API failure. Stable error codes. No raw stack traces leaked to clients.
- Structured Logging (8 points): Pino structured logs (or equivalent) across client + server. Request IDs propagated. PII redacted.
- Observability (8 points): Sentry instrumented on client + server with release tags. Error budget tracked. p95 latency monitored.
- Uptime & SLA (8 points): 99.9% uptime SLA from launch + 30 days. Health endpoint, watchdog cron, paging on degradation.
- Test Coverage (6 points): Vitest unit coverage on critical paths. Playwright E2E on the golden flow. CI green before any deploy.
- Privacy & Compliance (6 points): DPDP-aligned data handling. India-resident storage. Privacy policy + Terms current. Consent + revocation paths working.
- Disaster Recovery (6 points): Quarterly DR drill scheduled and run. RTO/RPO documented. Encrypted backups in a separate India region.
Roadmap
- Q3 2026 — Internal SOC 2 readiness with Drata.
- Q4 2026 — External penetration test (CERT-In empanelled vendor).
- Q2 2027 — SOC 2 Type II audit window opens.
- Q4 2027 — ISO 27001:2022 certification target.