Security & Compliance

The architecture, controls, and standards that protect your data on iDharma.

Effective May 11, 2026 Last updated May 11, 2026 v1.0

Summary

iDharma encrypts data in transit with TLS 1.3 and at rest with AES-256. Verification documents have separate encryption keys. Access is role-based with two-factor authentication for admin accounts, and every action is audit-logged for 12 months. Payments run through Stripe Connect — we never receive raw card data. A SOC 2 Type 1 audit is in progress (target Q3 2026), and we maintain a published GDPR and CCPA baseline. Security incidents are investigated within 24 hours and affected users notified within 72 hours per GDPR. Report vulnerabilities to connect@idharma.us.

01 Our Security Commitment

Security is foundational to iDharma. As a marketplace that handles identity verification, confidential project work, and payments, we treat the protection of your data as a core responsibility — not an afterthought. The platform is built on the principles of least-privilege access, defense in depth, and a documented incident response process.

Where a control or certification is not yet in place, we state the honest status and, where relevant, a public target date. Accuracy matters more than marketing.

02 Infrastructure & Hosting

iDharma is built on a Laravel + MySQL + Stripe Connect stack hosted in the United States. The mobile application is built with React Native / Expo. All client-server communication is over HTTPS with TLS 1.3.

Web — Laravel application, served over HTTPS · TLS 1.3.
Database — MySQL 8, hosted in the us-east region (USA).
Mobile — React Native / Expo application.
  • Transport: HTTPS with TLS 1.3; HSTS enforced. Older protocols are disabled at the load balancer.
  • API authentication: Laravel Sanctum bearer tokens — scoped and revocable.
  • Realtime: messaging delivered via Laravel Reverb / Pusher.
  • Region: application and database hosted in the United States.

03 Data Encryption

iDharma applies layered cryptography across transport, storage, secrets, and credentials. Algorithms are chosen to meet current NIST recommendations; weak protocols are disabled.

  • In transit — TLS 1.3 for all HTTP traffic, with HSTS enforced and older protocols disabled.
  • At rest (general) — AES-256 across the database, file storage, and backups.
  • Verification documents — government IDs and proof-of-address are stored with AES-256 and a separate, isolated key envelope; access is logged per document.
  • Secrets and API keys — held in a vendor-managed key management service (e.g. AWS Secrets Manager); never stored in source code or client apps.
  • Passwords — hashed with bcrypt at work factor 12 (Laravel default); never reversible.
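The separate key envelope for verification documents described above, as an added example in Go that is not iDharma's code: each document is encrypted with AES-256-GCM under its own data-encryption key (DEK), the DEK is wrapped under a vault-level key-encryption key (KEK) that is isolated from the general at-rest key, and every retrieval, successful or not, is appended to a per-document access log. The `Vault`, `Store` and `Retrieve` names, the in-memory KEK (a stand-in for a key held in a KMS), and binding the document ID as associated data are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// AccessEvent is one entry in the per-document access log (constructed for this example).
type AccessEvent struct {
	When  time.Time
	Actor string
	DocID string
	OK    bool
}

// EncryptedDoc is what the store keeps: the document ciphertext plus its own
// data-encryption key (DEK), wrapped under the vault's key-encryption key (KEK).
type EncryptedDoc struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

// Vault models the verification-document store. The KEK lives in memory only
// so the example runs offline; in a real deployment it stays inside a KMS and
// the wrap/unwrap calls go to that service (assumption, not iDharma's design).
type Vault struct {
	kek       []byte
	AccessLog []AccessEvent
}

func NewVault() (*Vault, error) {
	kek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Vault{kek: kek}, nil
}

// sealGCM encrypts with AES-256-GCM; the random nonce is prepended to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails if the key, nonce, tag or aad do not match.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Store generates a fresh DEK for this document, encrypts the document under
// it, then wraps the DEK under the KEK. The document ID is bound as associated
// data so neither ciphertext nor wrapped key can be moved to another record.
func (v *Vault) Store(id string, plaintext []byte) (*EncryptedDoc, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(v.kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &EncryptedDoc{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Retrieve unwraps the DEK, decrypts the document, and records the access
// (success or failure) against the document ID before returning.
func (v *Vault) Retrieve(actor string, doc *EncryptedDoc) (plain []byte, err error) {
	defer func() {
		v.AccessLog = append(v.AccessLog, AccessEvent{When: time.Now(), Actor: actor, DocID: doc.ID, OK: err == nil})
	}()
	dek, err := openGCM(v.kek, doc.WrappedDEK, []byte(doc.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", doc.ID, err)
	}
	return openGCM(dek, doc.Ciphertext, []byte(doc.ID))
}

func main() {
	v, _ := NewVault()
	doc, _ := v.Store("doc-42", []byte("constructed proof-of-address scan"))
	plain, err := v.Retrieve("reviewer-1", doc)
	fmt.Printf("decrypted %q (err=%v); access log entries: %d\n", plain, err, len(v.AccessLog))
}
```

Because the KEK never touches document ciphertext directly, rotating it means re-wrapping only the small DEKs rather than re-encrypting every file, and revoking access to the document store does not expose the general at-rest key.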

04 Access Controls

  • Role-based access control (RBAC) — distinct Admin, Reviewer, Support, and User roles.
  • Two-factor authentication (2FA) required for all admin accounts, via TOTP authenticator apps.
  • Single sign-on (SSO) via Google Workspace for the internal team.
  • Least-privilege principle — internal access is reviewed quarterly and revoked when no longer required.
  • Production database access restricted to two named engineers, and audit-logged.
  • Session timeout — 30 minutes idle, 24 hours absolute.

05 Payments Security

All marketplace payments and escrow are handled through Stripe Connect, a PCI-DSS Level 1 certified provider. iDharma never receives or stores raw card data — cardholder information is processed entirely within Stripe's environment.

Stripe also powers identity verification and KYC checks. Because Stripe Connect handles all cardholder data, PCI-DSS does not apply directly to iDharma's own systems.

06 Compliance & Standards

Where a certification is not yet held, the honest status and a public target date are listed below. We do not claim certifications we have not earned.

  • SOC 2 Type 1 — audit in progress, targeting Q3 2026.
  • SOC 2 Type 2 — not yet started, targeting Q4 2027.
  • GDPR — compliant, with a published baseline; maintained continuously.
  • CCPA — compliant, with a published baseline; maintained continuously.
  • HIPAA — not currently in scope; would be required if a Healthcare AI Marketplace launches (anticipated 2027 with that vertical).
  • ISO 27001 — not yet started; working toward certification by 2028.
  • PCI-DSS — not applicable directly. Stripe Connect handles cardholder data; iDharma never receives raw card data.

iDharma is not yet SOC 2 or ISO 27001 certified. The dates above are public targets, not guarantees. Current attestations available on request are limited to our published GDPR and CCPA baselines.

07 Third-Party Subprocessors

Every vendor that may process customer data holds an independent attestation. This list supports enterprise procurement reviews.

  • Stripe — payments, KYC, and identity verification. PCI-DSS Level 1, SOC 1/2/3 Type 2, ISO 27001.
  • DocuSign — e-signatures for NDAs and contracts. SOC 1/2 Type 2, ISO 27001, GDPR-aligned.
  • Pusher / Laravel Reverb — real-time messaging. SOC 2 Type 2 (Pusher).
  • Zoom — video meetings. SOC 2 Type 2, ISO 27001.
  • Google (OAuth + Workspace) — authentication and internal collaboration. ISO 27001 / 27017 / 27018, SOC 2 Type 2.
  • Microsoft (Graph + Azure auth) — authentication. ISO 27001, SOC 2 Type 2.
  • Cloud hosting provider — application and database hosting. SOC 2 Type 2, ISO 27001.
  • Cloudinary — media storage. SOC 2 Type 2.
  • Email service provider — transactional and marketing email. SOC 2 Type 2.

A full subprocessor list with addresses is available in the Data Processing Agreement.

08 Monitoring & Incident Response

Audit logging and monitoring

  • Every write to user-data tables logs the timestamp, actor, action, before/after state, IP, and user-agent.
  • Logs are retained 12 months in an encrypted, append-only store — longer if required for an active security investigation.
  • Real-time alerting on failed-login spikes, privilege escalation attempts, unusual data export patterns, payment anomalies, and sanctioned-country access attempts.
  • Quarterly log review by the security lead.
  • Customer-facing audit logs are available on request for SOC 2 in-scope activities.
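Two of the alerting rules listed above, failed-login spikes and privilege escalation, run over audit records carrying the fields the policy names (timestamp, actor, action, before/after state, IP, user-agent). This is an added example in Go, not iDharma's detection code: the JSON-lines shape of the records, the `login.failed` and `user.update` action names, the `role` field in the before/after state, and the sample log lines themselves are all constructed for the example. The spike rule is a sliding window (at least `threshold` failures from one IP within `window`, alerting once per burst); the escalation rule fires on any write whose after-state grants the Admin role where the before-state did not.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event mirrors the audit fields the policy lists. The JSON shape is an assumption.
type Event struct {
	TS     time.Time         `json:"ts"`
	Actor  string            `json:"actor"`
	Action string            `json:"action"`
	Before map[string]string `json:"before"`
	After  map[string]string `json:"after"`
	IP     string            `json:"ip"`
	UA     string            `json:"ua"`
}

type Alert struct {
	Rule    string
	Subject string
	At      time.Time
}

// SampleLog is constructed: one old failure and three recent ones from
// 198.51.100.5 (below threshold once the window drops the old one), five
// failures in 80 seconds from 203.0.113.7, and a role change to Admin.
const SampleLog = `
{"ts":"2026-05-11T09:30:00Z","actor":"-","action":"login.failed","ip":"198.51.100.5","ua":"curl/8.0"}
{"ts":"2026-05-11T10:00:00Z","actor":"-","action":"login.failed","ip":"203.0.113.7","ua":"python-requests/2.31"}
{"ts":"2026-05-11T10:00:20Z","actor":"-","action":"login.failed","ip":"203.0.113.7","ua":"python-requests/2.31"}
{"ts":"2026-05-11T10:00:40Z","actor":"-","action":"login.failed","ip":"203.0.113.7","ua":"python-requests/2.31"}
{"ts":"2026-05-11T10:01:00Z","actor":"-","action":"login.failed","ip":"203.0.113.7","ua":"python-requests/2.31"}
{"ts":"2026-05-11T10:01:20Z","actor":"-","action":"login.failed","ip":"203.0.113.7","ua":"python-requests/2.31"}
{"ts":"2026-05-11T10:02:00Z","actor":"-","action":"login.failed","ip":"198.51.100.5","ua":"curl/8.0"}
{"ts":"2026-05-11T10:02:30Z","actor":"-","action":"login.failed","ip":"198.51.100.5","ua":"curl/8.0"}
{"ts":"2026-05-11T10:03:00Z","actor":"-","action":"login.failed","ip":"198.51.100.5","ua":"curl/8.0"}
{"ts":"2026-05-11T10:05:00Z","actor":"support-1","action":"user.update","before":{"id":"u-88","role":"User"},"after":{"id":"u-88","role":"Admin"},"ip":"192.0.2.10","ua":"Mozilla/5.0"}
`

// ParseEvents reads one JSON object per line, skips blank lines, and sorts
// by timestamp so the sliding window sees events in order.
func ParseEvents(lines string) ([]Event, error) {
	var out []Event
	for n, raw := range strings.Split(lines, "\n") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(raw), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, e)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].TS.Before(out[j].TS) })
	return out, nil
}

// Detect applies the two rules and returns alerts in event order.
func Detect(events []Event, threshold int, window time.Duration) []Alert {
	var alerts []Alert
	recent := map[string][]time.Time{} // ip -> failure timestamps still inside the window
	alerted := map[string]bool{}       // ip -> already alerted for this burst
	for _, e := range events {
		if e.Action == "login.failed" {
			ts := recent[e.IP]
			i := 0
			for i < len(ts) && e.TS.Sub(ts[i]) > window { // evict timestamps older than the window
				i++
			}
			ts = append(ts[i:], e.TS)
			recent[e.IP] = ts
			if len(ts) >= threshold && !alerted[e.IP] {
				alerts = append(alerts, Alert{Rule: "failed-login-spike", Subject: e.IP, At: e.TS})
				alerted[e.IP] = true
			}
		}
		// Privilege escalation: the write's after-state grants Admin, the before-state did not.
		if e.After["role"] == "Admin" && e.Before["role"] != "Admin" {
			alerts = append(alerts, Alert{Rule: "privilege-escalation", Subject: e.Actor + " -> " + e.After["id"], At: e.TS})
		}
	}
	return alerts
}

func main() {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, 5, 10*time.Minute) {
		fmt.Printf("%s %-22s %s\n", a.At.Format(time.RFC3339), a.Rule, a.Subject)
	}
}
```

The window is evaluated per IP rather than per account so that credential-stuffing across many accounts from one source is still caught; a production rule would also key on the target account and on the user-agent string the policy already records.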

Incident response

  1. Detection & triage · within 4 hours
    24/7 security alerting via a paging tool; incidents are triaged within 4 hours of detection.
  2. Investigation & notification · 24–72 hours
    Initial investigation within 24 hours; affected users notified within 72 hours per GDPR Article 33.
  3. Root cause analysis · within 14 days
    A post-incident root cause analysis is published within 14 days for material incidents, and a public summary is posted when an incident affects users.

iDharma also runs an annual incident response tabletop exercise to keep the process tested and current.

09 Vulnerability Disclosure

iDharma operates a responsible disclosure program. Report vulnerabilities to connect@idharma.us. We commit to:

  • Acknowledge within 48 hours of receipt.
  • Triage within 5 business days, with a severity classification.
  • Patch and notify the researcher within a mutually agreed timeline.
  • Credit researchers — with consent — on our Security Updates page.
  • Take no legal action against good-faith research.

We follow a 30-day window before public disclosure. The full policy is published at /vulnerability-disclosure.

10 Business Continuity & Disaster Recovery

  • Daily encrypted backups of the production database, retained 35 days.
  • Weekly backups retained 12 months.
  • Backups are stored in a different geographic region from production.
  • A documented restore runbook is maintained, with a quarterly restore drill.
  • Recovery point objective (RPO): 24 hours.
  • Recovery time objective (RTO): 8 hours.

11 Your Role in Security

Security is a shared responsibility. You can help protect your account and the platform by:

  • Using a strong, unique password and enabling two-factor authentication where available.
  • Keeping your login credentials confidential and never sharing your account.
  • Reporting any unauthorized access or suspicious activity to connect@idharma.us immediately.
  • Keeping confidential project material within the platform and handling it per your signed NDA.
  • Reporting any suspected security vulnerability to connect@idharma.us.

12 Contact

For security reports, compliance documentation, or formal questionnaire responses, please reach the right team below.

Security reports — connect@idharma.us
General questions — connect@idharma.us
Mailing address — iDharma LLC, Indiana, United States