Trust at iDharma

Security at iDharma.

Built for enterprise. Verified, encrypted, auditable.

The architecture, controls, and certifications that protect your data.

Last reviewed: May 11, 2026
Operator: iDharma LLC (Indiana, USA)
Page version: v2026.05.1
TLS 1.3 in transit · AES-256 at rest · 72 hr breach notification (GDPR) · 12 mo audit log retention
01 · Summary

TL;DR

iDharma encrypts data in transit with TLS 1.3 and at rest with AES-256. Verification documents are encrypted under their own, separately managed keys. Access is role-based, with two-factor authentication required for admin accounts. Every write to user-data tables is audit-logged and retained for 12 months. A SOC 2 Type 1 audit is in progress (target Q3 2026); Type 2 is targeted for Q4 2027. Third-party processors (Stripe, DocuSign, Zoom, Google, Microsoft) each hold SOC 2, PCI-DSS Level 1, or ISO 27001 attestations. Security incidents are investigated within 24 hours and affected users are notified within 72 hours, in line with GDPR breach-notification timing. Report vulnerabilities to [email protected].

02 · Architecture

Security Architecture Overview

iDharma is built on a Laravel + MySQL + Stripe Connect stack hosted in the United States. The mobile application is React Native / Expo. All client-server communication is over HTTPS with TLS 1.3. The platform follows least-privilege access principles, defense in depth, and a documented incident response process.

Web: Laravel 10
Database: MySQL 8
Payments: Stripe Connect
Mobile: React Native · Expo
Region: us-east (USA)
Transport: HTTPS · TLS 1.3
Auth API: Laravel Sanctum
Realtime: Reverb / Pusher
03 · Encryption

Encryption

iDharma applies layered cryptography across transport, storage, secrets and credentials. Algorithms are chosen to meet current NIST recommendations; weak protocols are disabled at the load balancer.

Layer | Standard | Notes
In transit | TLS 1.3 | All HTTP traffic. Older protocols disabled at the load balancer. HSTS enforced.
At rest (general) | AES-256 | Database, file storage, backups.
Verification documents | AES-256 with separate key envelope | Government IDs and proof-of-address are encrypted under per-document keys that are themselves wrapped by a key isolated from the general at-rest key; every access is logged per document.
Secrets / API keys | AWS Secrets Manager or equivalent (vendor-managed KMS) | Never in source code, never in client apps.
Passwords | bcrypt (cost factor 12) | Configured via BCRYPT_ROUNDS (Laravel 11 made 12 the default); one-way, never reversible.
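What "separate key envelope" and "access logged per-document" mean in practice, as an added example written for this page (not iDharma's code, which lives in a Laravel/PHP application): each document gets a fresh 256-bit data key, the document is sealed with AES-256-GCM under that key, and the data key is in turn sealed under a key-encryption key that would normally never leave the KMS. The document ID is bound as associated data on both layers so a wrapped key cannot be moved to another record, and every read attempt, granted or denied, is appended to a per-document access log. The type and function names, the in-memory KEK and the sample document are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// EncryptedDoc is the stored envelope for one verification document: a fresh
// 256-bit data key (DEK) per document, wrapped under a key-encryption key (KEK).
// In production the KEK stays inside a KMS; here a byte slice stands in for it
// (assumption for the demo, not iDharma's implementation).
type EncryptedDoc struct {
	ID         string
	WrappedDEK []byte // DEK sealed under the KEK, GCM nonce prepended
	Ciphertext []byte // document sealed under the DEK, GCM nonce prepended
}

// AccessEvent is the per-document log entry written on every read attempt.
type AccessEvent struct {
	At     time.Time
	Actor  string
	DocID  string
	Result string // "ok" or the reason the read was denied
}

// gcmSeal encrypts with AES-256-GCM, binding aad (the document ID) into the tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a changed key, ciphertext, nonce or aad fails authentication.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptDocument seals the document under a new DEK and the DEK under the KEK.
// The document ID is associated data on both layers, so neither a wrapped DEK
// nor a ciphertext can be re-attached to a different record.
func EncryptDocument(kek []byte, id string, doc []byte) (*EncryptedDoc, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, doc, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &EncryptedDoc{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptDocument unwraps the DEK, decrypts, and logs the attempt whether or
// not it succeeded, so denied reads are visible in the per-document log too.
func DecryptDocument(kek []byte, actor string, e *EncryptedDoc, accessLog *[]AccessEvent) ([]byte, error) {
	var doc []byte
	dek, err := gcmOpen(kek, e.WrappedDEK, []byte(e.ID))
	if err == nil {
		doc, err = gcmOpen(dek, e.Ciphertext, []byte(e.ID))
	}
	result := "ok"
	if err != nil {
		result = "denied: " + err.Error()
	}
	*accessLog = append(*accessLog, AccessEvent{time.Now().UTC(), actor, e.ID, result})
	return doc, err
}

func main() {
	kek := make([]byte, 32) // constructed KEK for the demo
	rand.Read(kek)
	var accessLog []AccessEvent
	doc, _ := EncryptDocument(kek, "doc-42", []byte("passport scan bytes"))
	pt, _ := DecryptDocument(kek, "reviewer-7", doc, &accessLog)
	_, _ = DecryptDocument(make([]byte, 32), "support-3", doc, &accessLog) // wrong KEK
	fmt.Printf("plaintext: %q\n", pt)
	for _, ev := range accessLog {
		fmt.Println(ev.At.Format(time.RFC3339), ev.Actor, ev.DocID, ev.Result)
	}
}
```

Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting every document, which is the operational reason for the envelope; revoking access to one document is a matter of deleting its wrapped DEK.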
04 · Access

Access Controls

  • Role-based access control (RBAC) — Admin, Reviewer, Support, User.
  • Two-factor authentication (2FA) required for all admin accounts (TOTP via authenticator apps).
  • Single sign-on (SSO) via Google Workspace for internal team.
  • Least-privilege principle — internal access reviewed quarterly and revoked when no longer required.
  • Production database access restricted to two named engineers + audit-logged.
  • API authentication via Laravel Sanctum (bearer tokens, scoped, revocable).
  • Session timeout — 30 minutes idle, 24 hours absolute.
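How the rules above compose at request time, as an added illustration written for this page and not iDharma's Sanctum middleware: one Go function that checks revocation, the 24-hour absolute lifetime, the 30-minute idle window, the admin 2FA requirement, the permitted roles and the token scope, in that order, and refreshes the idle clock only after a fully authorized request. The Session type, the scope strings and the Authorize/Revoke names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Timeouts as stated on this page.
const (
	IdleTimeout     = 30 * time.Minute
	AbsoluteTimeout = 24 * time.Hour
)

type Role string

const (
	Admin    Role = "admin"
	Reviewer Role = "reviewer"
	Support  Role = "support"
	User     Role = "user"
)

// Session is the server-side record behind a bearer token (field names assumed).
type Session struct {
	Principal   string
	Role        Role
	MFAVerified bool      // TOTP completed at login
	CreatedAt   time.Time // absolute-timeout clock starts here and is never reset
	LastSeenAt  time.Time // idle-timeout clock restarts on each authorized request
	Scopes      []string  // token abilities, e.g. "documents:read"
	Revoked     bool
}

var (
	ErrRevoked  = errors.New("token revoked")
	ErrAbsolute = errors.New("session exceeded 24h absolute lifetime")
	ErrIdle     = errors.New("session idle for more than 30m")
	ErrMFA      = errors.New("admin session without 2FA")
	ErrRole     = errors.New("role not permitted for this action")
	ErrScope    = errors.New("token lacks required scope")
)

// Authorize decides one request. Only a fully authorized request refreshes
// LastSeenAt (sliding idle window); the absolute limit is never extended.
func Authorize(s *Session, now time.Time, allowed []Role, scope string) error {
	switch {
	case s.Revoked:
		return ErrRevoked
	case now.Sub(s.CreatedAt) > AbsoluteTimeout:
		return ErrAbsolute
	case now.Sub(s.LastSeenAt) > IdleTimeout:
		return ErrIdle
	case s.Role == Admin && !s.MFAVerified:
		return ErrMFA
	case !roleAllowed(s.Role, allowed):
		return ErrRole
	case !hasScope(s.Scopes, scope):
		return ErrScope
	}
	s.LastSeenAt = now
	return nil
}

func roleAllowed(r Role, allowed []Role) bool {
	for _, a := range allowed {
		if a == r {
			return true
		}
	}
	return false
}

func hasScope(scopes []string, want string) bool {
	for _, sc := range scopes {
		if sc == want {
			return true
		}
	}
	return false
}

// Revoke invalidates the token immediately, regardless of remaining lifetime.
func Revoke(s *Session) { s.Revoked = true }

func main() {
	t0 := time.Date(2026, 5, 11, 9, 0, 0, 0, time.UTC)
	s := &Session{Principal: "u-17", Role: Reviewer, CreatedAt: t0, LastSeenAt: t0,
		Scopes: []string{"documents:read"}}
	review := []Role{Admin, Reviewer}
	// Activity every 20 minutes keeps the session alive past 30 minutes from login...
	for i := 1; i <= 3; i++ {
		now := t0.Add(time.Duration(i) * 20 * time.Minute)
		fmt.Println(now.Format("15:04"), "->", Authorize(s, now, review, "documents:read"))
	}
	// ...but a 31-minute gap ends it.
	fmt.Println("after 31m gap ->", Authorize(s, s.LastSeenAt.Add(31*time.Minute), review, "documents:read"))
}
```

The ordering matters: a revoked or expired token is rejected before any role or scope reasoning, so revocation wins even for a token whose scopes would otherwise pass.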
05 · Logging

Audit Logging and Monitoring

  • Every write to user-data tables logs: timestamp, actor (user ID or system), action, before/after state, IP, user-agent.
  • Logs retained 12 months in encrypted append-only store; longer if required for active security investigation.
  • Real-time alerting on: failed login spikes, privilege escalation attempts, unusual data export patterns, payment anomalies, sanctioned-country access attempts.
  • Quarterly log review by security lead.
  • Customer-facing audit logs available on request for SOC 2 in-scope activities.
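Two of the alerting rules above, run over the audit-record shape the first bullet describes, as an added example written for this page rather than taken from iDharma's tooling: a sliding-window failed-login spike detector keyed by source IP, and a privilege-escalation check that reads the before/after state of role-change records. The field names, the action strings and the sample events are constructed for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEvent carries the fields this page says every user-data write records
// (field names assumed). Before/After are serialized row snapshots, empty for
// events that are not writes, such as a failed login.
type AuditEvent struct {
	At        time.Time
	Actor     string // user ID, or "anonymous" for pre-authentication events
	Action    string
	Before    string
	After     string
	IP        string
	UserAgent string
}

type Alert struct {
	Rule   string
	Key    string // the IP or actor the alert concerns
	Detail string
}

// FailedLoginSpikes flags each source IP with at least threshold failed logins
// inside any sliding window of the given length (two-pointer scan per IP).
func FailedLoginSpikes(events []AuditEvent, window time.Duration, threshold int) []Alert {
	byIP := map[string][]time.Time{}
	for _, e := range events {
		if e.Action == "auth.login.failed" {
			byIP[e.IP] = append(byIP[e.IP], e.At)
		}
	}
	ips := make([]string, 0, len(byIP))
	for ip := range byIP {
		ips = append(ips, ip)
	}
	sort.Strings(ips) // deterministic alert order
	var alerts []Alert
	for _, ip := range ips {
		ts := byIP[ip]
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{"failed-login-spike", ip,
					fmt.Sprintf("%d failures within %s ending %s", end-start+1, window, ts[end].Format(time.RFC3339))})
				break
			}
		}
	}
	return alerts
}

// PrivilegeEscalations uses the before/after state: any role change that ends
// in "admin" and was not performed by a known admin is flagged, which catches
// both self-grants and grants made from a compromised non-admin account.
func PrivilegeEscalations(events []AuditEvent, admins map[string]bool) []Alert {
	var alerts []Alert
	for _, e := range events {
		if e.Action == "user.role.changed" && e.After == `{"role":"admin"}` && !admins[e.Actor] {
			alerts = append(alerts, Alert{"privilege-escalation", e.Actor,
				fmt.Sprintf("%s changed a role %s -> %s from %s", e.Actor, e.Before, e.After, e.IP)})
		}
	}
	return alerts
}

// SampleEvents is a constructed log for the demo, not real iDharma data.
func SampleEvents() []AuditEvent {
	t0 := time.Date(2026, 5, 11, 9, 0, 0, 0, time.UTC)
	var ev []AuditEvent
	for i := 0; i < 6; i++ { // six failures in 50 seconds from one address
		ev = append(ev, AuditEvent{t0.Add(time.Duration(i) * 10 * time.Second), "anonymous",
			"auth.login.failed", "", "", "203.0.113.7", "curl/8.5"})
	}
	ev = append(ev,
		AuditEvent{t0.Add(time.Minute), "anonymous", "auth.login.failed", "", "", "198.51.100.2", "Mozilla/5.0"},
		AuditEvent{t0.Add(20 * time.Minute), "anonymous", "auth.login.failed", "", "", "198.51.100.2", "Mozilla/5.0"},
		AuditEvent{t0.Add(2 * time.Minute), "u-1", "user.role.changed", `{"role":"user"}`, `{"role":"reviewer"}`, "192.0.2.10", "Mozilla/5.0"},
		AuditEvent{t0.Add(3 * time.Minute), "u-17", "user.role.changed", `{"role":"user"}`, `{"role":"admin"}`, "203.0.113.7", "curl/8.5"},
	)
	return ev
}

func main() {
	admins := map[string]bool{"u-1": true}
	for _, a := range FailedLoginSpikes(SampleEvents(), 5*time.Minute, 5) {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Key, a.Detail)
	}
	for _, a := range PrivilegeEscalations(SampleEvents(), admins) {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Key, a.Detail)
	}
}
```

On the sample log the 5-in-5-minutes rule fires once, for 203.0.113.7, while the two slow failures from 198.51.100.2 stay below threshold; the escalation rule fires on u-17 granting itself admin from the same address that produced the spike, which is the kind of correlation the quarterly log review would follow up.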
06 · Certifications

Compliance Certifications and Roadmap

Where a certification is not yet held, the honest status and a public target date are listed below.

Certification | Current status | Target
SOC 2 Type 1 | In progress | Q3 2026
SOC 2 Type 2 | Not started | Q4 2027
GDPR | Compliant — published baseline | Continuous
CCPA | Compliant — published baseline | Continuous
HIPAA | Not in scope (yet); required if Healthcare AI Marketplace launches | 2027 (with vertical launch)
ISO 27001 | Not started | 2028
PCI-DSS | Not applicable directly: Stripe Connect handles cardholder data and iDharma never receives raw card data | N/A
07 · Subprocessors

Third-Party Subprocessors and Their Certifications

Every vendor that may process customer data holds an independent attestation. This list is critical for enterprise procurement reviews.

Vendor | Service | Certifications
Stripe | Payments, KYC, identity verification | PCI-DSS Level 1, SOC 1/2/3 Type 2, ISO 27001
DocuSign | E-signatures (NDAs, contracts) | SOC 1/2 Type 2, ISO 27001, GDPR-aligned
Pusher / Laravel Reverb | Real-time messaging | SOC 2 Type 2 (Pusher)
Zoom | Video meetings | SOC 2 Type 2, ISO 27001
Google (OAuth + Workspace) | Authentication + internal collaboration | ISO 27001 / 27017 / 27018, SOC 2 Type 2
Microsoft (Graph + Azure auth) | Authentication | ISO 27001, SOC 2 Type 2
Cloud hosting provider (provider name) | Application + database hosting | SOC 2 Type 2, ISO 27001
Cloudinary | Media storage (if used) | SOC 2 Type 2
Mailchimp / Resend (current ESP) | Transactional + marketing email | SOC 2 Type 2

Full subprocessor list with addresses available in the Data Processing Agreement.

08 · Incidents

Incident Response

  • 24/7 security alerting via PagerDuty (or current paging tool).
  • Triage within 4 hours of detection.
  • Initial investigation within 24 hours.
  • Affected user notification within 72 hours. (GDPR Article 34 governs notifying affected individuals; the 72-hour clock comes from Article 33, which covers notification to the supervisory authority.)
  • Public incident summary published at /security-and-compliance/incidents (when an incident affects users).
  • Post-incident root cause analysis published within 14 days for material incidents.
  • Annual incident response tabletop exercise.
09 · Disclosure

Vulnerability Disclosure

iDharma operates a responsible disclosure program. Report vulnerabilities to [email protected]. We commit to:

  • Acknowledge within 48 hours of receipt.
  • Triage within 5 business days, with severity classification.
  • Patch and notify researcher within a mutually agreed timeline.
  • Credit researchers (with consent) on our Security Updates page.
  • No legal action against good-faith research.

We follow a 30-day window before public disclosure. Full policy: /vulnerability-disclosure.

10 · Continuity

Business Continuity and Disaster Recovery

  • Daily encrypted backups of the production database; retained 35 days.
  • Weekly backups retained 12 months.
  • Backups stored in a different geographic region from production.
  • Documented runbook for full restore; quarterly restore drill.
  • RPO (recovery point objective): 24 hours.
  • RTO (recovery time objective): 8 hours.
11 · Contact

Contact and Documentation

For security reports, compliance documentation, or formal questionnaire responses:

Vulnerability reports

Responsible disclosure, 48-hour acknowledgment, no legal action against good-faith research.

Compliance documentation

SOC 2 readiness summary, DPA, subprocessor list, and pre-filled security questionnaires.

Security Overview PDF

One-page architecture summary suitable for procurement files. PDF coming soon.

Mailing address iDharma LLC
Indiana, United States

Security FAQ (plain text)

Q: What encryption does iDharma use? A: TLS 1.3 in transit and AES-256 at rest. Verification documents use a separate AES-256 key envelope. Passwords use bcrypt with work factor 12. Secrets are stored in a vendor-managed KMS.

Q: Is iDharma SOC 2 certified? A: SOC 2 Type 1 audit is in progress, target Q3 2026. SOC 2 Type 2 is targeted for Q4 2027.

Q: What subprocessors does iDharma use? A: Stripe (PCI-DSS Level 1, SOC 1/2/3), DocuSign (SOC 2, ISO 27001), Pusher / Laravel Reverb, Zoom, Google, Microsoft, Cloudinary, and our ESP — all SOC 2 Type 2 or ISO 27001.

Q: How does iDharma handle security incidents? A: 24/7 paging, triage in 4 hours, investigation in 24 hours, affected user notification in 72 hours (GDPR Articles 33 and 34), root cause analysis within 14 days for material incidents.

Q: Does iDharma support GDPR and CCPA? A: Yes, both. Details in the Privacy Policy at /privacy-policy.

Q: How do I report a security vulnerability? A: Email [email protected]. We acknowledge within 48 hours, triage within 5 business days, and follow a 30-day disclosure window with no legal action against good-faith research.