adigrity
Security

How we keep your drawings safe.

Manufacturing drawings are intellectual property. The platform that holds them has to earn the trust to do that — through deliberate engineering decisions, honest disclosure, and a paper trail you can audit. Here's what's in place today, what's coming, and how to report a security issue.

Encryption everywhere

All connections use TLS 1.2 or higher. Files at rest are encrypted by the storage layer. Passwords are stored as bcrypt hashes — we cannot recover or read them.

Data stays in India

Files are stored on DigitalOcean Spaces in the Bangalore region. The database runs on managed Postgres inside India. Data does not leave the country in the ordinary course of operations.

Drawings stay private

Technical drawings and work orders are visible only to the firm and the people the firm has explicitly granted access to. Adigrity staff do not browse Firm Content.

Audit on every file event

Every drawing access, upload, download, deletion, and revision is logged with user, timestamp, and IP address. Audit access is available on Free; advanced filtering is available on Growth and above.

Daily encrypted backups

Database and file backups run automatically every 24 hours and are encrypted at rest. We test restore procedures on a recurring schedule.

Role-based access

Firms control who sees what within their team. Production, sales, accounts, and admins each see only what they need. Custom roles on Growth and above; SSO on Professional and above.

Drawings and intellectual property

How drawings actually move through the system

01 Upload

Drawings are uploaded over a TLS-encrypted connection directly from your browser to storage. They are not relayed through unrelated services.

02 Storage

Files are written to DigitalOcean Spaces (Bangalore region), encrypted at rest. Each file has a unique object key tied to your firm; access is enforced at every retrieval.

03 Access control

Only authenticated users from your firm — or individuals you have explicitly granted access to — can request a drawing. Server-side checks run on every download.

04 Versioning

Each revision creates a new version with its own object key. Old versions are preserved, ensuring the shop floor cannot accidentally cut to a previous revision.

05 Audit

Every upload, download, access, and revision is recorded with user, timestamp, IP address, and action — visible to firm admins through the audit log.

06 Deletion

Deleted drawings are removed from active systems immediately. Encrypted backup copies are retained for 90 days for compliance and disaster recovery, then permanently destroyed.

Honest disclosure

What we have today, what's coming

Some security work is foundational and ships from day one. Other work — formal certifications, advanced compliance features — happens over time. We'd rather tell you where we are honestly than overstate the picture.

Shipping today (live)
  • TLS 1.2+ on all connections
  • Encryption at rest for files and database
  • bcrypt password hashing
  • Role-based access control
  • Daily encrypted backups
  • Comprehensive audit logging
  • Data residency in India
  • Vendor SOC 2-attested infrastructure (DigitalOcean)

Working towards (planned)
  • SSO via SAML and OIDC (Professional plan)
  • Customer-managed encryption keys (Enterprise)
  • Penetration testing program
  • ISO 27001 certification pathway
  • Published uptime status page
  • Configurable data retention policies
  • Advanced audit log exports
  • Bug bounty program

We list no dates because we don't want to commit to dates we cannot meet. Email security@adigrity.com for the current status of any item.

Incidents

If something goes wrong

We maintain a documented incident response process. In the event of a confirmed security incident that affects user data:

  1. Triage and contain within hours of detection — the priority is stopping ongoing exposure before anything else.
  2. Investigate the scope of impact: what data, whose firms, what timeframe.
  3. Notify affected firms by email and in-app banner without undue delay, with the facts as we know them. We do not wait until we have a complete story to start sharing what we know.
  4. Notify the Data Protection Board of India where required under the DPDPA and Rules.
  5. Publish a written post-incident summary within 30 days of resolution, describing what happened, what we did, and what changed.

For security researchers

Responsible disclosure

If you believe you've found a vulnerability in Adigrity, please email security@adigrity.com with a description, steps to reproduce, and a way to contact you. We will acknowledge receipt within two business days.

We commit to not pursuing legal action against researchers who:

  • Report findings privately and give us reasonable time to fix them before public disclosure.
  • Do not access, modify, or destroy data that doesn't belong to them.
  • Do not run testing against production accounts other than their own.
  • Do not conduct denial-of-service attacks or social engineering against staff or customers.

A formal bug bounty program is on our roadmap. Until then, meaningful reports are recognized publicly (with researcher consent) and may receive a token of appreciation at our discretion.

Questions about security?

Procurement teams asking for a security questionnaire, technical buyers evaluating data residency, or compliance officers preparing a vendor review — write in, and we'll send you what you need.