Security
Built for enterprise relocation. Audited like one.
ikan handles relocation data for procurement, HR, and mobility teams who answer to auditors. Our security posture is built around least-privilege access, encrypted data at rest and in transit, short retention windows, and a vendor list you can actually inspect.
Last updated: 25 April 2026
Data handling
- Encryption at rest — AES-256 via Postgres native encryption on all primary storage.
- Encryption in transit — TLS 1.3 on every public endpoint; HSTS preloaded.
- Retention — voice transcripts are kept 30 days, voice recordings 90 days, audit logs 7 years, and operational booking data for the duration of the active assignment plus any statutory tax retention period.
- Deletion on request — assignees and customers can request deletion at privacy@ikan.co; we honour requests within 30 days and confirm in writing.
- No model training on customer data — prompts and transcripts are never used to train third-party foundation models.
Vendors and sub-processors
Every vendor we depend on, the role they play, and where the data sits. Each link below points to the vendor’s own sub-processor list, so you can verify the chain end-to-end.
| Vendor | Role | Region | Sub-processors |
|---|---|---|---|
| Vercel | Web app hosting & edge delivery | Global (primary: US / EU) | View list |
| Supabase | Postgres database & auth | AP-South (Mumbai) | View list |
| Resend | Transactional email delivery | US / EU | View list |
| Render | Voice agent background workers | Singapore | View list |
| LiveKit | Real-time voice transport (WebRTC) | Global edge | View list |
| Cartesia | Text-to-speech synthesis | US | View list |
| Deepgram | Speech-to-text transcription | US | View list |
| Google | Gemini reasoning models | US / EU | View list |
| Groq | Low-latency inference | US | View list |
| Anthropic | Claude reasoning models | US | View list |
| Cloudflare | DNS, WAF, DDoS protection | Global edge | View list |
| Sentry | Error monitoring | US / EU | View list |
| PostHog | Product analytics (self-hosted EU) | EU | View list |
Compliance posture
- SOC 2 Type II — actively building toward certification; controls library, evidence collection, and continuous monitoring are in place.
- GDPR — data flows for EU-based assignees follow the EEA processing model; SCCs available on request.
- DPDP (India) — primary data residency is AP-South (Mumbai); we operate as a Data Fiduciary under the Digital Personal Data Protection Act, 2023.
- DPA — a Data Processing Addendum is available for every customer at /dpa or on request.
Access control
- Role-based access — five distinct roles: Relocation Manager (RMC), Operations, Admin, Supplier, Traveler. Each sees only the data their role requires.
- Audit trail — every write action is recorded with actor, timestamp, before-state, and after-state.
- 24-hour undo — destructive writes are reversible for 24 hours by Ops or Admin.
- SSO — Google Workspace and Microsoft Entra ID supported for enterprise customers; SCIM provisioning on request.
Incident response
- Sentry alerts fire on every error class and are paged to the on-call engineer within 15 minutes.
- Customer-facing impact is reflected on status.ikan-residences.com within 30 minutes of detection.
- Affected customers are notified directly within 24 hours of confirmed impact.
- A written post-mortem is published to affected customers within 7 days, with root cause and remediation.
Reporting a vulnerability
Email security@ikan.co with as much detail as you can share. We respond within one business day. Our PGP key is published at /.well-known/security.txt (currently a placeholder; the fingerprint will be published alongside the SOC 2 report). We follow a 90-day responsible disclosure window and will credit reporters who request it.
Contact
Security questions: security@ikan.co. Privacy and data-subject requests: privacy@ikan.co.