Trust

Security that stands up to scrutiny.

We operate to insurance-industry standards. Certifications, policies, and controls in one place — so your security and procurement teams don't have to ask twice.

Last updated: March 2026

1. Certifications

ISO 27001:2022. PurpleMESH Solutions, the company behind InPass, holds ISO 27001:2022 certification for its Information Security Management System. Scope covers AI product development, software engineering services, and cloud operations — including the InPass platform. Annual surveillance audits by an accredited registrar.

SOC 2 Type II. Currently in progress. Scope: Security, Availability, and Confidentiality trust services criteria. Target completion shared on request under NDA.

GDPR + DPDP Act 2023. Aligned. See our Privacy Policy for details on data fiduciary disclosures, data subject rights, and grievance redressal.

2. How We Protect Customer Data

Encryption in transit and at rest. TLS 1.2+ on every connection. AES-256 for stored data. Wallet passes are cryptographically signed using Apple PassKit certificates and Google Wallet signing keys — every pass is tamper-evident.

Access control. SSO + MFA for all internal systems. Least-privilege role-based access. Quarterly access reviews and offboarding within 24 hours of role change.

Vulnerability management. Continuous dependency scanning, scheduled penetration tests, and a coordinated disclosure policy. Critical patches deployed within 48 hours.

Incident response. Documented runbooks, 24×7 on-call rotation, and customer notification within contractual SLAs. Post-incident reports shared transparently with affected customers.

Data residency. Region-locked deployments on AWS and Azure. Customer policy data never leaves the customer's chosen region. India / EU / US deployments available.

Secure SDLC. Code review by senior engineers, SAST/DAST in CI, signed releases. Production access is logged, audited, and tightly scoped.

3. What We Don't Store

InPass is designed to be a minimum-data-residency platform:

  • We do not store full policyholder PII beyond what is required to render and deliver the wallet pass.
  • We do not store payment card data, banking credentials, or government-ID images.
  • End-user pass data is removed when the policy ends or the pass is revoked.
  • Aggregated, anonymized analytics never include individual policyholder identifiers.

4. Sub-Processors

InPass uses a small, audited set of sub-processors to operate the platform — primarily cloud infrastructure (AWS, Azure), wallet pass delivery (Apple PassKit, Google Wallet), and observability tooling. All sub-processors operate under data processing agreements.

A current sub-processor list is available on request via hello@purplemesh.in. Material changes to the list are communicated to active customers with at least 30 days' notice.

5. Customer-Available Documentation

The following documents are available to active and prospective customers under NDA:

  • ISO 27001:2022 certificate of registration
  • SOC 2 Type II report (when complete)
  • Penetration testing summary
  • Sub-processor list
  • Business continuity and disaster recovery plan summary
  • Information security policy summary
  • Data processing agreement template

6. Reporting a Security Concern

If you believe you have found a security vulnerability in InPass, please report it via hello@purplemesh.in with the subject line "Security Disclosure". We respond within 2 business days and credit responsible reporters in our acknowledgments page (unless you prefer to remain anonymous).

7. Contact

For procurement security questionnaires, audit packs, or any other trust-related question:

  • Email: hello@purplemesh.in
  • Subject: "InPass — Security Inquiry [carrier name]"
  • Company: PurpleMESH Solutions, Hyderabad, Telangana, India

Need security docs for procurement?
Tell us what your security team needs and we'll share the relevant pack under NDA — usually within one business day.