Security · Compliance · Trust

Your matters stay yours.
Every byte. Always.

Gotham is built for Indian law firms - and for the way Indian law firms actually handle privilege, confidentiality, and regulator scrutiny. Data is encrypted, India-resident, never used to train models, and auditable end-to-end.

§ 01 · Pillars

Four non-negotiables.

Everything else is implementation detail. These four are how we sleep at night.

A

India data residency

Matter data lives in AWS Mumbai (ap-south-1). Backups stay in-region. We will tell you, in writing, before a single byte crosses a border.

B

Never trained on

Your filings, drafts, and uploads are never used to train or fine-tune any model - ours, our vendors', or anyone else's. Contractually enforced with every model provider.

C

Encrypted everywhere

TLS 1.3 in transit. AES-256 at rest in RDS + S3, keys managed by AWS KMS with per-tenant scoping. Database snapshots encrypted with the same key set.

D

Audit by default

Every read, every write, every model call is logged. Partner-level audit log in the product. Tamper-evident chain for regulator-grade review.

§ 02 · Architecture

How the bytes move.

A normal request, drawn end-to-end.

  1. 1

    Edge

    Cloudflare orange-cloud proxy in front of every Gotham endpoint. DDoS, bot filtering, WAF rules tuned for legal-software abuse patterns.

  2. 2

    Auth

    Google Workspace + Microsoft 365 SSO. SCIM provisioning. Per-firm tenant isolation enforced at the row level - no shared tables, ever.

  3. 3

    Compute

    Stateless workers in our Mumbai region. Outbound traffic to model providers goes through a logging proxy that strips PII when the model doesn't need it.

  4. 4

    Storage

    Encrypted relational store for matters and metadata. Mumbai-region object store for documents. Queryable data layer powering search. All encrypted at rest with per-tenant keys.

  5. 5

    Models

    Frontier model providers under zero-retention agreements, plus a self-hosted embedding model tuned for Indian languages. No training on your data, no logging beyond 24h debug retention.

  6. 6

    Observability

    Per-tenant trace ID on every operation. Audit log is append-only; deletes go through a separate signed-action pathway.

§ 03 · Compliance

Standards we hold ourselves to.

A few are certified; the rest are operational policy you can audit on request.

StandardStatusNotes
DPDP Act 2023 (India)In effectData fiduciary obligations live. Grievance officer named at /privacy.
SOC 2 Type IIIn progressAudit kick-off Q3 2026. Pre-audit controls already operational.
ISO/IEC 27001Planned2027. Currently mapping controls.
GDPRAppliesFor non-India clients. DPA available at /security#dpa.
India BCP / DRIn effectRTO 4h, RPO 1h. Quarterly drills.
HIPAANot in scopeGotham does not process PHI.
§ 04 · Subprocessors

Who else touches your data.

Updated every quarter. Material changes are notified 30 days in advance.

VendorPurposeRegionData category
Amazon Web ServicesCompute, storage, networkingMumbai (ap-south-1)All matter data
AnthropicClaude model inferenceUS (zero-retention)Prompts only, no training
Google Cloud (Vertex)Gemini model inferenceMumbaiPrompts only, no training
CloudflareEdge, DNS, WAFGlobal anycastRequest metadata, no bodies
Google WorkspaceIdentity (SSO)EU/US per Workspace planEmail, name only
§ 05 · Responsible disclosure

Found something? Tell us.

We take security disclosures seriously. Acknowledgement within 48h, fix or roadmap within 30 days.

security@trygotham.io

Encrypted via our PGP key (fingerprint published on request). Include reproduction steps, impact, and proposed severity. We do not pursue good-faith research.

Email security
§ 06 · DPA

Data Processing Agreement.

A signed DPA is included in every MSA. Standalone DPA available on request.

Our standard DPA covers DPDP Act 2023 (India) and GDPR (where applicable). It names AWS as a sub-processor under the EU SCCs (modules 2 + 3), enumerates the data categories above, and binds Gotham to processing instructions issued by the firm as data fiduciary. Request a copy at legal@trygotham.io.