Security

The spine is the security feature.

An append-only log of every fact your business produces is not a security risk. It's the strongest auditable record you can build. The architecture works for security in the same way it works for accounting.

What the architecture gives you.

Most security incidents in business software fall into two buckets: somebody changed something they shouldn't have, or somebody saw something they shouldn't have. The spine attacks the first one structurally and the second one with the tools you'd expect.

Append-only.
Nothing is ever edited. Nothing is ever deleted. Every action taken in your account is on the log, with the actor, the time, the inputs, and the resulting state. There is no equivalent of “somebody quietly fixed it.” There is only “somebody appended a correction, and here it is.”
Capability-based.
Agents and humans don't have ambient authority. They hold specific capabilities — “approve invoices up to ₹X,” “view inventory in warehouse Y,” “post journals in entity Z.” A capability is a thing you can audit, revoke, and reason about. A role is a thing you accidentally over-grant.
Invariant-gated.
The kernel refuses any event that would break a rule. This includes rules you didn't write, like double-entry balance and stock non-negativity. Even a fully compromised agent or a malicious insider cannot post a state that violates the system's invariants. The math protects the books.
Replay.
Any moment in your account's history can be re-run. If we ever suspect something, we don't reconstruct what happened from memory. We re-run the log. The truth is right there.
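A minimal sketch of how the four properties above fit together, added here as an illustration and not taken from the product's code. The names (`Kernel`, `Event`, `apply`, `replay`), the integer amounts in paise, and the per-kind capability limits are all assumptions made for the example.

```python
from dataclasses import dataclass

class Rejected(Exception):
    """The kernel refused the event; nothing was appended."""

@dataclass(frozen=True)
class Event:
    actor: str
    kind: str       # "journal" or "stock" (hypothetical event kinds)
    payload: tuple  # journal: ((account, signed_paise), ...)  stock: (sku, delta)

def apply(state, ev):
    """Pure transition: return the next state, or raise if an invariant breaks."""
    balances, stock = dict(state[0]), dict(state[1])
    if ev.kind == "journal":
        if sum(amount for _, amount in ev.payload) != 0:
            raise Rejected("double-entry: entries do not sum to zero")
        for account, amount in ev.payload:
            balances[account] = balances.get(account, 0) + amount
    else:  # "stock"
        sku, delta = ev.payload
        if stock.get(sku, 0) + delta < 0:
            raise Rejected("stock would go negative")
        stock[sku] = stock.get(sku, 0) + delta
    return balances, stock

def size(ev):
    # Largest amount the event moves, compared against the capability limit.
    amounts = [a for _, a in ev.payload] if ev.kind == "journal" else [ev.payload[1]]
    return max(map(abs, amounts), default=0)

class Kernel:
    def __init__(self, capabilities):
        self._caps = capabilities  # actor -> {event kind: limit}; no roles
        self.log = []              # appended to by post() only, never edited
        self.state = ({}, {})

    def post(self, ev):
        limit = self._caps.get(ev.actor, {}).get(ev.kind)
        if limit is None or size(ev) > limit:
            raise Rejected(f"{ev.actor} holds no capability covering this event")
        self.state = apply(self.state, ev)  # raises before the append
        self.log.append(ev)

def replay(events):
    """Rebuild state from the log alone, re-checking every invariant."""
    state = ({}, {})
    for ev in events:
        state = apply(state, ev)
    return state
```

Because `apply` is a pure function of the previous state and the event, replaying the log must reproduce the live state exactly; any divergence between the two is itself a detection signal.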

The basics, done properly.

Underneath the architecture, we run the controls every serious SaaS company runs. Briefly:

Encryption.
TLS 1.3 in transit. AES-256 at rest. Separate encryption keys per tenant, rotated quarterly, managed in a hardware-backed KMS. Database backups encrypted with customer-segregated keys.
Data residency.
All customer data lives in India. Primary in Mumbai, replicated to a second Indian region. We do not move customer data outside India for any reason, including AI inference — the models we use are hosted within Indian infrastructure or operated under data-protection agreements that keep data in-region.
Authentication.
SSO via Google Workspace and Microsoft 365 by default. SAML for Enterprise. MFA enforceable per organisation. Session tokens short-lived. Suspicious-login detection on by default.
Backups.
Continuous log replication. Daily snapshot. Point-in-time recovery to any second in the past 35 days. Quarterly DR drills. Tested restores, not theoretical ones.
Vendors.
We use few sub-processors and we list them all. Customer data flows to a deliberately small set of providers. Any addition is notified in advance, with a right to object.

What we have, and don't yet.

We're young. We will tell you what we have today, not what we'll have by year-end. As of this writing:

SOC 2 Type 1.
In progress. Audit window opens this quarter. Type 2 follows the year after.
ISO 27001.
Planned for 2027. Controls already mapped; certification is a calendar matter.
DPDP Act, India.
Compliant. Data Protection Officer appointed. Notice and consent flows in place. Breach reporting procedures defined.
Penetration testing.
Annual third-party engagement. Last test concluded last quarter. Reports available under NDA on request.
Bug bounty.
Private programme today. Public programme planned once we cross the first 100 customers.
The honest framing. If your procurement requires SOC 2 Type 2 today, we are not the vendor for you yet. We will be, soon. Tell us, and we'll keep you posted.

Found something? Tell us.

We honour responsible disclosure. If you've found a vulnerability, please email security@invariant.co.in with the details. We aim for first response within 24 hours, triage within 72, and a fix timeline within a week. We credit researchers publicly when they want it. We don't litigate good-faith research. We do remember the people who help us.