Security & trust

Assignee data, treated like it matters.

Relocation programmes hold some of an employee's most personal information — home addresses, family details, schedules. Here is exactly how IKAN protects it, where it lives, and who we work with. Honestly stated, including what we have not certified yet.

AES-256 at rest · TLS 1.3 in transit · EU / India data residency

Where we stand today

Compliance status — stated honestly

We will not claim certifications we do not hold. This reflects our posture as of this quarter and is updated as it changes.

SOC 2 Type I: Audit in progress

GDPR-aligned: Data processing aligned

AES-256 at rest

TLS 1.3 in transit

Supabase EU / India: Regional hosting

Our SOC 2 Type I audit is in progress with our auditor — we are happy to share current status and our roadmap under NDA during a security review. We do not currently hold SOC 2 Type II or ISO 27001 certification.

Security posture

How the platform is built

Defense-in-depth across authentication, data access, and the assignee experience.

1. Encryption everywhere

AES-256 at rest and TLS 1.3 in transit. Assignee PII is never stored or transmitted in the clear.

2. Row-level security

Postgres row-level security on Supabase scopes every record to its owner — consultants only ever see their own assignees.

3. Password-less assignee access

Assignees enter via a consultant-issued secure link or an allow-listed email — no shared passwords to leak or phish.

4. Enterprise SSO

Consultants sign in with Microsoft or Google SSO. Okta is on the roadmap for Q3 2026.

5. Audit trail & versioning

Timestamped programme snapshots, full change history, and exportable CSV metadata for ops and finance review.

6. Least-privilege publishing

A programme only becomes shareable once sign-in addresses are set, so links never go to an unverified inbox.

Data residency & privacy

Where your data lives, and how long

Regional hosting and a documented data lifecycle — configurable to your jurisdiction.

1. Regional hosting

Data is hosted in Supabase EU-Central and India regions, configurable per deployment to meet your residency requirements.

2. GDPR-aligned processing

Our data processing is aligned to GDPR, with DPDP-India readiness for assignee PII. We support data-subject requests.

3. Defined retention

Secure assignee links expire (30 days by default), and programme data follows a documented lifecycle rather than living forever.

Sub-processors

Who we work with

The third parties that process data on IKAN's behalf. We keep this list short and current.

| Sub-processor | Purpose |
| --- | --- |
| Supabase | Database & storage (Postgres, row-level security, regional hosting) |
| Clerk | Consultant authentication (Microsoft & Google SSO) |
| Vercel | Application hosting & edge delivery |

AES-256 at rest · TLS 1.3 in transit · Row-level security · Hosted in Supabase EU-Central & India regions · SOC 2 Type I audit in progress

Need our security pack?

Book a security-focused walkthrough or email our team — we'll share our posture, sub-processor agreements, and SOC 2 status under NDA.