Compliant by design.
Traqo maintains a comprehensive regulatory compliance posture mapped to SEBI CSCRF, RBI IT Framework, India's DPDP Act 2023, GDPR, SOX, ISO 27001:2022, and five industry verticals — with SOC 2 Type II, ISO 27001/27701 certifications, automated compliance monitoring, and audit-ready evidence packages for enterprise due diligence.
Current certification portfolio
All certifications independently verified by accredited auditors and available to enterprise customers upon NDA execution.
| Certification / Standard | Scope | Status | Validity | Report Availability |
|---|---|---|---|---|
| SOC 2 Type II | All production systems, infrastructure, and operational controls | Certified | Annual | Full report on NDA |
| ISO 27001:2022 | ISMS covering entire platform, infrastructure, and operations | Certified | 3 years (annual surveillance) | Certificate on request |
| ISO 27701:2019 | Privacy Information Management System (PIMS) | Certified | 3 years (annual surveillance) | Certificate on request |
| ISO 9001:2015 | Quality Management System for platform development and delivery | Certified | 3 years (annual surveillance) | Certificate on request |
| GDPR | Data processing compliance for EU data subjects | Compliant | Ongoing | DPA and compliance docs available |
| HIPAA | BAA for healthcare and pharmaceutical logistics customers | Aligned | Ongoing | BAA available on request |
| PCI DSS | Payment card data via tokenisation and secure processing | Compliant (via tokenisation) | Annual | AoC available on request |
Certification roadmap
Planned expansions to meet evolving enterprise and regulatory requirements.
SEBI Cyber Security & Cyber Resilience Framework (CSCRF 2023)
Clause-by-clause mapping of SEBI CSCRF 2023 requirements to Traqo implemented controls.
| SEBI CSCRF Clause | Requirement | Traqo Control Implementation |
|---|---|---|
| Clause 5 — Governance | Security governance structure, CISO appointment, board-level reporting | Security governance committee; CISO with direct board reporting; quarterly security posture reports |
| Clause 6 — Identify | Asset inventory, risk assessment, data classification | Comprehensive asset inventory; annual risk assessments; data classification framework (ref Doc 16) |
| Clause 7 — Protect | Access control, encryption, network security | RBAC with MFA; AES-256 at rest; TLS 1.3 in transit; WAF, IDS/IPS network segmentation |
| Clause 8 — Detect | SIEM implementation, anomaly detection, threat intelligence | 24/7 SIEM monitoring; ML-based anomaly detection; threat intelligence feeds; real-time SOC alerting |
| Clause 9 — Respond | Incident response plan, CIRT team | Documented IR plan; dedicated CIRT team; 15-minute P1 response SLA (ref Doc 16) |
| Clause 10 — Recover | BCP/DR plan, recovery testing | Comprehensive BCP/DR (ref Doc 18); RTO 15 min / RPO 5 min; quarterly recovery testing |
| Clause 14 — BCP/DR | Full BCP/DR with regular testing | Multi-AZ deployment; automated failover; quarterly DR drills with full documentation |
| Clause 15 — Audit | Annual third-party audit, quarterly VA | Annual SOC 2 Type II audit; quarterly VAPT by CREST-certified assessors; monthly automated scans |
RBI IT Governance Framework
For Traqo customers in the financial services sector regulated by the Reserve Bank of India.
| RBI Chapter | Requirement | Traqo Control |
|---|---|---|
| Chapter 4 — IT Governance | Board-approved IT policy, IT strategy alignment | Security governance documented; IT policies board-approved; annual review cycle |
| Chapter 6 — Information Security | IS policy, access controls, encryption | RBAC with MFA; field-level encryption; AES-256 at rest; TLS 1.3; annual IS policy review |
| Chapter 8 — IT Operations | Change management, capacity planning | CI/CD with multi-stage approval gates; automated testing; capacity monitoring with auto-scaling |
| Chapter 10 — Business Continuity | Documented BCP, DR testing | Quarterly DR drills; documented BCP; multi-AZ deployment; automated failover with RTO < 15 min |
| Chapter 11 — IS Audit | Annual audit, vulnerability assessment | Annual SOC 2 Type II audit; annual third-party pen test; quarterly vulnerability assessments |
Digital Personal Data Protection Act, 2023 (DPDP)
India's landmark DPDP Act — section-by-section compliance mapping.
| DPDP Section | Requirement | Traqo Implementation |
|---|---|---|
| Section 4 | Lawful processing, consent-based processing | Consent management framework; purpose limitation enforced; lawful basis documented for all activities |
| Section 5 | Notice to data principal before collection | Privacy notice at all collection points; transparent disclosure; multi-language support |
| Section 6 | Consent — free, specific, informed, unambiguous | Granular consent mechanisms; easy withdrawal; consent records with timestamps |
| Section 8 | Reasonable security safeguards | AES-256 at rest; TLS 1.3 in transit; RBAC; SOC 2 certified security controls |
| Section 9 | Data retention limitation | Configurable retention policies per data type; automated purge workflows; documented retention schedule |
| Section 11 | Rights — access, correction, erasure | Self-service data portability; automated erasure workflows; data access portal; 72-hour response SLA |
| Section 17 | Data breach notification to Data Protection Board | 72-hour breach notification capability; automated breach detection; pre-approved notification templates |
| Section 21 | Obligations of Significant Data Fiduciary | DPO appointed; DPIAs conducted for high-risk activities; periodic audits |
GST & CMVR compliance capabilities
Integrated directly into the freight management workflow.