Information Security Standard

Version: 1.0 Effective Date: 29 June 2026

This Information Security Standard describes the security program, controls, and practices that Dimensionless Technologies Private Limited ("Dimensionless," "we," "us," or "our") applies to PropelPro, our AI-native RFP and bid management platform (the "Service"). It is intended to support partner, customer, and vendor due-diligence reviews by providing a consolidated view of how PropelPro is designed, deployed, operated, and secured.

1. Overview and Purpose

Dimensionless Technologies Private Limited is incorporated under the laws of India, with its registered office at Centre for Incubation and Business Acceleration (CIBA), 6th Floor, Agnel Technical Complex, Sector 9A, Vashi, Navi Mumbai, Maharashtra, India – 400703.

This document is maintained by the Office of the COO and is reviewed at least annually, or upon any material change to the architecture, control environment, or regulatory context, whichever is sooner.

2. Security Governance and Ownership

  • Executive accountability for information security and privacy rests with the Chief Operating Officer (COO), Kushagra Singhania, who serves as the senior owner for the information security program, privacy, and this Standard.
  • Dimensionless operates an Information Security Management System (ISMS) that is documented, maintained, and continually improved, and that governs how systems and data are protected across the design, development, and operation of the Service.
  • Information security roles and responsibilities are formally defined and allocated to accountable leadership, with conflicting duties segregated to reduce the risk of unauthorized or unintentional misuse of assets.
  • Management review meetings are held to evaluate the security posture, audit results, risks, incidents, technology trends, and security initiatives, and to drive continual improvement of the ISMS.
  • Information security policies and procedures are documented, approved, communicated to personnel, and reviewed at planned intervals to ensure continuing suitability, adequacy, and effectiveness.

3. Certifications, Audits, and Compliance

  • ISO/IEC 27001:2022: Dimensionless holds an ISO/IEC 27001:2022 certification for its Information Security Management System, issued by InterCert (Registration Number IC-IS-2606126; Statement of Applicability version 1.0). The certified scope covers the design, development, deployment, and delivery of Dimensionless's AI-powered software products and services, including supporting IT, Information Security, Human Resources, Legal & Compliance, Finance, and Vendor Management functions. Initial certification and issue date: 11 June 2026; surveillance validity date: 10 June 2027; recertification date: 10 June 2029.
  • SOC 2 Type II: Dimensionless maintains an independent SOC 2 Type II attestation covering the Trust Services Criteria for Security, Availability, and Confidentiality for the PropelPro service, examined by Percilchofe CPA LLC (CPA License No. 1188) for the period 1 March 2026 to 31 May 2026. The examination uses Microsoft Azure as a subservice organization under the carve-out method. The full report is available to partners and prospective customers under NDA on request.
  • Independent penetration testing (VAPT): Vulnerability assessment and penetration testing of the network and application is performed at least annually by an independent third party, with identified vulnerabilities tracked through to closure. A summary or attestation can be shared under NDA on request.
  • Data protection compliance: The Service and Dimensionless's processing activities are designed to comply with the EU General Data Protection Regulation (GDPR) and the Digital Personal Data Protection Act, 2023 (India) (DPDPA). Controller/processor roles and obligations are set out in the Data Processing Addendum referenced in the References section.

The full SOC 2 Type II report and ISO/IEC 27001 certificate are provided to partners and customers under NDA as part of the due-diligence process.

4. Deployment Models and Data Boundaries

PropelPro is offered under three deployment models. The same governance principles — encryption, tenant isolation, layered access control, human-in-the-loop gating, continuous monitoring, and audit logging — apply across all three. The models differ in the physical and organizational boundary within which processing occurs.

  • Multi-Tenant SaaS (default): The Service is hosted within Dimensionless's managed Microsoft Azure environment. Each client's data is logically isolated through dedicated per-tenant data stores and dedicated identity tenants, with shared, stateless application services. Data residency region(s) are selected and contractually committed at onboarding.
  • Customer Cloud (single-tenant / private deployment): The Service is deployed within a cloud environment designated by or for the client, providing physical separation of compute and data stores with no shared infrastructure with any other client.
  • On-Premises (private deployment): The Service is deployed entirely within the client's own infrastructure or data center, with all processing occurring within the client's network boundary.

In all models, no cross-tenant data access is possible by design: in the multi-tenant SaaS model this is enforced through dedicated per-tenant data stores and identity tenants with strict access enforcement; in the private deployment models it is structural, since each client's environment is wholly separate infrastructure. Allocation of operational responsibility for each model is documented in the Master Services Agreement (MSA) and applicable Order Form; where a deployment model places infrastructure under the client's control, the client is responsible for implementing complementary controls.
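
The following is an added illustration of the tenant-scoping pattern the multi-tenant model relies on; it is example code written for this page, not PropelPro's implementation. The store, principal and tenant names are constructed. The security-relevant point it shows is that the caller's tenant is taken from the verified identity token and maps to a store that holds only that tenant's data, while any tenant identifier in the request itself is treated as untrusted input.

```python
"""Tenant-scoped data access: the caller's tenant comes from the verified
identity token, never from the request, and maps to that tenant's own store.

Added illustration only; not PropelPro code. TenantStore, Principal and the
tenant names are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class TenantIsolationError(PermissionError):
    """A request attempted to reach data outside the caller's tenant."""


@dataclass
class TenantStore:
    """Stand-in for one tenant's dedicated database/storage account."""
    tenant_id: str
    documents: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Principal:
    """Claims taken from a token already validated by the identity tenant."""
    user_id: str
    tenant_id: str


class TenantRouter:
    """Holds one store per tenant and refuses any cross-tenant lookup."""

    def __init__(self, stores: dict[str, TenantStore]) -> None:
        self._stores = stores

    def store_for(self, principal: Principal) -> TenantStore:
        # The handle returned only ever contains this tenant's data, so even a
        # later query bug cannot join across tenants.
        try:
            return self._stores[principal.tenant_id]
        except KeyError:
            raise TenantIsolationError(f"unknown tenant {principal.tenant_id!r}") from None

    def get_document(self, principal: Principal, requested_tenant: str, doc_id: str) -> str:
        """Serve a document only when the tenant in the request path equals the
        tenant in the token. The path value is untrusted client input."""
        if requested_tenant != principal.tenant_id:
            raise TenantIsolationError(
                f"user {principal.user_id} (tenant {principal.tenant_id}) "
                f"requested tenant {requested_tenant}"
            )
        return self.store_for(principal).documents[doc_id]


def build_sample_router() -> TenantRouter:
    """Two tenants whose stores happen to use the same document id (constructed)."""
    return TenantRouter({
        "acme": TenantStore("acme", {"rfp-1": "ACME confidential bid"}),
        "globex": TenantStore("globex", {"rfp-1": "Globex confidential bid"}),
    })


def demo() -> dict:
    """Own-tenant read succeeds; a spoofed path for another tenant is rejected."""
    router = build_sample_router()
    acme_user = Principal(user_id="u1", tenant_id="acme")
    result = {"own": router.get_document(acme_user, "acme", "rfp-1")}
    try:
        router.get_document(acme_user, "globex", "rfp-1")
        result["cross_tenant"] = "ALLOWED (isolation failure)"
    except TenantIsolationError as exc:
        result["cross_tenant"] = f"blocked: {exc}"
    return result
```

The same document id exists in both tenants so that a missing or bypassed check would visibly return the wrong tenant's content; in a real review, that is the test case to run against every data-access path.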

5. Data Protection and Encryption

  • Encryption at rest: Customer data — including documents, embeddings, prompts, completions, and agent outputs — is encrypted at rest using AES-256 with Azure-managed keys.
  • Encryption in transit: Data in transit over public networks is protected using TLS with SHA-256 signature algorithms, in accordance with the cryptography standard, which also defines requirements for the generation, use, protection, audit, and rotation of cryptographic keys.
  • Tenant isolation: Client data is logically separated in the multi-tenant SaaS model (dedicated database, storage, and identity tenant per client) and physically separated in private deployments.
  • Data residency: Residency is configurable on a per-customer, per-contract basis. Cloud resources are provisioned within the region(s) committed for the customer; the platform has been deployed across Azure Central India, South India, and UAE North regions, and can be configured to operate from other available Azure regions or within a customer-controlled environment to meet local sovereignty requirements.
  • Secrets management: Application secrets and keys are managed through dedicated key-vault services within the Azure environment.

6. Access Control and Identity

  • Least privilege: Access is granted on a least-privilege basis by default, with any additional access requiring explicit approval. Permissions to individual accounts are restricted based on role and job requirement.
  • Role-based access control (RBAC): Predefined, role-based security groups are in place for in-scope systems, with privileged access allocated on a need-to-use basis in line with job responsibilities and controlled per the access control policy.
  • Multi-factor authentication (MFA) and SSO: Workforce access is protected behind single sign-on (SSO) with enforced multi-factor authentication. This applies to all in-scope systems, including cloud resources and administrative consoles: each user authenticates with an individual (non-shared) account using multi-factor or two-step authentication.
  • Privileged Identity Management: Privileged and administrative access is governed through approval workflows, just-in-time elevation, access reviews, and audit reporting.
  • Provisioning and de-provisioning: Access is granted only against written authorization upon joining, and is removed as part of a defined exit process. Account deactivation is initiated on the last day of employment and access is disabled within one business day; reactivation of credentials belonging to exited personnel is prohibited.
  • Access reviews: Access to in-scope data, systems, and services is reviewed on a quarterly basis to confirm continued appropriateness, with user access lists reconciled against active HR records.
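
The following is an added illustration of the quarterly reconciliation described above; it is example code written for this page, not a Dimensionless tool. The two CSV exports (one from the identity provider, one from HR), the column names and the review date are constructed. It flags the three conditions a reviewer must action: an enabled account whose owner has exited, an enabled account with no HR record at all, and an account dormant for longer than the review window.

```python
"""Quarterly access review: reconcile enabled accounts against HR records.

Added example, not Dimensionless tooling. The exports, column names and
thresholds below are constructed for the demonstration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export from the identity provider.
ACCESS_EXPORT = """\
email,role,last_login,enabled
alice@example.test,admin,2026-06-20,true
bob@example.test,user,2026-06-18,true
carol@example.test,user,2026-03-02,true
dave@example.test,admin,2026-06-25,true
svc-backup@example.test,service,2026-06-26,true
"""

# Constructed sample export from HR; exit_date is empty for active staff.
HR_EXPORT = """\
email,status,exit_date
alice@example.test,active,
bob@example.test,exited,2026-05-30
carol@example.test,active,
svc-backup@example.test,service,
"""


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str


def reconcile(access_csv: str, hr_csv: str, review_date: date,
              dormant_days: int = 90) -> list[Finding]:
    """Return the accounts a reviewer must action.

    Checks:
      * enabled account whose HR record says exited: the exit process failed or
        the account was reactivated, which the Standard prohibits;
      * enabled account with no HR record: orphan account with no known owner;
      * enabled account with no login within `dormant_days`: least-privilege
        candidate for removal.
    Disabled accounts are skipped; they are outside the review's scope.
    """
    hr = {row["email"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings: list[Finding] = []
    for acct in csv.DictReader(io.StringIO(access_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue
        email = acct["email"]
        record = hr.get(email)
        if record is None:
            findings.append(Finding(email, "no HR record (orphan account)"))
            continue
        if record["status"] == "exited":
            findings.append(Finding(email, f"enabled after exit on {record['exit_date']}"))
            continue
        last_login = date.fromisoformat(acct["last_login"])
        if (review_date - last_login).days > dormant_days:
            findings.append(Finding(email, f"dormant since {acct['last_login']}"))
    return findings


def sample_review() -> list[Finding]:
    """Run the reconciliation over the constructed exports for a fixed review date."""
    return reconcile(ACCESS_EXPORT, HR_EXPORT, review_date=date(2026, 6, 30))
```

Each finding carries the reason so the reviewer's disposition (disable, re-attest, or assign an owner) can be recorded against it; in practice the output would be attached to the quarterly review evidence.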

7. Network and Infrastructure Security

  • Azure Landing Zone architecture: The Service runs on a hub-and-spoke Azure Landing Zone with segregated management groups and subscriptions for control plane, hub/connectivity, and data plane (non-production and production), enforcing separation between environments.
  • Perimeter protection: Internet-facing traffic is fronted by Azure Front Door Premium providing Web Application Firewall (WAF), CDN, DDoS protection, and TLS termination.
  • Network isolation: Production systems are protected within an Azure virtual network (VNet) using network security group (NSG) rules. Production servers reside in private subnets behind private endpoints, and direct access to production instances is restricted to authenticated SSH (2048-bit RSA keys) or authenticated secure browser sessions over HTTPS. Access to modify NSG rules is restricted to administrators.
  • Hardening: Production hosts and security groups are hardened in accordance with industry best practice and CIS benchmarks, with defined configuration and hardening standards maintained by management.
  • Threat detection: Defender for Cloud, endpoint protection, and security monitoring systems are used to monitor and analyze in-scope systems for malware, server and application vulnerabilities, insider threats, and unwanted traffic, generating alerts for possible or actual security events.

8. Secure Software Development Lifecycle

  • Environment separation: Application development and testing are performed in environments separate from production.
  • Version control and peer review: Source code, documentation, and release management are maintained in a version control system with access approved by a system administrator. Application code changes, code reviews, and tests are performed by someone other than the individual who made the change, enforcing segregation of duties.
  • Security scanning: The development pipeline incorporates security scanning as part of the secure SDLC to identify vulnerabilities prior to release.
  • Change management: Changes are recorded, evaluated, authorized, planned, communicated, tested, and implemented through a defined change-management process before deployment to production. Change requests include risk assessment, implementation, and rollback plans, and the process enforces segregation between authorization, development, testing, and implementation.

9. Vulnerability and Risk Management

  • Risk assessment: A formal Risk Assessment and Risk Treatment procedure is maintained. Risks are identified, rated by likelihood and impact, and treated (treat, transfer, avoid, or accept) against an organizational risk threshold, with outputs captured in a risk register and treatment plan.
  • Vulnerability scanning: Internal vulnerability scans are performed on network devices and services per the audit calendar, with remediation actions monitored to completion.
  • Independent VAPT: Third-party vulnerability assessment and penetration testing is performed at least annually, with findings tracked to closure.
  • Remediation SLAs: Identified vulnerabilities are managed on a risk-based basis and tracked through to closure, with remediation prioritized by severity against the following default target timelines (specific commitments may be further defined in the applicable client MSA):
  • Patch management: Operating system and application patches, particularly those marked critical or security-related, are tested and applied as they become available.

10. Endpoint Security

  • Endpoint protection: Endpoint protection (antivirus, anti-malware, and threat protection) is implemented on workforce devices, with virus definitions updated automatically and email scanning enabled to prevent malicious scripts and content.
  • Content filtering: Internet access from corporate systems is routed through content filtering via a proxy.
  • Monitoring: Endpoint logs are reviewed, and endpoint posture is monitored as part of ongoing security operations.

11. Logging, Monitoring, and Audit

  • Two levels of logged activity: PropelPro logs (a) user-level events — who performed an action, what the action was, the RFP or workspace it applied to, and the timestamp; and (b) system and AI-level events — infrastructure activity, model invocations, prompt version references, the workflow and guardrail configuration in effect at execution, and output evaluation results.
  • Unified monitoring: Application, infrastructure, and AI-evaluation telemetry are captured in a single log-monitoring framework (Azure Monitor, Log Analytics, and Application Insights), enabling correlation of an AI-driven output with the model, prompt version, guardrail configuration, and evaluation result that produced it.
  • Log retention (Multi-Tenant SaaS): Logs are retained for 90 days in hot/online storage and up to 1 year in archive.
  • Customer access to logs: Structured log exports, including AI-specific activity, can be made available to client administrators or compliance teams on request and scoped to meet audit or regulatory requirements as agreed in the MSA. Where a client operates an existing security monitoring platform, log-forwarding integration can be scoped during deployment. In private deployments, the same logging structure is implemented within the client's own environment, where the client's tooling becomes the primary store of record.
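
The following is an added illustration of the correlation the unified monitoring framework is intended to support; it is example code written for this page, not PropelPro's logging code. The event schema and the sample log lines are constructed. The only property it relies on is that every event emitted during one agent run carries the same run identifier, which is what lets an output be traced back to the user action, workflow and guardrail configuration, model and prompt version, and evaluation result that produced it. It also flags runs whose chain is incomplete, which is the condition worth alerting on.

```python
"""Tracing an AI-generated output back to the model, prompt version, guardrail
configuration, evaluation result and user action that produced it.

Added illustration, not PropelPro's logging code. The event schema and the
sample lines are constructed; every event in one run shares a run_id.
"""
from __future__ import annotations

import json

# Constructed sample export: one JSON event per line. run-8 deliberately lacks
# its "config" event so the incomplete-chain case is exercised.
SAMPLE_LOG = """\
{"ts":"2026-06-29T10:00:01Z","level":"user","run_id":"run-7","event":"action","user":"u1","tenant":"acme","workspace":"rfp-42","action":"draft_section"}
{"ts":"2026-06-29T10:00:02Z","level":"system","run_id":"run-7","event":"config","workflow":"draft-v3","guardrails":{"pii_filter":true,"max_tokens":2000}}
{"ts":"2026-06-29T10:00:03Z","level":"system","run_id":"run-7","event":"model_call","model":"model-x","prompt_version":"draft-prompt@12"}
{"ts":"2026-06-29T10:00:05Z","level":"system","run_id":"run-7","event":"eval","output_id":"out-9","score":0.91,"passed":true}
{"ts":"2026-06-29T10:00:06Z","level":"user","run_id":"run-8","event":"action","user":"u2","tenant":"globex","workspace":"rfp-7","action":"bid_no_bid"}
{"ts":"2026-06-29T10:00:07Z","level":"system","run_id":"run-8","event":"model_call","model":"model-x","prompt_version":"bnb-prompt@3"}
{"ts":"2026-06-29T10:00:09Z","level":"system","run_id":"run-8","event":"eval","output_id":"out-10","score":0.42,"passed":false}
"""

# Event types every complete run must contain.
REQUIRED_EVENTS = ("action", "config", "model_call", "eval")


def index_runs(log_text: str) -> dict[str, dict[str, dict]]:
    """Group events by run_id, keyed by event type."""
    runs: dict[str, dict[str, dict]] = {}
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            runs.setdefault(ev["run_id"], {})[ev["event"]] = ev
    return runs


def incomplete_runs(log_text: str) -> dict[str, list[str]]:
    """Runs whose provenance chain is broken; a detection check worth alerting on."""
    return {run_id: [k for k in REQUIRED_EVENTS if k not in evs]
            for run_id, evs in index_runs(log_text).items()
            if any(k not in evs for k in REQUIRED_EVENTS)}


def provenance(log_text: str, output_id: str) -> dict:
    """Provenance record for one output; raises if the chain is incomplete."""
    for run_id, evs in index_runs(log_text).items():
        ev = evs.get("eval")
        if ev is None or ev["output_id"] != output_id:
            continue
        missing = [k for k in REQUIRED_EVENTS if k not in evs]
        if missing:
            raise LookupError(f"run {run_id} is missing events: {missing}")
        return {
            "run_id": run_id,
            "user": evs["action"]["user"],
            "tenant": evs["action"]["tenant"],
            "workspace": evs["action"]["workspace"],
            "action": evs["action"]["action"],
            "workflow": evs["config"]["workflow"],
            "guardrails": evs["config"]["guardrails"],
            "model": evs["model_call"]["model"],
            "prompt_version": evs["model_call"]["prompt_version"],
            "eval_score": ev["score"],
            "eval_passed": ev["passed"],
        }
    raise LookupError(f"no evaluation event for output {output_id!r}")
```

Refusing to answer for an output whose run is missing an event, rather than returning a partial record, is deliberate: a provenance answer that silently omits the guardrail configuration is worse than none during an audit or incident review.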

12. Incident Management and Response

  • Documented procedures: A formal, documented incident management policy and response procedures guide personnel in handling incidents, including the process for informing the entity about actual and potential events affecting system security.
  • Reporting and tracking: A ticketing system allows internal and external users to report security failures, incidents, and concerns. Incidents are logged with incident type, date/time, details, action taken, and root cause (for selected high-risk incidents), and are managed through to resolution by the responsible response and security operations functions.
  • Review and remediation: Incidents are evaluated, corrective and preventive actions are completed, root-cause analysis is performed for major incidents, and incidents are reviewed by management as part of the management review process.
  • Breach notification: Where a security breach affecting customer data is confirmed, affected customers are notified within 48 hours of confirmation of the breach, with further detail and root-cause information provided as the investigation progresses. Specific notification commitments may be further defined in the applicable MSA and Data Processing Addendum.
  • Communication: Protocols are in place for communicating security incidents and actions taken to affected parties, including root-cause information where appropriate.

13. Business Continuity and Disaster Recovery

  • BCP/DR plans: Dimensionless maintains a documented Business Continuity Procedure and Plan, including disaster recovery guidelines, with defined roles and responsibilities and identification of critical applications, systems, personnel, and data based on a business impact analysis.
  • High availability: The platform is implemented in a high-availability configuration using multiple, redundant availability zones, with load balancing and auto-scaling enforced within the cloud environment, and multiple ISPs for link redundancy.
  • Backups (RPO): Incremental and full backups of production databases are performed on a daily basis to support availability and restoration, which bounds the Recovery Point Objective for the Multi-Tenant SaaS model at 24 hours.
  • Recovery objective (RTO): For the Multi-Tenant SaaS model, the target Recovery Time Objective is 4 hours. RPO/RTO targets for private deployments are defined per the applicable client MSA.
  • Testing: Business continuity and disaster recovery plans, including restoration of backups, are tested at least annually, with issues identified during testing investigated and remediated.

14. AI Governance and Agentic Controls

PropelPro's AI capabilities are built on a layered architecture that separates proprietary application logic (orchestration, retrieval, guardrails) from third-party foundation-model inference, which is delegated to enterprise-grade, contractually governed providers.

  • No training on client data: No client data — including prompts, completions, embeddings, or uploaded document content — is used to train or fine-tune any foundation model. In the SaaS model this is a contractual guarantee from the managed enterprise AI platform; in private deployments, models run within the client's own infrastructure and Dimensionless has no access to inference inputs or outputs.
  • Versioned configuration: Model selection, prompts, agent workflows, guardrail thresholds, and retrieval configuration are maintained as versioned, change-managed artefacts, making AI behavior changes attributable and reviewable.
  • Layered guardrails: Agents operate only within strictly defined, onboarding-configured workflows; consequential actions (proposal drafts, submittal identification, bid/no-bid recommendations) are gated by human-in-the-loop approval before being progressed or finalized; and outputs pass through validation and continuous evaluation checks.
  • Ephemeral sandbox execution: Agentic actions requiring code or tool execution run within ephemeral, task-scoped sandboxes that are torn down on completion, bounding the blast radius of any single action and preventing state from persisting across tasks or tenants.
  • Continuous evaluation: Output quality and behavioral drift are monitored through evaluations embedded as a step within the governed workflow, with results captured in the unified monitoring framework.
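
The following is an added illustration of two of the controls above, human-in-the-loop gating of consequential actions and ephemeral task-scoped execution; it is example code written for this page, not PropelPro's orchestrator. The action names, the approval record format and the tool step are constructed. The detail worth noting is that an approval is bound to a hash of the exact artifact that was reviewed, so an approval recorded for an earlier draft cannot be reused to finalize a later, edited one.

```python
"""Human-in-the-loop gating and task-scoped sandboxes for agent actions.

Added example illustrating the controls described above; not PropelPro's
orchestrator. Action names, the Approval record and the tool step are
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass

# Actions the Standard lists as consequential: an agent may prepare them, but
# they are never finalized without a recorded human approval.
CONSEQUENTIAL = {"proposal_draft", "submittal_identification", "bid_no_bid"}


class ApprovalRequired(PermissionError):
    """A consequential action was about to be finalized without valid approval."""


@dataclass(frozen=True)
class Approval:
    approver: str          # human reviewer's user id
    action: str            # action the reviewer approved
    artifact_sha256: str   # hash of the exact artifact the reviewer saw


def artifact_hash(artifact: str) -> str:
    return hashlib.sha256(artifact.encode()).hexdigest()


def check_gate(action: str, artifact: str, approval: Approval | None) -> None:
    """Allow finalization only if a human approved this action on this artifact."""
    if action not in CONSEQUENTIAL:
        return
    if approval is None:
        raise ApprovalRequired(f"{action} requires human approval before finalization")
    if approval.action != action or approval.artifact_sha256 != artifact_hash(artifact):
        # An approval for a different action, or for an earlier version of the
        # draft, is not transferable to the artifact now being finalized.
        raise ApprovalRequired(f"approval does not match the {action} artifact")


def run_in_sandbox(tool_step) -> tuple[object, str]:
    """Run one tool step inside an ephemeral directory removed on completion.

    Returns the step's result and the (already deleted) sandbox path so the
    caller can verify that nothing persisted.
    """
    with tempfile.TemporaryDirectory(prefix="agent-task-") as workdir:
        result = tool_step(workdir)
    return result, workdir


def finalize(action: str, artifact: str, approval: Approval | None) -> dict:
    """Gate the action, then execute its tool step in a fresh sandbox."""
    check_gate(action, artifact, approval)

    def tool_step(workdir: str) -> int:
        path = os.path.join(workdir, "artifact.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(artifact)
        return os.path.getsize(path)

    size, workdir = run_in_sandbox(tool_step)
    return {"action": action, "bytes_written": size,
            "sandbox_removed": not os.path.exists(workdir)}


def demo() -> dict:
    """Unapproved and stale approvals are blocked; a matching approval proceeds."""
    draft_v1 = "Proposal v1"
    draft_v2 = "Proposal v2 (edited after review)"
    outcome: dict = {}
    try:
        finalize("proposal_draft", draft_v1, None)
    except ApprovalRequired:
        outcome["unapproved_blocked"] = True
    stale = Approval("reviewer@example.test", "proposal_draft", artifact_hash(draft_v1))
    try:
        finalize("proposal_draft", draft_v2, stale)
    except ApprovalRequired:
        outcome["stale_approval_blocked"] = True
    current = Approval("reviewer@example.test", "proposal_draft", artifact_hash(draft_v2))
    outcome["result"] = finalize("proposal_draft", draft_v2, current)
    # A non-consequential action (a hypothetical lookup) needs no approval.
    outcome["lookup"] = finalize("search_knowledge_base", "query", None)
    return outcome
```

The sandbox here is a temporary directory; a production orchestrator would use a container or similar isolation, but the contract is the same: the step gets a fresh, task-scoped workspace and nothing from it survives the task.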

A detailed AI Governance and Lifecycle Management Policy is maintained internally and is available to partners and customers under NDA as part of due diligence.

15. Personnel Security

  • Background checks: Background verification checks are conducted on candidates for employment and contract work in accordance with relevant laws and in proportion to the role and the classification of information accessed.
  • Confidentiality agreements: All employees and relevant contractors sign confidentiality/non-disclosure agreements and agree to an acceptable use policy before being granted access to information assets.
  • Security awareness training: Personnel complete mandatory security and privacy awareness training upon hire and at least annually thereafter, along with code-of-conduct training.
  • Code of conduct and disciplinary policy: HR policies include a code of conduct and a disciplinary policy addressing employee misconduct.

16. Physical Security

  • Entry to office premises is restricted to authorized personnel through physical access control systems, with access to sensitive areas granted only to privileged users against written approval and reviewed at least quarterly.
  • Premises are monitored via CCTV at key entry/exit points, visitors are registered and issued identification-only badges, and environmental controls (fire detection/suppression, UPS for power resilience) are maintained and tested, including an annual fire drill.

17. Data Retention and Deletion

  • Document and index data is retained for as long as the client relationship and applicable contract terms require.
  • Upon contract termination or client request, Dimensionless supports complete and auditable deletion of operational data, backups, and configurations in line with the terms agreed in the MSA and Data Processing Addendum, and can provide an offline archive of client data post-termination where contractually agreed.
  • A Data Retention and Disposal Policy and a Media Handling Policy govern the appropriate retention, disclosure, and secure disposal of sensitive, confidential, and personal information, including erasure of data from media prior to disposal.

18. Third-Party and Subprocessor Management

  • A vendor management process requires signed contracts covering scope, roles and responsibilities, compliance requirements, and service levels where applicable, along with confidentiality/NDA terms.
  • Where a subprocessor provides an independent security attestation (such as SOC 2), management reviews it to confirm that outsourced controls are appropriately designed and operating effectively.
  • The current list of subprocessors — including the cloud infrastructure and enterprise AI platform providers used to deliver the Service — is disclosed in the Data Processing Addendum referenced in the References section.

19. Application and API Integrations

PropelPro may integrate with third-party business applications (for example, CRM, productivity, or document-management platforms) where a client enables such an integration. All integrations follow the security principles defined in this Standard:

  • Authentication: Integrations use industry-standard authorization protocols (such as OAuth 2.0) with scoped, least-privilege access; long-lived static credentials are avoided where the integration platform supports token-based access.
  • Data minimization: Only the data required to deliver the integrated functionality is accessed, and third-party application data is not persisted within PropelPro unless functionally necessary and contractually agreed. Where persistence is required, the data is subject to the tenant isolation, encryption, retention, and deletion controls described in this Standard.
  • Transport security: All integration traffic is encrypted in transit using TLS.
  • Change control and review: New integrations are introduced through the secure SDLC and change-management processes described in Section 8, and any associated subprocessors are governed under the vendor management process described in Section 18.
  • Client control: Integrations are enabled at the client's direction and can be revoked by the client; access tokens are revocable and de-provisioned on termination of the integration.

These principles apply equally to integrations that are currently available and to those on the product roadmap.

20. Insurance

Dimensionless maintains commercial insurance coverage appropriate to its operations, including Commercial General Liability and Professional Indemnity / Errors & Omissions (E&O) insurance. Evidence of coverage can be provided to partners and customers under NDA on request, subject to business need.

21. References

The following documents are incorporated by reference and available at the links below (or under NDA where indicated):

  • Privacy Policy: propelpro.ai/privacy
  • Data Processing Addendum (DPA), including subprocessor list: propelpro.ai/dpa
  • SOC 2 Type II report, ISO/IEC 27001 certificate, VAPT summary, and AI Governance & Lifecycle Management Policy: available to partners and customers under NDA on request.

22. Contact

Security, privacy, and compliance inquiries relating to this Standard may be directed to:

  • Security & privacy contact: Office of the COO, Kushagra Singhania — privacy@propelpro.ai
  • General support: support@propelpro.ai
  • Registered office: Dimensionless Technologies Private Limited, CIBA, 6th Floor, Agnel Technical Complex, Sector 9A, Vashi, Navi Mumbai, Maharashtra, India – 400703

Version 1.0 — Effective 29 June 2026. This document is maintained by Dimensionless Technologies Private Limited and is reviewed at least annually or upon material change.