
Trust Center

Built for the trust enterprise buyers actually require.

SalesPort runs ₹8,572 Crore of distribution GMV for 45 dairy, FMCG, and government clients across India and Nepal. This page is where procurement, IT, and security teams find how we host, secure, and govern that data — before they sign.

ISO 27001-Aligned

Controls + quarterly pen-test

India Data Residency

AWS Mumbai (ap-south-1)

Per-Client DB Isolation

Architecture default

DPDP-Aligned

Act 2023 ready

MSME Registered

Govt. of India

8,572 Cr: GMV processed in production
45: Enterprise clients
12 Lakh: Daily transactions
2: Countries (India & Nepal)

The six pillars we secure SalesPort on

Distribution data is operational, financial, and — in dairy — tied to farmer livelihoods. These are the controls that protect it.

Architecture

SalesPort is built on a per-client database isolation model. Each client's distribution data — distributors, outlets, farmers, schemes, payments — lives in its own logical database boundary rather than a shared multi-tenant table keyed by a tenant ID. For enterprise and government buyers, this materially reduces the blast radius of any single-tenant issue and makes data-export, audit, and contractual data-ownership clauses straightforward. Dedicated-instance deployment is available for buyers who require physical separation.

Hosting

Production workloads run on Amazon Web Services in the Mumbai region (ap-south-1), keeping Indian client data resident in India. The platform runs the same Django + MySQL + Flutter stack that powers ₹8,572 Cr of GMV across 45 client companies, so the hosting posture is proven at production scale, not theoretical.

Encryption

All traffic between client devices, the SalesPort mobile apps, and our servers is encrypted in transit using TLS. Data at rest is encrypted at the storage layer. Field-force devices sync offline-captured orders and visits over encrypted channels, so secondary-sales data is protected from the retailer counter to the dashboard.

Access control

Access is governed by role-based access control (RBAC): a beat sales rep, a distributor, a regional manager, a finance user, and a co-operative board member each see only what their role permits. Multi-factor authentication (MFA) is enforced on admin accounts, administrative actions are written to audit logs so privileged changes are attributable, and the platform undergoes quarterly third-party penetration testing under our ISO 27001-aligned control framework.

Backups & recovery

Production databases are backed up on a daily snapshot schedule with retention, and a documented restore procedure exists so a client's environment can be recovered. Disaster-recovery expectations are set in the service agreement at deployment time rather than left implicit.

Uptime commitment

We commit to tiered availability targets — 99.5% on Starter, 99.7% on Growth, and 99.9% on Enterprise deployments — with scheduled maintenance communicated in advance. These are contractual targets in the service agreement, not marketing numbers.

Compliance & data governance

What Indian distribution and dairy procurement teams are required to maintain — and how SalesPort is built to support it.

DPDP Act 2023 (India)

SalesPort is built to support compliance with India's Digital Personal Data Protection Act 2023 — data residency in India, role-scoped access, deletion and export on request, and a documented sub-processor list. See our dedicated /dpdp-compliance statement for the detail Indian procurement teams ask for.

GST e-invoicing

AccountBook generates GST-compliant invoices and supports e-invoicing workflows aligned with the NIC Invoice Registration Portal, so distribution billing meets statutory requirements without a separate compliance tool.

NDDB / AMCS reporting

ProcuPort is built to produce the cooperative-governance and procurement reports that dairy federations and NDDB-affiliated societies are expected to maintain, including AMCS-style member and procurement records.

Data ownership

Client data remains the property of the client at all times. On contract exit, data is exported in a usable format. We do not resell, train external models on, or repurpose client distribution data.

For the India-specific detail, see our DPDP compliance statement and the deeper technical posture on the security page.

Security incident process

If a security incident affecting client data is identified, our process is to contain it, assess the scope, notify affected clients with the facts we have, and remediate — with a follow-up written summary once the issue is resolved. Notification timelines for personal-data breaches follow the expectations of the DPDP Act 2023.

Recent incidents to disclose: none. To report a suspected vulnerability or security concern, email info@sortstring.com. We acknowledge reports and work with reporters in good faith.

Audit & access requests

Enterprise and government buyers can request our vendor security questionnaire, the current sub-processor list, an architecture walkthrough, and the status of any security documentation under NDA. Email info@sortstring.com — requests are typically routed within one business day.

Sub-processors

The third-party services that may process client data as part of delivering SalesPort. We keep this list current and disclose changes to enterprise clients under contract.

Amazon Web Services (Mumbai): Cloud hosting & storage
Razorpay / PayU / Cashfree / Easebuzz: Payment collection & settlement
MSG91 / Exotel: Transactional SMS & voice (OTP, alerts)
DoubleTick (WhatsApp BSP): WhatsApp Business messaging
Tally: Accounting / day-book synchronisation
SAP Business One: ERP integration (where the client runs SAP B1)

Trust & security FAQs

Is SalesPort multi-tenant or single-tenant?

SalesPort uses per-client database isolation by default — each client's data sits in its own logical database boundary rather than a shared multi-tenant table keyed by a tenant ID. For enterprise and government buyers who require physical separation, a dedicated-instance deployment is available. This is one of the most common questions enterprise architecture teams ask, and the answer is on the page deliberately.

Where is our data stored, and does it stay in India?

Production data for Indian clients is hosted on Amazon Web Services in the Mumbai region (ap-south-1), so it remains resident in India — which matters for DPDP Act 2023 expectations and for government empanelment requirements.

Are you ISO 27001 / SOC 2 certified?

Sort String operates ISO 27001-aligned controls — per-client database isolation, encryption in transit and at rest, RBAC with MFA on admin accounts, audit logging, and quarterly third-party penetration testing. "Aligned" means we run to the ISO 27001 control framework; for current formal certification status, SOC 2, and the full security pack, email info@sortstring.com and we'll share it under NDA.

Can our security team run a review or request an audit?

Yes. Enterprise and government buyers can request our vendor security questionnaire, the sub-processor list, and an architecture walkthrough with our engineering team. Email info@sortstring.com and we will route it to the right person — usually within one business day.

What happens to our data if we leave?

Your data remains yours throughout the relationship and is exported to you in a usable format on contract exit. We do not resell client distribution data or use it to train external models.

What is your uptime commitment?

Availability targets are tiered — 99.5% (Starter), 99.7% (Growth), and 99.9% (Enterprise) — and are written into the service agreement, with scheduled maintenance communicated in advance.

Want our security pack for your procurement review?

We will send the vendor security questionnaire and sub-processor list, and set up an architecture walkthrough with the engineering team.