Security by Design
WYNTIQ is built for environments where data security is not optional — Indian defence installations, classified operational deployments, and enterprise operations where audit integrity is legally required. Every layer of the platform is designed with security as a first principle.
🔒 AES-256 Encryption
🇮🇳 Data Stays in India
📡 Air-Gap Capable
🔗 Tamper-Proof Audit Chain
🛡️ DPDPA Compliant
🔐
Encryption Standard
AES-256
🇮🇳
Data Location
India Only
Encryption
How WYNTIQ Protects Your Data
WYNTIQ implements encryption at every layer where data could be exposed — at rest, in transit, and on device. The encryption standards used are the same standards adopted by intelligence agencies and defence organisations globally for their most sensitive data.
💾
Encryption at Rest
All data stored in WYNTIQ — whether on cloud servers, on-premise servers, or on individual devices — is encrypted using AES-256. AES (Advanced Encryption Standard) with a 256-bit key is the encryption standard recommended by the US National Security Agency for top-secret information, and is considered computationally unbreakable with current and projected future computing technology. This means that even if a server's storage media or a device's internal storage were physically extracted, the data would be completely unreadable without the cryptographic key.
Algorithm: AES-256-GCM
Key Management: Per-tenant encryption keys, HSM-backed on cloud
Device Storage: Browser IndexedDB with Web Crypto API encryption
🌐
Encryption in Transit
All data transmitted between WYNTIQ devices and servers uses TLS 1.3, the most current version of Transport Layer Security. TLS 1.3 provides forward secrecy, meaning that even if a server's long-term private key were compromised in the future, previously captured encrypted traffic could not be decrypted. TLS 1.3 also eliminated several vulnerability classes present in older TLS versions. Certificate pinning is implemented to prevent man-in-the-middle attacks in environments where network traffic may be intercepted.
Protocol: TLS 1.3 (TLS 1.2 minimum, earlier versions disabled)
Certificate: SHA-256 with RSA-4096 or ECDSA P-384
HSTS: Enabled with 1-year max-age and preloading
🔑
Password Security
User passwords are never stored in readable form. WYNTIQ uses bcrypt with a work factor of 12 for password hashing — a one-way function that cannot be reversed. Even if the complete user database were extracted by an attacker, passwords could not be recovered from the stored hashes. The work factor is set to ensure that brute-force attacks against hashed passwords are computationally expensive. Password complexity requirements — minimum length, complexity rules, expiry intervals, and account lockout — are configurable by system administrators to match the organisation's security policy.
Hash Algorithm: bcrypt, work factor 12
Salt: Per-user random salt (built into bcrypt)
2FA: TOTP (RFC 6238) and SMS OTP options
📱
Device Security
Devices running WYNTIQ are a potential attack surface — particularly for field deployments where devices may be lost or captured. WYNTIQ addresses this through device-level encryption (all cached data encrypted on device using the Web Crypto API), session timeout (sessions expire after configurable inactivity periods requiring re-authentication), remote wipe capability (administrators can remotely clear WYNTIQ data from lost devices), and data compartmentalisation (each device caches only data relevant to its configured role and location — limiting exposure from any single device compromise).
Local Storage: Encrypted with device-bound key
Session Timeout: Configurable, default 30 minutes
Remote Wipe: On next network contact
Deployment Models
Three Deployment Options — One for Every Security Requirement
WYNTIQ offers three deployment models providing progressively higher levels of data isolation. Organisations choose the model appropriate to their security requirements and operational constraints.
☁️
Cloud Deployment
Hosted on TwinStance Solutions' managed infrastructure in India. Data never leaves Indian data centres. Suitable for enterprise customers and non-classified defence administrative functions.
- ✅ Data hosted in India only
- ✅ AES-256 encryption at rest
- ✅ TLS 1.3 in transit
- ✅ 99.5% uptime SLA
- ✅ Automatic backups every 6 hours
- ✅ Automatic security updates
- ⚠️ Data managed by TwinStance Solutions
🖥️
On-Premise Deployment
Installed on the customer's own servers within their own network perimeter. No data transmitted externally. Full data control with TwinStance Solutions providing software and support.
- ✅ Data on customer infrastructure only
- ✅ No data leaves customer network
- ✅ Full customer data control
- ✅ Regular update packages provided
- ✅ Remote technical support available
- ✅ Suitable for sensitive installations
- ⚠️ Customer manages hardware reliability
🔒
Air-Gapped Deployment
Completely isolated installation with no network connection to the outside world. Zero data ever leaves the installation. The highest level of data isolation available — designed for classified defence environments.
- ✅ Zero external network connectivity
- ✅ No internet required — ever
- ✅ Updates via encrypted physical media
- ✅ On-site support by Indian citizens only
- ✅ Full offline operation on all devices
- ✅ Local LAN sync between devices
- ✅ Suitable for classified environments
Tamper-Proof Audit Trail
Every transaction in WYNTIQ is permanent, attributable, and mathematically verifiable. Nothing can be hidden, nothing can be changed, and nothing can be selectively omitted.
Append-Only Architecture
The audit trail in WYNTIQ is technically append-only. Records can be created but never modified or deleted — this constraint applies to every user including system administrators and TwinStance Solutions staff. Once a transaction is recorded, it is permanent. Attempts to modify or delete records are technically prevented by the database architecture, not just by access control rules. Access control rules can be changed — technical impossibility cannot.
Cryptographic Hash Chain
WYNTIQ implements a cryptographic hash chain across all audit records. Each record includes a SHA-256 hash of the previous record's content. This creates a chain where any modification to any historical record (even a single character change) changes the hash of that record, so it no longer matches the value stored in the next record, and the mismatch cascades through the entire chain. The hash verification can be run at any time to prove that the complete audit trail has not been tampered with since creation.
Record #4821  a3f8c9d2e1b7... → SHA-256 → 7f4a2c91e8d3...
↓
Record #4822  prev_hash:7f4a2c91... → SHA-256 → 2b9e5a4f1c8d...
↓
Record #4823  prev_hash:2b9e5a4f... → SHA-256 → 9c1f7e3b4a2d...
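The chain described above can be built and checked as follows. This is an added example, not WYNTIQ's own code: the record fields, the all-zero genesis value, the JSON canonicalisation and the externally held head hash are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: prev_hash value used by the first record


def record_hash(record):
    """SHA-256 over a canonical JSON encoding, so equal content gives equal bytes."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def append(chain, entry):
    """Append entry, binding it to the hash of the record before it."""
    prev = record_hash(chain[-1]) if chain else GENESIS
    chain.append(dict(entry, prev_hash=prev))


def verify(chain, trusted_head):
    """Return (status, index); index is the first record whose prev_hash
    does not match its predecessor (the altered record precedes it)."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record.get("prev_hash") != prev:
            return ("broken_link", i)
        prev = record_hash(record)
    # Links alone cannot catch an edit to the newest record, or a chain that
    # was re-hashed from the edit onward. Compare the head with a copy held
    # outside the database (assumed here to come from a signed export).
    if prev != trusted_head:
        return ("head_mismatch", None)
    return ("ok", None)


def sample_chain():
    """Constructed sample records; field names are illustrative."""
    chain = []
    for rid, user, action in [(4821, "tech-07", "raise_demand"),
                              (4822, "officer-02", "approve"),
                              (4823, "logistics-11", "issue")]:
        append(chain, {"id": rid, "user": user, "action": action})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    head = record_hash(chain[-1])
    print(verify(chain, head))
    chain[0]["user"] = "tech-99"  # edit one historical field
    print(verify(chain, head))
```

The head comparison is what makes the check meaningful to an auditor: without a reference hash stored away from the records, a chain recomputed after an edit verifies cleanly.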
Full Attribution on Every Record
Every record in the audit trail includes the complete attribution required for accountability: which user performed the action (name, rank, user ID), what action was taken, on which item or demand, at what time (server-side timestamp, not device time which could be manipulated), under whose authority, and any accompanying notes or justification. For approval actions, the approving officer's digital signature is captured as evidence of the decision. For override actions, the authorising officer's credentials, timestamp, and stated justification are all permanently recorded.
Certified Export for Inspections
WYNTIQ can generate certified audit exports — CSV files that include all transaction records for a specified period and scope, along with the hash verification metadata that proves the records have not been tampered with. The export itself includes a digital signature from the WYNTIQ system. These certified exports can be submitted as documentary evidence for Courts of Inquiry, CAG inspections, statutory audits, and legal proceedings, with the technical evidence of their integrity available to support their authenticity.
Access Control
Six-Tier Role-Based Access
WYNTIQ implements strict role-based access control where each user can only see and do what their role requires. Access is determined at the application level — users are not just shown less, they technically cannot access data or functions outside their role scope.
👷 Technician
Raise demands · View own demand status · Confirm receipt · Cannot see inventory levels · Cannot approve · Cannot access other users' demands
🎖️ Officer
Review and approve demands requiring procurement · View all demands in area of responsibility · Cannot issue from store directly · Cannot see financial details beyond demand value
📦 Logistics
Issue items from store · Receive vendor deliveries · Check all inventory · Process inter-site transfers · View all pending demands · Cannot approve financially
💼 Accounts
Review and approve financial aspects of procurement demands · Budget verification · Expenditure authorisation · Cannot see operational details beyond what is financially relevant
🚚 Vendor
View own purchase orders only · Acknowledge PO receipt · Confirm delivery details · Zero access to any internal system data · Isolated vendor portal access
⚙️ Admin
Full system access · User management · Configuration · All reports and transaction history · Cannot modify or delete audit records (technically prevented)
Data Sovereignty
India Data — India Only
For Indian defence and enterprise customers, data sovereignty is not just a preference — it is a strategic and regulatory requirement. WYNTIQ's data sovereignty commitment is absolute and unconditional.
🗄️
Data Location
All WYNTIQ cloud data is stored on servers physically located in India. TwinStance Solutions does not have data centres outside India and does not contract with foreign cloud providers for customer data storage. Customer data is never replicated to servers outside India under any circumstances — including for backup, disaster recovery, or analytics purposes.
👥
Personnel Access
WYNTIQ is designed, developed, and maintained by TwinStance Solutions LLP — a registered Indian company (LLPIN: AAQ-0042) with all employees being Indian citizens based in India. No foreign personnel have access to WYNTIQ's codebase, infrastructure, or customer data. For classified defence deployments, on-site personnel are subject to appropriate security clearance processes.
📜
Legal Jurisdiction
WYNTIQ is a product of an Indian company governed by Indian law. Customer contracts are governed by Indian law with disputes subject to Indian jurisdiction. There are no provisions that subject WYNTIQ data to foreign court orders, foreign regulatory requirements, or foreign government access requests. The entire legal and operational chain for WYNTIQ is Indian.
🔧
Supply Chain Security
WYNTIQ is built with open-source components that are reviewed before adoption and kept updated to address security vulnerabilities. All dependencies are documented and their security status is tracked. TwinStance Solutions does not rely on components from sanctioned countries or organisations, ensuring that there are no supply chain vectors for foreign interference in the platform's operation.
Regulatory Compliance
Compliance Framework
DPDPA 2023
Digital Personal Data Protection Act, 2023
WYNTIQ processes only personal data necessary for operation — user names, role, contact details — and uses it only for stated purposes. Users have rights to access, correct, and delete their data. TwinStance Solutions does not sell or share personal data.
✅ Compliant
MeitY Guidelines
Ministry of Electronics & Information Technology
WYNTIQ follows MeitY guidelines on data localisation and government cloud deployment requirements for platforms handling sensitive government and defence data.
✅ Aligned
ISO 27001
Information Security Management
TwinStance Solutions follows ISO 27001 information security management principles for its internal operations. Full ISO 27001 certification is on the roadmap for 2026.
🔄 In Progress
OWASP Top 10
Open Web Application Security Project
WYNTIQ is developed with OWASP Top 10 web application security risks as a baseline security checklist. Periodic security reviews assess WYNTIQ against the current OWASP Top 10.
✅ Implemented
DCA Guidelines
Defence Cyber Agency, Ministry of Defence
TwinStance Solutions is prepared to cooperate with Defence Cyber Agency evaluation for defence deployments requiring formal security certification. Technical documentation is available on request.
🔄 Evaluation Ready
CERT-In
Indian Computer Emergency Response Team
WYNTIQ is operated in compliance with CERT-In guidelines on information security practices for Indian IT organisations, including incident reporting obligations.
✅ Compliant
Security documentation available on request
For formal security evaluations, procurement due diligence, or Defence Cyber Agency assessments — TwinStance Solutions provides complete technical security documentation including architecture diagrams, data flow maps, and security assessment reports.