Trust starts with how we treat your data. At Capillary Technologies, privacy isn’t a feature to toggle on. It’s a basic right and a sign of respect for every person we serve. Every business, big or small, owes its customers care, dignity, and clear communication about their information.

That is why privacy and security are built into how we work. From the first whiteboard sketch to every release, training, and support call, we ask two simple questions: Does this protect people, and does this earn trust?

We back that promise with disciplined practice. Security and privacy are part of our development process from day one. Our controls align with the world’s toughest laws and standards, including GDPR, CCPA, India’s DPDPA, and HIPAA. More importantly, we follow the values behind them: transparency, choice, fairness, and accountability. And we show our work through real features and proof points—clear consent flows, data minimization, encryption, role-based access, audits, and certifications—so you can see that privacy is not just promised but delivered.

That’s why this story matters to every role that safeguards trust—for CISOs and Security Teams, it’s about how Capillary’s infrastructure and Shield+ roadmap enable continuous compliance and zero-trust defense; for Legal and Privacy Officers, it’s about understanding how our platform operationalizes global laws into everyday action & any other persona who’s directly/indirectly associated with security.

Our Principles in Action

Transparency ensures that brands and their customers always know what data is collected, why, and how it’s protected. Choice and consent mean no marketing, profiling, or personalization happens without clear, revocable permission. Purpose limitation ensures data is used only as described, and data minimization means we collect and retain only what’s needed—never more.

Every user has the right to access and erase their data, while security and confidentiality protect that data everywhere—at rest, in transit, and across every workflow. Regional data residency gives customers control over where their data lives, and auditability ensures every critical action is logged for full accountability. These principles shape our technology, services, and partnerships, helping brands not just comply but lead on privacy.

Privacy by Design

At Capillary, privacy is built into our platform, processes, and customer partnerships from the very start. Brands are empowered to clearly communicate what data is collected, why it’s needed, and how it will be used—so customers always have control.

We ensure data minimization by reviewing every data field for business necessity. If it isn’t essential, it isn’t collected. Potentially Sensitive Information (PSI) is protected through adaptive tagging and masking across all interfaces, with strict access permissions and audit logs that record every unmasking action.

Capillary’s consent and subscription management tools enable customers to manage their communication preferences across multiple channels and message types. Brands can synchronize preferences across business units, apply country-specific DND compliance, and maintain clear, timestamped audit trails.

Data deletion requests can be initiated anytime, whether by customers or brands, with configurable scope and timing to meet regulatory or business needs. Every step—request, approval, and final erasure—is logged for transparency. Similarly, customers can securely view and modify their data through multiple channels, with full audit trails for every access and update.

To ensure accountability, every access to customer data by a service representative requires a logged reason, creating a transparent record of who did what, when, and why. Supervisors can review these logs easily, supporting both internal audit and compliance.

Built-In Data Security

Capillary enforces strong encryption across every data boundary—whether at rest, in transit, or during export. Sensitive data is encrypted with public-private key protocols, inbound files are secured in transit, and sensitive fields can be hashed for extra protection. Brands manage and rotate their own keys, with every change logged for assurance.

Our regional data residency framework allows customers to keep data within preferred jurisdictions—whether in the US, EU, Singapore, or India—meeting local compliance requirements for sectors like BFSI, healthtech, and government.

Security and privacy are reinforced by organizational practices and policies. Capillary is SOC 2 Type II compliant, with regular third-party penetration testing and pre-release security reviews for every product update. Ongoing employee training ensures every team member understands their role in safeguarding data, while automatic data deletion on client churn ensures that once a contract ends, all data is permanently erased as per retention agreements.

Privacy at Capillary is a living, operational reality—embedded in data classification, encryption, user empowerment, and global compliance. Our robust disaster recovery, business continuity, and vendor management processes ensure resilience and control. The Capillary platform is designed so businesses can confidently meet the highest bar for privacy and security, building genuine trust with customers and driving stronger relationships.

Security: A Foundational Commitment

Security at Capillary isn’t a technical checklist—it’s a promise. It starts with a simple principle: only the right users get the right access, at the right time—nobody else.

Identity and Access Management

Managing access is our first and strongest line of defense. For employees and admins, multi-factor authentication (MFA) is mandatory. Single Sign-On (SSO) integration with providers like Okta and Azure AD simplifies secure access, while Role-Based Access Control (RBAC) ensures every user has the least privilege necessary. Every action in the Access Management Console is logged for full visibility.

For integrations, OAuth 2.0 ensures secure authentication, with each client issued unique credentials and limited permissions. Capillary integrates seamlessly with platforms like SFTP, S3, Kafka, Adobe Experience Platform, and Salesforce Marketing Cloud. A centralized credentials store is on our roadmap to further restrict access and enhance auditability.

For customer apps, Capillary provides secure authentication flows—whether through in-house OTP and password-based systems or integrations with providers like Auth0, AWS Cognito, and Akamai JanRain. Enterprise clients can use OAuth 2.0 authorization code flows for advanced SSO experiences and partner integrations.

Network and Infrastructure Security

All customer data is encrypted using AES-256 at rest and TLS in transit. Comprehensive rate limiting, IP allowlisting, and secure change management prevent unauthorized access and brute-force attacks. Every critical activity is logged, monitored, and protected by Cloudflare-powered WAF and DDoS defenses, ensuring high availability and reliability.

Compliance, Assurance, and Recovery

Capillary’s controls are regularly audited against ISO 27001:2022, PCI DSS 4.0, and SOC 2 Type II standards. Routine penetration testing, quarterly disaster recovery drills, and comprehensive training programs ensure preparedness and resilience. Recovery Point Objectives (RPO) of 30 minutes and Recovery Time Objectives (RTO) of 4 hours demonstrate our commitment to uptime and continuity.

Security at Capillary means no shortcuts, no insecure protocols—just trusted, flexible control and real-world protection.