Compliance

ISO 27001:2022 — Information Security Management

IMAST is certified to the ISO 27001:2022 standard, the internationally recognized framework for information security management systems (ISMS). This certification covers the design, development, deployment, and operation of the entire IMAST 360 platform, including LoyaltyBoard, Distribution+, Sales Track, LeadSprint, and TrueView. Our ISMS encompasses risk assessment, security controls, access management, incident response, and continuous improvement processes.

ISO 27017 — Cloud Security Controls

As a cloud-based SaaS provider, IMAST adheres to ISO 27017, which provides guidelines for information security controls applicable to cloud services. This certification demonstrates that we implement cloud-specific safeguards beyond the baseline ISO 27001 controls, covering areas such as shared responsibility, virtual machine hardening, cloud service customer data segregation, and administrative operations security.

ISO 27018 — PII Protection in Cloud

IMAST's ISO 27018 certification validates our practices for protecting personally identifiable information (PII) in public cloud computing environments. This standard ensures that we process personal data only as instructed by our customers, provide transparency about data handling practices, and implement strong controls against unauthorized access, disclosure, or loss of personal data.

SOC 2 Type II — Security, Availability & Confidentiality

Our SOC 2 Type II report, issued by an independent auditing firm, verifies that IMAST's controls for security, availability, and confidentiality are not only properly designed but have been operating effectively over an extended observation period. This audit evaluates our internal controls, policies, and procedures against the AICPA Trust Services Criteria. The report is available to customers and prospects under NDA.

GDPR — EU Data Protection

IMAST is fully compliant with the General Data Protection Regulation (GDPR). We provide our customers with the tools and processes required to fulfill data subject rights, maintain records of processing activities, conduct data protection impact assessments, and ensure lawful data transfers. Our Data Protection Officer (DPO) oversees GDPR compliance across the organization. For details, see our dedicated GDPR Compliance page.

India IT Act 2000 — Indian Data Protection Compliance

As a company headquartered in Indore, Madhya Pradesh, India, IMAST complies with the Information Technology Act, 2000 and its associated rules, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. We implement reasonable security practices as prescribed, maintain appropriate privacy policies, and ensure lawful collection and processing of sensitive personal data.

Audit Schedule

IMAST undergoes annual external audits conducted by accredited third-party auditors. Our audit cycle includes:

• Annual ISO 27001, ISO 27017, and ISO 27018 surveillance or recertification audits
• Annual SOC 2 Type II audit covering the prior 12-month period
• Quarterly internal audits conducted by our information security team to assess control effectiveness
• Ad hoc audits triggered by significant changes to infrastructure, processes, or regulatory requirements

Requesting Compliance Documents

Customers and prospective customers may request copies of our compliance certifications, audit reports, and security questionnaire responses. Certain documents, such as the SOC 2 Type II report, are provided under a mutual non-disclosure agreement.

To request compliance documentation, please contact us at: compliance@imast.in

IMAST Operations Private Limited, Indore, Madhya Pradesh, India