Security & compliance built for regulated India.

Lending and voice AI touch sensitive borrower data, telecom rules, and RBI expectations. This page is our single reference for data residency, certifications, RBI-aligned controls, and TRAI compliance on Varta - so diligence doesn't stall on missing answers.

India data residency

Production workloads for Indian clients processed and stored in India by default.

Encryption in transit & at rest

TLS for every connection, AES-256 for stored call logs, transcripts, and CRM records.

Role-based access

Least-privilege permissions, branch isolation on CRM, and audit trails on sensitive actions.

Diligence-ready docs

Security overview, DPA, and vendor questionnaires available during evaluation.

Data residency

Your data stays where your regulators expect it

Mixins is headquartered in Jaipur and builds for Indian lending and fintech teams first. Customer data for India deployments - call recordings, transcripts, borrower PII, and CRM records - is processed and stored within India unless you agree a different architecture in writing.

  • Default India-region hosting for Varta and Loan CRM production environments
  • Logical tenant isolation between customers; enterprise options for dedicated infrastructure
  • Configurable retention windows for call logs, recordings, and CRM audit history
  • Sub-processors disclosed during vendor diligence with data-processing agreements
  • Cross-border transfer only with explicit contractual safeguards when required

RBI & lending regulations

Controls NBFC and lending teams can map to RBI expectations

Loan CRM and Varta are used inside regulated lending operations. We design for the practical requirements NBFCs face - outsourcing due diligence, fair-practice traceability, and IT governance - without pretending to be a substitute for your compliance officer.

  • Documentation to support RBI outsourcing and vendor due-diligence questionnaires
  • Immutable audit timelines on CRM actions - who changed what, when, and from which branch
  • Segregation of duties via role-based workflows so agents cannot bypass credit or compliance steps
  • Borrower communication history linked to accounts for fair-practices and grievance review
  • Incident response and breach notification procedures aligned with contractual SLAs
  • Work with your legal team to map product controls to your license category and board policies

Certifications

SOC 2 and ISO - where we stand today

We invest in frameworks enterprise buyers recognize. Status below is current as of publication; ask for our latest security pack if you are in active diligence.

SOC 2 Type II

In progress

Security, availability, and confidentiality controls

Our control environment is designed around SOC 2 Type II objectives. Type II attestation is in progress - request our current security overview and control matrix during evaluation.

ISO 27001

Aligned

Information security management practices

Policies and procedures mapped to ISO 27001 principles - access control, asset management, incident handling, and supplier security. Formal certification is on our roadmap; aligned practices are in place today.

Security questionnaire

Available

Standard vendor diligence pack

Architecture overview, encryption standards, subprocessors, backup and DR summary, and incident response outline - shared under NDA during sales and procurement.

TRAI & telecom (Varta)

Outbound voice compliance for India

Promotional dialing in India runs through TRAI's UCC framework and the National Do Not Disturb (NCPR) registry. Varta includes pre-dial scrubbing, calling-window enforcement, consent tagging, and audit logs - the controls ops teams need before campaigns go live.

See also the Varta product page for pre-dial compliance workflows in context.

  • NCPR / DND registry scrubbing before outbound numbers enter the dial queue
  • Promotional calling restricted to permitted hours (9 AM–9 PM IST per TRAI)
  • Separate workflows for transactional vs promotional communication with consent categories
  • Suppression lists, opt-outs, and registered-customer consent tracked per campaign
  • Timestamped audit logs for scrub results, dial attempts, dispositions, and agent actions

This page describes Mixins product and operational controls. It is not legal advice. Regulated entities should validate fit with their license conditions, board policies, and counsel before go-live.

Ready to deploy voice AI in production?

Start with Mixins Varta - our multilingual voice AI product - or talk to us about plans, integrations, and how Varta fits your customer journey.

No obligation. Just a focused conversation about your roadmap.