Enterprise procurement reviewers can stop chasing us for status. The vendor questionnaire is on this page. Updated whenever status changes (last update: 2026-06-03).
The big-three procurement asks. Honest progress beats silence.
Engaged, with auditor selection underway; observation period scoped. Type 1 first, to get the controls letter on file faster.
Follows immediately after Type 1 closes — six-month observation window.
Running parallel with SOC 2 to share the ISMS work — single control set, two reports.
Privacy extension on top of 27001. Sequenced after the base ISMS is certified.
Annual third-party vulnerability assessment + penetration test. Current certificate dated within the last 12 months; shared under NDA.
What Indian law actually requires of an accounting platform — not aspirational, in production.
Privacy notice, lawful-basis register, subject access endpoint, and right-to-erasure endpoint all shipped and exercisable from /dashboard/settings/privacy.
Seven-year retention guaranteed for books of account via immutable audit trail. Periods sealed with Merkle roots cannot be retroactively altered.
Every edit captured via SHA-256 hash-chain plus activity_events log — actor, before/after, IP, timestamp.
ICAI SQC-1 compliance for CA firms: two-person sign-off on engagement decisions plus immutable engagement log.
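The tamper-evidence claims above (hash-chained activity_events, periods sealed with Merkle roots) are easier to evaluate with a concrete model of what each layer does and does not catch. The following is an added illustration written for this page, not Ongravy's own code; the event fields mirror the list above (actor, before/after, IP, timestamp), the period and event values are constructed samples, and the `AuditLog`, `merkle_root` and `demo` names are assumptions of this example.

```python
"""Hash-chained audit log with Merkle-sealed periods (illustrative example, not Ongravy's code)."""
import hashlib
import json
from copy import deepcopy
from typing import Any, Dict, List

GENESIS = "0" * 64  # prev_hash of the very first event


def canonical(obj: Any) -> bytes:
    # Deterministic encoding so the same event always hashes to the same bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def event_hash(event: Dict[str, Any]) -> str:
    # The hash covers prev_hash and every field except the hash itself
    body = {k: v for k, v in event.items() if k != "hash"}
    return sha256_hex(canonical(body))


def merkle_root(leaves: List[str]) -> str:
    # Plain binary Merkle tree over event hashes; an odd trailing node is paired with itself
    if not leaves:
        return sha256_hex(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode()) for i in range(0, len(level), 2)]
    return level[0]


class AuditLog:
    def __init__(self) -> None:
        self.events: List[Dict[str, Any]] = []
        self.seals: Dict[str, Dict[str, int]] = {}  # period id -> {start, end}

    def append(self, actor: str, before: Any, after: Any, ip: str, timestamp: str) -> Dict[str, Any]:
        prev = self.events[-1]["hash"] if self.events else GENESIS
        ev = {"actor": actor, "before": before, "after": after, "ip": ip,
              "timestamp": timestamp, "prev_hash": prev}
        ev["hash"] = event_hash(ev)
        self.events.append(ev)
        return ev

    def seal_period(self, period_id: str, start: int, end: int) -> str:
        # The returned root must be kept somewhere the database writer cannot reach
        # (client, auditor, transparency log); the log only remembers the slice bounds
        self.seals[period_id] = {"start": start, "end": end}
        return merkle_root([e["hash"] for e in self.events[start:end]])

    def verify_chain(self) -> bool:
        # Every event must point at its predecessor and hash to its stored value
        prev = GENESIS
        for ev in self.events:
            if ev["prev_hash"] != prev or event_hash(ev) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def verify_period(self, period_id: str, trusted_root: str) -> bool:
        s = self.seals[period_id]
        return merkle_root([e["hash"] for e in self.events[s["start"]:s["end"]]]) == trusted_root


def demo() -> Dict[str, bool]:
    log = AuditLog()
    # Constructed sample events (addresses and amounts are made up)
    log.append("priya@example-ca.in", {"amount": 1000}, {"amount": 1200}, "203.0.113.5", "2026-04-01T10:00:00+05:30")
    log.append("arjun@example-ca.in", None, {"invoice": "INV-7"}, "203.0.113.9", "2026-04-02T11:30:00+05:30")
    log.append("priya@example-ca.in", {"gst": 18}, {"gst": 12}, "203.0.113.5", "2026-04-03T09:15:00+05:30")
    root = log.seal_period("2026-Q1", 0, 3)  # held by the verifier, outside the database
    results = {"clean": log.verify_chain() and log.verify_period("2026-Q1", root)}

    # Failure mode 1: a single row edited in place -> the chain link breaks immediately
    tampered = deepcopy(log)
    tampered.events[1]["after"] = {"invoice": "INV-7", "amount": 99999}
    results["edit_chain"] = tampered.verify_chain()

    # Failure mode 2: the same edit followed by re-hashing every later row
    # (what full write access to the table allows) -> the chain alone looks valid
    for i in range(1, len(tampered.events)):
        tampered.events[i]["prev_hash"] = tampered.events[i - 1]["hash"]
        tampered.events[i]["hash"] = event_hash(tampered.events[i])
    results["rewrite_chain"] = tampered.verify_chain()
    # ...but the externally held period root no longer matches
    results["rewrite_seal"] = tampered.verify_period("2026-Q1", root)
    return results


if __name__ == "__main__":
    print(demo())
```

The chain catches an in-place edit; only the sealed root, held outside the writer's reach, catches a full rewrite. That is the check a reviewer should ask about when reading "periods sealed with Merkle roots cannot be retroactively altered": where the roots are published and who can compare them.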
Live submission paths to GSTN. The GSP licence is the gating dependency.
Cygnet, IRIS, and Vayana under evaluation. Decision criteria: uptime SLA, IRP latency, EWB throughput cap.
Adapter implemented and tested against sandbox; flips to live the day the GSP contract is signed.
Same posture as IRP — sandbox-validated, GSP-gated. EWB cancellation + extension flows already coded.
Computer-use beta automates TRACES filings without a GSP — agent navigates the portal directly using vision + DOM tools.
Bank data acquisition strategy: consumer-consent AA route, not direct bank deals.
Primary AA candidate — broadest FIP coverage among Indian banks.
Secondary AA + statement-parsing fallback evaluated alongside Setu.
AA aggregator with strong NBFC connectivity — under evaluation for lender-side flows.
Direct corporate bank APIs are deliberately out of scope. Consumer + AA route preferred — better coverage, faster onboarding, no per-bank legal.
Aadhaar e-sign + PAdES PDF signing flow needed for filings and engagement letters.
Application Service Provider (ASP) certificate application filed with CDAC; integration code complete, blocked on cert issuance.
For pulling client KYC docs (PAN, GST cert, incorporation cert) directly with consumer consent.
Hardware Security Module-backed PAdES Level B-T signatures for archive-grade signed PDFs (audit reports, engagement letters).
GCC + APAC e-invoice mandates — where we are in each country track.
Peppol-based Phase 2 mandate. Waiting on FTA spec freeze and X.509 certificate enrolment.
Clearance + reporting model. Same posture as UAE — adapter built, awaiting cert + spec freeze.
Singapore Peppol access point onboarding underway with a certified provider.
Where your data lives, end to end. All India-resident by default.
Postgres primary in Mumbai. No client data leaves India for normal request handling.
Attachments and generated PDFs pinned to the same Mumbai region as the database.
Transactional email via Resend. Only the minimum payload (OTP, invoice PDF link) leaves our infra.
Claude API with zero-retention contract. Inference traffic is not retained for training.
First-party Vercel Analytics only — no Google Analytics, no third-party trackers.
Explicit anti-commitments. These are guardrails our customers can hold us to.
No data brokering, no aggregated-data resale, no anonymous-cohort sale. Period.
No customer data flows into model training without an explicit, per-business opt-in. Default is opt-out.
@ongravy/agent-kit is trained on synthetic + public data only. Your ledger never leaves your tenant for our model work.
Email security@ongravy.com and we'll fill out your vendor questionnaire line-by-line. Procurement calls happen with a founder, not a chatbot.