Brand-fidelity AI is only useful if the system underneath it is compliant AI. Drishti is built — from the database trigger up — to satisfy the four things every premium D2C and enterprise procurement desk asks about before they sign.
Drishti maps cleanly to the Digital Personal Data Protection Act, 2023. Explicit purpose-bound consent at signup, right to erasure honoured within 30 days, scoped audit retention, and a designated Data Protection Officer role at the database level.
Built for the India–EU customer overlap. Article 20 data export ships your generations, brand vaults, and metadata as a structured ZIP. Article 17 erasure cascades through S3 and Postgres. Consent UX matches EU expectations — no dark patterns, no pre-ticked boxes.
Every Drishti-generated image carries a C2PA manifest signed by our studio identity and the IPTC AI Generated flag. Downstream verifiers — Adobe, Meta, news desks — can confirm provenance without trusting our metadata API.
Every tenant-scoped Postgres table runs RLS with FORCE enabled — so even the schema owner cannot bypass the policy. Membership checks route through SECURITY DEFINER helpers (drishti.my_workspace_ids), eliminating both recursion and the cross-tenant leak class.
audit_log refuses UPDATE and DELETE at the database trigger level. Engineers, admins, and even the DBA cannot silently rewrite history. Retention is 7 years to satisfy financial-records statutes for Indian and EU enterprise customers.
Every super, cs, dpo, and editor account must enrol TOTP before any sensitive operation. Recovery codes are one-shot and rotate. The admin dashboard refuses payouts, refunds, and DPDP responses without a fresh TOTP code in the last 5 minutes.
Amazon S3 · ap-south-1
Source product photographs you upload. Deleted from S3 automatically after seven days. Available to the verifier and renderer only — never indexed for search or analytics.
S3 · long-lived
Verified generations stay in your workspace until you delete them or invoke right-to-erasure. Customer-owned. We do not train, demo, or cross-tenant aggregate.
Postgres · ap-south-1
Every INSERT / UPDATE / DELETE on a sensitive table writes a prev/next snapshot. Append-only at the database level. Visible only to DPO and super-admin roles.
Encrypted S3 dumps
Nightly Postgres + S3 snapshots, AES-256 at rest, KMS-managed keys. Restorations require two-person authorisation and produce their own audit-log entries.
All buckets and databases sit inside the ap-south-1 (Mumbai) AWS region. Cross-region replication is opt-in per workspace and disabled by default. Customer data does not leave India unless a workspace owner explicitly enables a secondary region.
Never train models on customer images without an explicit, per-workspace opt-in.
Never use a customer's generations to demo, market, or pitch to another customer.
Never resell or aggregate brand DNA — colours, fonts, motifs — across workspaces.
Never store credit-card numbers ourselves. Razorpay tokenises; we hold a reference, not a PAN.
Never send PII to analytics platforms. PostHog autocapture is off by default; we ship coarse events only.
Never delete a row from the audit log. The database refuses the operation, not the application.
Never permit cross-tenant SELECT. Row-level security denies it even for our own engineers in production.
Every Drishti generation is graded by a separate stack from the one that produced it. Five independent checks run in parallel; the lowest sub-score floors the final fidelity. Anything under 75 is refunded automatically and never enters your library. Anything over 90 carries a gold ring on the artifact.
Note: v1 ships a CPU stub of this verifier stack — same contract, lighter weights. The full GPU verifier rolls out in P8, gated behind the existing fidelity threshold so no customer-facing promise changes between versions.
In scope: 13-204-237-151.nip.io and any sub-domain we control under this host. Out of scope: third-party services we vendor (Razorpay, S3, Gemini) — disclose to them directly.
Drishti has a designated Data Protection Officer separate from engineering. DPDP requests are logged in dpdp_requests and surfaced in the admin console for the DPO role only.
Drishti is open to a SOC 2 Type II engagement for enterprise customers committing to House or Enterprise tiers. Talk to us on the enterprise page.
Talk to enterpriseThree deliberate choices separate Drishti from a typical AI-generation SaaS. Each one cost us shipping speed; each one removes a class of failure that procurement, DPDP audit, or engineering review would have caught later anyway.
Multi-tenant SaaS that retrofits row-level security usually discovers a cross-tenant leak before the policies stabilise. Drishti turned on FORCE ROW LEVEL SECURITY in migration 0002 — before the first paying tenant signed up. Every tenant table routes membership checks through a SECURITY DEFINER helper, so the policy can't recurse on itself and the schema owner can't silently bypass it.
Application-level audit logs assume the application is honest. A compromised service account, a hurried engineer, or an upstream library bug can all drop a write. Drishti's audit log is a Postgres trigger that fires on every INSERT, UPDATE, and DELETE on sensitive tables — and a second trigger refuses UPDATE and DELETE on the log itself. Bypassing it requires DBA access, which itself produces an entry.
A GPU-grade verifier costs more than the renderer it's grading. Drishti v1 ships a CPU stub of the verification stack so the customer contract — refund under 75, gold ring over 90 — is real from day one. P8 swaps the stub for the GPU version without renegotiating any threshold the customer signed up to. We'd rather under-promise on score variance than over-promise on capability.
Source code reference: this argument is grounded in migrations 0002 and 0003 of the Drishti repository. The repository (github.com / Yashraj00700 / drishti) is private through the P10 review and will be published — code, policies, and migration history intact — after the open-source review completes. We say so honestly because the trust signal is the openness, not the badge.
