Evidence & Verification
Proof & Track Record
Every number TCSA publishes — 500+ audits, 250+ SOC 2 attestations, zero first-time audit failures, our ratings — is explained and sourced on this one page. For each claim you will find what it counts, where the figure comes from, and how to check it without taking our word for anything.
Last reviewed: June 2026|Figures reflect internal engagement records and public review platforms as of June 2026
Section 1
The numbers, explained
Headline statistics are easy to publish and hard to check. So we apply the standard we hold clients to in audit work: a claim is only as good as what it counts and the record behind it. Here is each number we use, defined.
| Claim | What it counts | Source / verification |
|---|---|---|
| 500+ audits to date | Completed audit, certification, and compliance engagements across all frameworks — ISO 27001, SOC 2, SOC 1, VAPT, DPDP, and others — for clients in fintech, SaaS, logistics and cargo, staffing, go-to-market (GTM) and sales-tech, healthtech, and AI. | Internal engagement records to date. Client references available on request, subject to each client’s confidentiality consent. |
| 250+ SOC 2 attestations supported | SOC 2 readiness and attestation programs TCSA has supported, from gap assessment through to the issued report. | Engagement records. Final SOC 2 reports are issued by independent CPA firms, not by TCSA — our count is the programs we prepared and supported. |
| 100+ SOC 1 reports delivered | SOC 1 (SSAE 18 / ISAE 3402) attestation programs supported for service organizations whose controls affect client financial reporting — common for fintech, payroll, staffing, and logistics platforms. | Engagement records. Final SOC 1 reports are issued by independent CPA firms; our count is the programs we prepared and supported. |
| Zero first-time audit failures | Certification and attestation outcomes for engagements TCSA has prepared and supported: no client has failed a certification or attestation audit on the first attempt. | Certification and attestation outcomes across engagements to date. This is a record of results so far, not a guarantee of future outcomes. |
| 5 countries | Client headquarters locations across engagements — India, USA, UK, Australia and UAE. | Engagement records to date. |
One scope note: where an engagement requires CERT-In empanelment, that portion is delivered with CERT-In empanelled partners — we state that plainly rather than implying an empanelment we do not hold.
Section 2
Independent ratings
A single rating is easy to cherry-pick, so we triangulate three sources and label what each one actually measures. They are different instruments: public client reviews, employee reviews, and our own engagement-close feedback.
| Source | What it measures | Rating | Sample |
|---|---|---|---|
| Google Business Profile | Public client reviews of TCSA, posted by reviewers on their own Google accounts. Fully public — readable without contacting us. | 5.0★ | Public reviews; check the profile directly. |
| AmbitionBox | Employee reviews of TCSA as a workplace — a signal of how the firm treats its own people, not client feedback. | 5.0 / 5 | 3 reviews — a small sample, and we say so. |
| Client engagement feedback (internal) | Post-engagement feedback collected by TCSA at the close of engagements. Collected by us, not independently audited — labeled accordingly wherever it appears. | 4.9 / 5 | 150 responses. |
Check them yourself: the Google Business Profile and AmbitionBox pages are public — search “Tranquility Cybersecurity” on either platform and read every review directly. The 4.9/5 figure used across this site is the third row: based on client engagement feedback collected by TCSA across 150 responses, and labeled as internal wherever it appears.
Section 3
What clients say
The quotes below are from TCSA's public Google reviews, reproduced verbatim — including reviewer names exactly as posted — and grouped by the service each review describes. Every one of them can be found on our Google Business Profile.
“Got our ISO 27001 and SOC 2 done, and we breezed through the audit.”
“SOC 2 Services were excellent”
“Got our ISO 42001 Certification done with Tranquility, Smooth Experience”
“Great VAPT service with a highly professional and knowledgeable team and strong focus on manual testing. The team went beyond automated scans to uncover deeper, real-world vulnerabilities that tools often miss.”
“We reached out to TCSA for help with DPDP compliance, and they made the whole process feel much easier. Their guidance was clear, practical, and easy for our team to follow.”
“Had a great experience with TCSA! The team is knowledgeable, supportive…”
Section 4
The auditors behind the work
Numbers describe volume; these are the people accountable for it. Every TCSA engagement is led by one of the named auditors below — not routed to an anonymous pooled team — and each credential listed is one you can challenge us on.
| Name | Role | Credentials | Profile |
|---|---|---|---|
| Surendra Pal Singh | CISO & DPO | CISA · MCSE · ITIL · ISO 27001, 27701 & 42001 Lead Auditor | |
| Parth Chauhan | Lead Auditor | ISO 27001, 27701 & 42001 Lead Auditor · CEH · BE, BITS Pilani | — |
| Saundhi Chauhan | Lead Auditor | ISO 27001 & 27701 Lead Auditor |
Section 5
Anonymized engagements
Audit work is performed under NDAs, so the engagement write-ups below are anonymized for client confidentiality: real engagements, with industry, frameworks, and outcomes — but no client names. Where clients wanted to speak publicly, they did so in the Google reviews above, under their own names.
Anonymized case study
Healthcare SaaS — HIPAA + SOC 2
A healthcare SaaS company achieving HIPAA compliance and a SOC 2 attestation in a single coordinated program.
Read the engagementAnonymized case study
Fintech — ISO 27001 + RBI + DPDP
A fintech aligning ISO 27001 certification with RBI regulatory expectations and DPDP obligations.
Read the engagementAll published engagement examples live at tcsa.in/case-studies.
Section 6
Verify us
We tell prospective clients to verify every vendor they shortlist, including us. Three ways to do that, none of which require taking this page at its word:
- 1. Ask for references on a callDuring your scoping call, ask to speak with past clients — we arrange reference conversations, matched to your industry or framework where possible, subject to each client’s confidentiality consent.
- 2. Check the reviews yourselfOur Google Business Profile and AmbitionBox pages are public. Read every review, including any critical ones, without ever talking to us.
- 3. Meet the named auditor before signingAsk to meet the lead auditor who will actually run your engagement — not a salesperson — and check their credentials against the table on this page and their LinkedIn profiles.
Tranquility Cybersecurity (TCSA) —
- Gurugram (HQ): 7th Floor, Welldone Tech Park, Sector 48, Gurugram 122018
- Bengaluru: Mangalam Ecstasy, Hosabasavanapura, Bengaluru 560049
- info@tcsa.in
- +91 98715 79705
Both offices are real, staffed locations — you are welcome to visit either before engaging us. Nothing on this page is published that you cannot check from the outside.
Proof & Verification FAQs
Direct answers about how TCSA's numbers are produced — and how to check them yourself.
Why should I trust these numbers?
You should not have to trust them — that is the point of this page. Every figure is mapped to exactly what it counts and where it comes from: 500+ audits and clients in India, USA, UK, Australia and UAE trace to internal engagement records to date, the SOC 2 count to readiness and attestation programs supported, and zero first-time audit failures to certification and attestation outcomes across engagements to date. The ratings can be checked directly on Google and AmbitionBox without contacting us, and client references can be arranged on request. Anything we cannot source the same way, we do not publish.
Can I speak to past clients as references?
Yes. Ask during your scoping call and we will arrange reference conversations with past clients, matched to your industry or framework where possible. Each reference requires the client’s confidentiality consent, which is also why we arrange them on request rather than publishing a contact list.
Why are your clients anonymized?
Security and compliance work is performed under NDAs, and most clients do not want their audit history, control gaps, or compliance timelines made public. So the engagement examples on this site are anonymized — industry, frameworks, and outcome, but no names — and the only named feedback we publish is what clients chose to post publicly themselves on Google, reproduced verbatim with attribution.
Who actually performs my audit?
A named lead auditor from the table on this page — Surendra Pal Singh (CISA; ISO 27001, 27701, and 42001 Lead Auditor), Parth Chauhan (ISO 27001/27701/42001 Lead Auditor, CEH), or Saundhi Chauhan (ISO 27001/27701 Lead Auditor) — not an anonymous pooled team. You can meet your lead auditor before signing anything, and verify their credentials on LinkedIn first. Where a scope requires CERT-In empanelment, that portion is delivered with CERT-In empanelled partners, and we say so up front.
