Security & Compliance

Boring on the outside. Serious on the inside.

Your data runs your business. We treat it like a vault: access-scoped, fully logged, and hosted in India.

Posture last reviewed

Passwords & transport

Passwords are hashed with bcrypt and never stored in plain text. Traffic is served over HTTPS, and sessions can be revoked server-side.

Strict tenant isolation

Every query is scoped to your builderId at the middleware layer. Super-admins can cross tenants only with explicit impersonation that lands in your audit log.

Audit-grade trail

Every mutation lands in a time-series audit log. If a primary write blips, the doc is preserved in a dead-letter collection for replay — never silently dropped.

Data residency in India

Your production data is hosted in an Indian region. We do not copy your data out of India.

Controls in place

The full security checklist.

No security-theatre. These are the actual controls our auth, API, and data layers ship with.

Authentication & sessions

bcrypt password hashing (cost 12, configurable) — passwords are never reversible

JWT with 1-day default expiry, server-side tokenVersion for revocation

Account lockout after 5 failed attempts within a 15-minute window

Force-password-reset workflow generates a one-time temp password

Authorization

Role-based access (admin / manager / member) at the tenant level

Super-admin separate from tenant admin; cross-tenant actions are explicit

Per-tenant module gating — disabled modules return 403 with an explicit code

Read-only impersonation by default; rw-impersonation is opt-in and logged

Network & application security

Helmet-managed CSP (default-src none on the JSON API)

CORS allowlist + Origin/Referer guard on write methods

IP-keyed + per-tenant rate limits (plan-aware quotas)

CSV exports rate-limited separately to prevent abuse

Observability

Structured JSON logs (pino) with sensitive-field redaction

Per-request X-Request-Id for correlation across services

Prometheus metrics: HTTP latency, error rates, DB query duration

Slow-query log with configurable threshold

Data lifecycle

Soft-delete on the ledger (reversal links, never hard-deleted)

Append-only audit log retained per India's record-keeping requirements

Export everything to CSV at any time — your data is yours

On account closure, your data is yours to keep; deletion is on request

How a request flows

Every request, end to end.

Encrypted in transit, authenticated, scoped to your tenant, and stored in India — the path every action takes.

Builder

Browser / mobile

HTTPS / TLS

Encrypted transport

API

Auth · rate limits

Tenant scope

Scoped by builderId

Database

Per-tenant records

Backups

Encrypted · in India

Compliance posture

How we handle your data.

You own your data

You remain the owner of your data — we only process it to run the product for you. Export everything to CSV any time; a DPA is available on request.

GST-ready invoicing

Invoices carry a valid GSTIN, and your bills can be configured to print your GSTIN on every document.

Hosted in India

Your production data is hosted in an Indian region, so it stays under Indian jurisdiction.

Live today

DPDP Act 2023 alignment

GST-compliant invoicing

Audit-grade activity trail

Data residency in India

On the roadmap

SOC 2 (Type II)

ISO/IEC 27001

Planned, not yet certified. We'll say so here the day that changes — no badges we haven't earned.

Common questions

Security, answered plainly.

The questions builders ask before they trust us with their numbers.

Your production data is hosted in an Indian region, and we never copy it out of India.

Still have questions? Contact our security team →

Need documentation?

Reviewing us for procurement? Request our security pack — sent to enterprise prospects on request:

Security overview

Architecture summary

DPDP alignment summary

DPA template

Request the security pack