Boring on the outside. Serious on the inside.
Your data runs your business. We treat it like a vault: access-scoped, fully logged, and hosted in India.
Passwords & transport
Passwords are hashed with bcrypt and never stored in plain text. Traffic is served over HTTPS, and sessions can be revoked server-side.
Strict tenant isolation
Every query is scoped to your builderId at the middleware layer. Super-admins can cross tenants only with explicit impersonation that lands in your audit log.
Audit-grade trail
Every mutation lands in a time-series audit log. If a primary write blips, the doc is preserved in a dead-letter collection for replay — never silently dropped.
Data residency in India
Your production data is hosted in an Indian region. We do not copy your data out of India.
Controls in place
The full security checklist.
No security-theatre. These are the actual controls our auth, API, and data layers ship with.
Authentication & sessions
bcrypt password hashing (cost 12, configurable) — passwords are never reversible
JWT with 1-day default expiry, server-side tokenVersion for revocation
Account lockout after 5 failed attempts within a 15-minute window
Force-password-reset workflow generates a one-time temp password
Authorization
Role-based access (admin / manager / member) at the tenant level
Super-admin separate from tenant admin; cross-tenant actions are explicit
Per-tenant module gating — disabled modules return 403 with an explicit code
Read-only impersonation by default; rw-impersonation is opt-in and logged
Network & application security
Helmet-managed CSP (default-src none on the JSON API)
CORS allowlist + Origin/Referer guard on write methods
IP-keyed + per-tenant rate limits (plan-aware quotas)
CSV exports rate-limited separately to prevent abuse
Observability
Structured JSON logs (pino) with sensitive-field redaction
Per-request X-Request-Id for correlation across services
Prometheus metrics: HTTP latency, error rates, DB query duration
Slow-query log with configurable threshold
Data lifecycle
Soft-delete on the ledger (reversal links, never hard-deleted)
Append-only audit log retained per India's record-keeping requirements
Export everything to CSV at any time — your data is yours
On account closure, your data is yours to keep; deletion is on request
How a request flows
Every request, end to end.
Encrypted in transit, authenticated, scoped to your tenant, and stored in India — the path every action takes.
Builder
Browser / mobile
HTTPS / TLS
Encrypted transport
API
Auth · rate limits
Tenant scope
Scoped by builderId
Database
Per-tenant records
Backups
Encrypted · in India
Compliance posture
How we handle your data.
You own your data
You remain the owner of your data — we only process it to run the product for you. Export everything to CSV any time; a DPA is available on request.
GST-ready invoicing
Invoices carry a valid GSTIN, and your bills can be configured to print your GSTIN on every document.
Hosted in India
Your production data is hosted in an Indian region, so it stays under Indian jurisdiction.
Live today
DPDP Act 2023 alignment
GST-compliant invoicing
Audit-grade activity trail
Data residency in India
On the roadmap
SOC 2 (Type II)
ISO/IEC 27001
Planned, not yet certified. We'll say so here the day that changes — no badges we haven't earned.
Common questions
Security, answered plainly.
The questions builders ask before they trust us with their numbers.
Your production data is hosted in an Indian region, and we never copy it out of India.
Still have questions? Contact our security team →
Need documentation?
Reviewing us for procurement? Request our security pack — sent to enterprise prospects on request:
Security overview
Architecture summary
DPDP alignment summary
DPA template