DPDP Act 2023 native · Hosted in Mumbai · ap-south-1
Vault.in

Security architecture, in one page.

Data residency
Supabase project in ap-south-1 (Mumbai). All Postgres tables and Storage buckets reside in India. We do not replicate to any region outside India by default. Face-match (Concierge) is the only feature that involves a cross-border API call (Google Vision); you opt in to it explicitly during onboarding, and we run it on a hashed embedding rather than the source image.
Encryption at rest
Postgres TDE provided by Supabase. Storage buckets encrypted at rest with AES-256. Application-level encryption per user using a derived key (HKDF over a master root key held in our Mumbai HSM, plus per-user salt). Plaintext PII in the database is unavailable to anyone (including us) without the per-user key.
Encryption in transit
TLS 1.3 only. HSTS preload submitted. All API calls inside the platform run on mutual TLS where supported. Outbound calls to breach APIs and SERP providers use connection pinning.
Key management
Root keys in AWS KMS (Mumbai), per-user derived keys never written to disk in plaintext. Quarterly key rotation. Emergency rotation runbook tested twice a year.
Access control
Two-person rule for any production data access. SSO + WebAuthn for engineer access. Per-user encryption means even an engineer with database access cannot read plaintext PII without the user-specific key, which requires the user to be authenticated. The only role with broad read access is the Grievance Officer, exercised on rare occasions in response to a Data Principal's own access request.
Audit logs
Every read of every user record is logged with engineer ID, timestamp, query fingerprint, and reason code. Logs are append-only, shipped to a separate S3 bucket under a different IAM role, and reviewed weekly. Users can request the full audit log of reads on their own data; we send it within seven days.
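An added example, not Vault.in's code, of the read-audit record the Audit logs section describes: every entry carries engineer ID, timestamp, query fingerprint and reason code, the log exposes append and read only, and a per-user export backs the "full audit log of reads on their own data" request. The reason-code set and the query-fingerprint rule (case- and whitespace-insensitive SHA-256) are my assumptions; the hash chain that makes in-place edits detectable is also an addition beyond what the page states, and it cannot detect truncation from the tail, which is what the separate-bucket copy is for.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ReadEvent is one record of an engineer reading a user row.
type ReadEvent struct {
	EngineerID       string
	Timestamp        time.Time
	SubjectUserID    string // whose data was read; drives the user-facing export
	QueryFingerprint string
	ReasonCode       string
	PrevHash         string // hash of the previous entry (chain; assumed, not from the page)
	Hash             string
}

// allowedReasons is a constructed set; the real code list is not on the page.
var allowedReasons = map[string]bool{"support-ticket": true, "dsar": true, "incident": true}

// FingerprintQuery hashes a whitespace- and case-normalised query so the same
// statement always maps to the same fingerprint (assumed normalisation rule).
func FingerprintQuery(q string) string {
	norm := strings.ToLower(strings.Join(strings.Fields(q), " "))
	sum := sha256.Sum256([]byte(norm))
	return hex.EncodeToString(sum[:8])
}

// AuditLog offers Append, Verify and ReadsForUser only: no update, no delete.
type AuditLog struct{ entries []ReadEvent }

func entryHash(e ReadEvent) string {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%s|%s|%s|%s", e.EngineerID, e.Timestamp.Format(time.RFC3339Nano),
		e.SubjectUserID, e.QueryFingerprint, e.ReasonCode, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Append records one read; it refuses entries missing an ID or carrying an
// unknown reason code, since a read without a reason is what review looks for.
func (l *AuditLog) Append(engineer, subject, query, reason string, at time.Time) error {
	if engineer == "" || subject == "" {
		return errors.New("engineer and subject ids are required")
	}
	if !allowedReasons[reason] {
		return fmt.Errorf("unknown reason code %q", reason)
	}
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := ReadEvent{
		EngineerID: engineer, Timestamp: at.UTC(), SubjectUserID: subject,
		QueryFingerprint: FingerprintQuery(query), ReasonCode: reason, PrevHash: prev,
	}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return nil
}

// Verify walks the chain; any edited or removed interior entry breaks it.
func (l *AuditLog) Verify() error {
	prev := ""
	for i, e := range l.entries {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return fmt.Errorf("chain broken at entry %d", i)
		}
		prev = e.Hash
	}
	return nil
}

// ReadsForUser is the export a Data Principal receives on request.
func (l *AuditLog) ReadsForUser(userID string) []ReadEvent {
	var out []ReadEvent
	for _, e := range l.entries {
		if e.SubjectUserID == userID {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	var al AuditLog
	at := time.Date(2024, 3, 1, 10, 0, 0, 0, time.UTC) // constructed timestamps
	al.Append("eng-17", "user-a", "SELECT * FROM users WHERE id = $1", "support-ticket", at)
	al.Append("eng-03", "user-a", "SELECT email FROM users WHERE id = $1", "incident", at.Add(time.Minute))
	for _, e := range al.ReadsForUser("user-a") {
		fmt.Printf("%s %s fp=%s reason=%s\n", e.Timestamp.Format(time.RFC3339), e.EngineerID, e.QueryFingerprint, e.ReasonCode)
	}
	fmt.Println("chain ok:", al.Verify() == nil)
}
```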
Backups
Daily snapshots, retained for thirty days. Weekly full backups, retained for ninety days. Backups encrypted with separate keys. Quarterly restore drills.
Penetration testing
Annual third-party penetration test by a CERT-In empanelled assessor. The most recent report is on file with the Grievance Officer and shared with enterprise customers on request under NDA.
Vendor security
Every subprocessor is documented at /trust/subprocessors. We require SOC 2 Type II or equivalent for any subprocessor that touches PII. Reviews are renewed annually.
Incident response
Detection-to-notification SLA: seventy-two hours, per Rule 7 of the DPDP Rules. Our actual target is twenty-four hours. We have an on-call rotation, a published incident playbook, and a relationship with CERT-In for coordinated reporting.