Security

Bank-grade security for your business data

Your financial data is sensitive. We treat it that way — and comply with all applicable Indian data protection and security laws.

Encryption at rest

All data stored in our PostgreSQL database is encrypted using AES-256, meeting the security standards prescribed under Rule 8 of the IT (SPDI) Rules, 2011. OAuth tokens are stored encrypted and never logged in plaintext.

Encryption in transit

All data between your browser and our servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints with HSTS enabled.
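The "HSTS enabled" claim above is only as good as the header the deployment actually sends. The following is an added example, not BizPulse code, showing how to check a captured Strict-Transport-Security header against the one-year max-age the site's checklist promises. The header values below are constructed for the demo; the `ONE_YEAR` threshold (31,536,000 seconds) is the standard one-year figure.

```javascript
// Added example (not BizPulse code): validate a Strict-Transport-Security
// header against a one-year max-age policy using only built-in JavaScript.
const ONE_YEAR = 31536000; // seconds in 365 days

// Parse the header into its directives. Unknown directives are ignored,
// as the HSTS spec requires of browsers.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [k, v] = directive.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "max-age") {
      // max-age must be a non-negative integer; quotes are permitted by the spec.
      const digits = (v || "").replace(/^"|"$/g, "");
      if (/^\d+$/.test(digits)) out.maxAge = Number(digits);
    } else if (key === "includesubdomains") {
      out.includeSubDomains = true;
    } else if (key === "preload") {
      out.preload = true;
    }
  }
  return out;
}

// headers: lowercase header-name -> value, the shape Node's http module returns.
// Fails only on the page's own requirement (one-year max-age); weaker but
// still valid settings are reported as warnings.
function checkHsts(headers) {
  const value = headers["strict-transport-security"];
  if (!value) {
    return { ok: false, problems: ["Strict-Transport-Security header missing"], warnings: [] };
  }
  const parsed = parseHsts(value);
  const problems = [];
  const warnings = [];
  if (parsed.maxAge === null) {
    problems.push("max-age directive missing or not an integer");
  } else if (parsed.maxAge < ONE_YEAR) {
    problems.push(`max-age ${parsed.maxAge} is below one year (${ONE_YEAR})`);
  }
  if (!parsed.includeSubDomains) {
    warnings.push("includeSubDomains not set; subdomains are not covered by the policy");
  }
  return { ok: problems.length === 0, ...parsed, problems, warnings };
}

// Constructed sample responses for the demo.
const SAMPLE_GOOD = { "strict-transport-security": "max-age=31536000; includeSubDomains" };
const SAMPLE_WEAK = { "strict-transport-security": "max-age=300" };
const SAMPLE_NONE = { "content-type": "text/html" };

module.exports = { ONE_YEAR, parseHsts, checkHsts, SAMPLE_GOOD, SAMPLE_WEAK, SAMPLE_NONE };
```

In practice the `headers` object comes from an `https.get` response (`res.headers`) or from a saved `curl -I` capture; the function is kept pure so it can run offline against either.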

Password security

Passwords are hashed using bcrypt with a cost factor of 12. We never store or log plaintext passwords at any point in the system.

Read-only OAuth scopes

When you connect Plaid, QuickBooks, or Stripe, we only request read-only permissions. We can never initiate transactions, move money, or modify your financial accounts.

Session security

Sessions use signed JWTs (JSON Web Tokens) with a secret held on the server. Tokens are invalidated on logout. We support Google OAuth 2.0 as a secure sign-in alternative.

Minimal data access

We only access the data we need to calculate your health score. Financial data fetched from integrations is processed and stored as aggregated signal values — not raw transaction history. This aligns with the data minimisation principle under the DPDP Act 2023.

Infrastructure security

The platform runs on Vercel (SOC 2 Type II certified) with a PostgreSQL database on Supabase. Both have comprehensive security programmes, DDoS protection, and a 99.9% uptime SLA.

Indian regulatory compliance

We comply with the IT Act 2000, IT (SPDI) Rules 2011, and the Digital Personal Data Protection Act 2023. Payment processing is handled exclusively through Razorpay, an RBI-regulated payment aggregator.

Dependency management

We keep all dependencies up to date and run automated security audits. Critical vulnerabilities are patched within 24 hours. We follow CERT-In advisories for disclosure timelines.

Security checklist

HTTPS enforced on all endpoints
HSTS with 1-year max-age
bcrypt password hashing (cost 12)
AES-256 encryption at rest
TLS 1.3 in transit
Read-only OAuth scopes only
JWT session tokens, HttpOnly cookies
No plaintext credential storage
SOC 2 Type II hosting (Vercel + Supabase)
Automated dependency security audits
SQL injection protection via Prisma ORM
CSRF protection via NextAuth
IT (SPDI) Rules 2011 compliant
DPDP Act 2023 compliant
Razorpay (RBI-regulated) payments only
CERT-In advisory monitoring

Responsible disclosure

We take security vulnerabilities seriously. If you discover a security issue in BizPulse AI, please disclose it responsibly by emailing us before making it public. We will acknowledge your report within 24 hours (in line with CERT-In guidelines) and work to resolve the issue promptly.

Report a vulnerability →

Our commitment: We will not pursue legal action against researchers who follow responsible disclosure practices, act in good faith, and do not access or exfiltrate user data beyond what is necessary to demonstrate the vulnerability.

Compliant with IT Act 2000, SPDI Rules 2011, and DPDP Act 2023. Questions? Contact us or email support@bizpulseanalytics.com