Last updated: 1 March 2026
Security Policy
Our security programme, controls, and incident response procedures.
1. Our Security Commitment
DPDPA Shield implements technical and organisational security measures in accordance with DPDPA 2023 S.8(5) and Rule 6 of the Rules. As a platform whose core purpose is to help Indian businesses comply with data protection law, we hold ourselves to a high standard.
We treat security as a product requirement, not an afterthought. Every component of DPDPA Shield is designed with the assumption that customer data is sensitive and that breaches must be detected, contained, and reported.
2. Infrastructure Security
- Frontend hosting (Vercel): Global CDN, automatic HTTPS, DDoS protection, environment variable isolation.
- API hosting (Render): Isolated compute environment, automatic TLS, Singapore region for low-latency access to Indian users.
- Database (Supabase / PostgreSQL): Encrypted at rest, connection pooling via PgBouncer, restricted network access, daily automated backups.
- File storage (Cloudflare R2): Encrypted at rest, private bucket (no public access), signed URL access only, write-once proof vault for consent receipts.
- Cache (Upstash Redis): TLS-encrypted connections, no sensitive PII stored in cache, short TTLs.
- All data in transit: TLS 1.2 or higher required for all connections.
3. Application Security
- Authentication: JWT-based, with 15-minute access tokens and 7-day refresh tokens with rotation. Tokens are stored in localStorage rather than cookies, so the browser never attaches them to requests automatically and CSRF does not apply; the trade-off is that any script running on the page can read them, so XSS defences are what protect the tokens.
- Authorisation: Role-based access control (Admin, DPO, Viewer, Super Admin) enforced at every API endpoint. Tenant isolation enforced at application level — every query is scoped to the authenticated tenant.
- API security: Rate limiting, CORS restricted to known origins, input validation on all endpoints using Zod schemas, HMAC-SHA256 signature verification for webhooks.
- Password security: bcrypt with a cost factor of 12. Passwords are never stored in plaintext or reversibly encrypted.
- OTP security: 6-digit OTPs, 10-minute expiry, maximum 3 attempts, bcrypt-hashed before storage.
- Proof integrity: Consent receipts and closure PDFs are stored together with their SHA-256 hashes so that later tampering can be detected. The proof vault is write-once: no deletion API is exposed.
4. Access Controls
- Principle of least privilege — team members access only data scoped to their tenant and role
- Cross-tenant data access is prevented by design: every query is scoped to the authenticated tenant, so one tenant's users cannot reach another tenant's data
- Super-admin access restricted to authorised DPDPA Shield personnel only
- Audit logs for all privileged operations are append-only: database-level triggers block UPDATE and DELETE, so existing entries cannot be altered or removed
5. Incident Response
In the event of a security incident or personal data breach:
- Detect: Monitoring alerts triggered by anomalous access patterns, error rates, or security events
- Triage and contain: Within 2 hours of detection — isolate affected systems, revoke compromised credentials, preserve evidence
- Notify the Data Protection Board: Within 72 hours of becoming aware, per DPDPA S.8(6) and Rule 7 of the Rules
- Notify affected Customers: Within 24 hours of discovering a breach affecting Customer data per our DPA
- Notify affected Data Principals: Without undue delay, per DPDPA S.8(6)
- Post-incident review: Root cause analysis, remediation, and process improvements documented
6. Vulnerability Management
- Automated dependency monitoring with vulnerability alerts
- Critical CVEs patched within 7 days of public disclosure
- Security review of major architectural changes before deployment
- Annual security review of the full platform
7. Responsible Disclosure
We operate a responsible disclosure programme for security researchers. If you have found a vulnerability, please see our Responsible Disclosure Policy.
8. Contact
Security issues: hello@dpdpashield.in — subject “Security”
We acknowledge security reports within 2 business days.