
Security at SaathiX Billing

Your sales, customers and ledgers run on infrastructure designed with security as a first principle. Here's how we protect your data at every layer of the stack.

Last updated · June 28, 2026

1. The short version

  • AES-256 encryption at rest · TLS 1.3 in transit
  • Hosted on AWS Mumbai (ap-south-1) · data never leaves India
  • Role-based access control with least privilege
  • Daily encrypted backups, 30-day point-in-time recovery
  • Annual VAPT by CERT-In empanelled auditors
  • 24×7 monitoring with PagerDuty escalation

2. Encryption

All data at rest is encrypted with AES-256 using AWS KMS-managed keys. Database backups, snapshots and object storage are each encrypted with separate keys. All API traffic uses TLS 1.3 with modern cipher suites; we score A+ on Qualys SSL Labs and enforce HSTS with preload.

3. Infrastructure

  • Primary region · AWS ap-south-1 (Mumbai), 3 availability zones
  • Edge · Cloudflare with India PoPs in 6 cities
  • Compute · containerised on managed Kubernetes with auto-scaling
  • Database · PostgreSQL 16 with logical replication, daily backups
  • Secrets · AWS Secrets Manager, no secrets in code or env files

4. Access control

Role-based permissions for owner, admin, cashier, inventory manager and accountant · enforced at the database row level via PostgreSQL RLS policies, so a query can only ever return the rows the caller's role is entitled to. Internal engineer access requires hardware security keys (YubiKey), SSO, and just-in-time (JIT) approval that auto-expires. All admin actions are logged immutably.
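To make the row-level enforcement concrete, here is an added example of how PostgreSQL RLS policies can tie rows to the roles named above. It is illustrative, not SaathiX's own schema: the `sales` table, the `app.role` / `app.user_id` / `app.store_id` session settings and the `app_user` database role are assumptions.

```sql
-- Added example (not SaathiX's schema): per-role row access with PostgreSQL RLS.
CREATE TABLE sales (
  id          bigserial PRIMARY KEY,
  store_id    integer NOT NULL,
  cashier_id  integer NOT NULL,
  amount      numeric(12,2) NOT NULL,
  created_at  timestamptz NOT NULL DEFAULT now()
);

-- The application sets the caller's identity per transaction, e.g.
--   SET LOCAL app.role = 'cashier'; SET LOCAL app.user_id = '42'; SET LOCAL app.store_id = '7';
-- current_setting(name, true) returns NULL when the setting is absent, so a request
-- that forgot to set its context matches no policy and sees nothing (fail closed).
CREATE FUNCTION app_role() RETURNS text LANGUAGE sql STABLE AS
  $$ SELECT current_setting('app.role', true) $$;
CREATE FUNCTION app_user_id() RETURNS integer LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.user_id', true), '')::integer $$;
CREATE FUNCTION app_store_id() RETURNS integer LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.store_id', true), '')::integer $$;

-- RLS complements GRANTs; it does not replace them. The app role gets the
-- minimum table privileges and the policies then narrow which rows those apply to.
GRANT SELECT, INSERT ON sales TO app_user;
GRANT USAGE ON SEQUENCE sales_id_seq TO app_user;

ALTER TABLE sales ENABLE ROW LEVEL SECURITY;
ALTER TABLE sales FORCE ROW LEVEL SECURITY;   -- applies to the table owner as well

-- Owners, admins and accountants read every sale in their own store, nothing in other stores.
CREATE POLICY store_readers ON sales
  FOR SELECT
  USING (app_role() IN ('owner', 'admin', 'accountant') AND store_id = app_store_id());

-- Owners and admins may also record sales for their store.
CREATE POLICY store_writers ON sales
  FOR INSERT
  WITH CHECK (app_role() IN ('owner', 'admin') AND store_id = app_store_id());

-- Cashiers see and create only their own rows, and only in their own store.
-- WITH CHECK stops a cashier from inserting a row attributed to someone else.
CREATE POLICY cashier_own_rows ON sales
  FOR ALL
  USING (app_role() = 'cashier' AND cashier_id = app_user_id() AND store_id = app_store_id())
  WITH CHECK (app_role() = 'cashier' AND cashier_id = app_user_id() AND store_id = app_store_id());

-- Quick check of the cashier view; SET LOCAL scopes the context to this transaction.
BEGIN;
SET LOCAL app.role = 'cashier';
SET LOCAL app.user_id = '42';
SET LOCAL app.store_id = '7';
SELECT count(*) FROM sales;   -- counts only cashier 42's rows in store 7
ROLLBACK;
```

Policies in PostgreSQL are permissive by default, so a row is visible if any policy grants it; an accountant has no INSERT policy and is therefore read-only without any extra denial rule. The one thing to verify in review is that every connection path (including background jobs and admin tooling) connects as a role subject to RLS rather than as a superuser, which bypasses it entirely.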

5. Authentication

  • Argon2id password hashing with per-user salt
  • TOTP-based two-factor authentication for owners and admins
  • Google Workspace SSO support
  • Anomaly detection · alerts on logins from a new device or country
  • Session expiry · 12 hours idle, 7 days max

6. Audit logs

Every state-changing action · price edits, refunds, discount overrides, role changes, exports · is captured in an append-only audit log with user, IP address, timestamp and a before/after diff. Logs are retained for 12 months and are exportable from Settings → Audit Trail.
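As an added example of what "append-only" means at the database layer, the following shows one way to build such a log in PostgreSQL: a trigger snapshots each row before and after the change together with the actor, and the table itself rejects updates and deletes. It is not SaathiX's implementation; the `products` table, the `app.user_id` / `app.client_ip` session settings and the `app_user` role are assumptions.

```sql
-- Added example (not SaathiX's schema): an append-only audit log with before/after snapshots.
CREATE TABLE audit_log (
  id         bigserial PRIMARY KEY,
  table_name text NOT NULL,
  row_id     bigint,
  action     text NOT NULL,            -- INSERT, UPDATE or DELETE
  actor      text,                     -- user id set by the application per request
  actor_ip   inet,
  before     jsonb,                    -- row as it was (UPDATE, DELETE)
  after      jsonb,                    -- row as it is now (INSERT, UPDATE)
  at         timestamptz NOT NULL DEFAULT now()
);

-- Privileges: the application may read and append, never rewrite history.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

-- Defence in depth: even a role that somehow holds UPDATE/DELETE is refused by the table itself.
CREATE FUNCTION audit_log_reject_change() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only';
END $$;
CREATE TRIGGER audit_log_immutable
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_reject_change();

-- Generic row-level recorder: stores whole-row JSON snapshots; the diff is derived at export time.
CREATE FUNCTION audit_row() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  INSERT INTO audit_log (table_name, row_id, action, actor, actor_ip, before, after)
  VALUES (
    TG_TABLE_NAME,
    CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
    TG_OP,
    current_setting('app.user_id', true),
    NULLIF(current_setting('app.client_ip', true), '')::inet,
    CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
    CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
  );
  RETURN COALESCE(NEW, OLD);
END $$;

-- Attach it to a table whose edits must be traceable, e.g. product prices.
CREATE TABLE products (
  id    bigserial PRIMARY KEY,
  name  text NOT NULL,
  price numeric(12,2) NOT NULL
);
CREATE TRIGGER products_audit
  AFTER INSERT OR UPDATE OR DELETE ON products
  FOR EACH ROW EXECUTE FUNCTION audit_row();

-- A price edit with the request context set produces one audit row holding both snapshots.
BEGIN;
SET LOCAL app.user_id = '42';
SET LOCAL app.client_ip = '203.0.113.10';   -- constructed documentation address
INSERT INTO products (name, price) VALUES ('Tea 250g', 120.00);
UPDATE products SET price = 135.00 WHERE name = 'Tea 250g';
SELECT action, actor, before ->> 'price' AS old_price, after ->> 'price' AS new_price
FROM audit_log WHERE table_name = 'products' ORDER BY id;
COMMIT;
```

Storing full before/after snapshots rather than a computed diff keeps the log independent of later schema changes and lets the export compute whatever diff format the reader wants. Retention (the page's 12 months) is then a scheduled job run by a separate, privileged role rather than something the application role can do.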

7. Compliance & certifications

  • SOC 2 Type II · audited annually by a Big-4 firm
  • ISO 27001 · certified
  • PCI-DSS · we delegate card storage to a Level 1 partner, so we fall within SAQ A scope
  • DPDP Act 2023 · registered, with an appointed Data Protection Officer
  • CERT-In Annual Information Security Audit · in compliance

8. Incident response

24×7 on-call rotation with a 15-minute acknowledgement SLA. Incidents are triaged on a 4-tier severity scale; SEV-1 customer-impacting incidents are communicated within 1 hour, and a public RCA is published within 5 working days at status.saathix.com.

9. Responsible disclosure

Found a vulnerability? Email security@saathix.com with reproduction steps. We acknowledge within 48 hours, fix critical issues within 7 days and offer bounties of up to ₹1,00,000 under our private bug-bounty programme. Please do not disclose publicly until we confirm a fix.

10. Vendor security

Every sub-processor we use (payments, communications, analytics) is reviewed annually for SOC 2 / ISO 27001 posture and signs a DPA aligned with the DPDP Act. The current list lives at Privacy → Subprocessors.

11. What you should do

  • Turn on 2FA for every owner and admin account
  • Use unique, complex passwords (we recommend a password manager)
  • Give cashiers only the permissions they need
  • Review the audit trail weekly
  • Keep your devices patched and protected with anti-malware

Questions about this policy?

Write to legal@saathix.com or contact our team.