In transit
All traffic to Apna Invoice is encrypted over TLS 1.2+ with HSTS. HTTP is redirected to HTTPS. We use modern cipher suites and disable known-weak primitives.
At rest
Database volumes and backups are encrypted with AES-256. Passwords are hashed with bcrypt. Uploaded files (e.g. business logos) are stored on encrypted object storage.
Data residency
Primary and backup data for Apna Invoice is stored on servers located in India. We do not replicate your business records outside the country.
Access controls
- Production access is limited to a named set of engineers.
- Access requires SSO with hardware-backed MFA.
- All privileged actions are logged and reviewed.
Application security
- CSRF protection on all state-changing requests.
- Content Security Policy and secure cookie flags.
- Parameterised queries and ORM-level protection against SQL injection.
- Dependency scanning on every build; critical vulnerabilities patched within 7 days.
Backups & recovery
Automated daily backups with 30-day retention. Restore drills are performed quarterly. Target RPO: 24h, target RTO: 4h for a region-level incident.
Payments
When paid plans launch, payments will be processed by PCI-DSS Level 1 certified providers. We do not store card numbers on our servers.
Responsible disclosure
If you believe you've found a security issue, please report it to security@datasoft.example. We commit to:
- Acknowledging receipt within 2 business days.
- Keeping you informed as we investigate.
- Not pursuing legal action for good-faith research that follows this policy.
Please do not publicly disclose the issue until we've had a chance to remediate (typically 90 days).
Status & incidents
In the event of a material security incident affecting your data, we will notify affected users within 72 hours, consistent with the DPDP Act.