Qorium
Security

Trust posture for the people who buy on it.

We build for hiring teams at GCCs, BFSI majors, and IT services giants. Their security review is non-negotiable. Below: the controls in place, the certifications in motion, and the sub-processors that handle your data.

Compliance

Where we stand. No vague claims.

Below: status on the four certifications enterprise buyers ask about. We don't claim what we haven't earned.

DPDPA (India)

Ready

Data Protection rules followed by design

GDPR (EU)

Ready

Data subject rights honored; EU sub-processors flagged

SOC 2 Type II

In progress

Audit window: H2 FY2026

ISO 27001

Roadmap

Targeted FY2027 alongside Series A

Controls

The architecture behind the SLAs.

Authentication

OAuth2 for the admin console (via NextAuth), HMAC-SHA256 signed API keys for machine clients, and JWTs for sessions. Keys are signed per customer; rotation tooling is exposed in the console.

Transport

TLS 1.3 everywhere. HSTS preload. Modern cipher suites only.

Data at rest

PostgreSQL with at-rest encryption. Customer-isolated schemas for Stack-Vault. R2 object storage for exports and watermarked artifacts.

Audit logging

Pino structured logs with 90-day retention. Every API-key call is audit-logged to an immutable trail.

Anti-leak

Continuous crawl plus semantic-similarity matching. Quarterly rotation cadence (a continuous tier is available). Leak alerts delivered via webhook.

Watermarking

A cryptographic per-customer marker is injected into Stack-Vault test cases and problem statements, enabling forensic attribution if a leak crosses a contractual boundary.

Engineering hygiene

Zero-TypeScript-error CI gate. Test coverage ≥80% on changed files. RFC 7807 problem-details error responses. gitleaks in pre-commit and CI. CSP, HSTS and X-Frame-Options headers on every response.

Reproducibility

Every shipped question carries an SME-validation record, an IRT calibration timestamp, and its rotation history, so any decision can be audited back to its source.

Data flow

What enters, where it lives, what leaves.

Customer (browser / SDK)
  ↓ TLS 1.3 + signed API key
Nginx → Express API gateway
  ↓ rate-limit + auth + audit-log
Service layer
  ├── ReadyBank service     ──┐
  ├── JD-Forge service       │
  └── Stack-Vault service    ├── Content engine ─→ Anthropic / OpenAI
                              │                    (system prompt-only;
                              │                     no PII forwarded)
                              ↓
PostgreSQL 16  (per-customer schema for Stack-Vault)
Redis 7        (cache, rate limit, queue)
Cloudflare R2  (export artifacts, watermarked PDFs)

Egress: Resend (email), Razorpay/Stripe (billing),
        Plausible (analytics, no PII).

Sub-processors

Who else touches your data.

Provider        Purpose                       Region
Anthropic       AI generation (primary)       US
OpenAI          AI generation (fallback)      US
Cloudflare R2   Object storage for exports    Global edge
Resend          Transactional email           US/EU
Razorpay        Payments (India)              India
Stripe          Payments (international)      US
Hostinger KVM   Application hosting           Asia

We notify customers in writing 30 days before adding a new sub-processor handling personal data.

Need our DPA or security review pack?

We share full architecture diagrams, sub-processor list, and pen-test summaries under NDA on request.