
Security at Kasratbook.

Your gym's data is what our product runs on. Here's how we keep it safe.

Last updated · April 1, 2026

01 Infrastructure

Kasratbook runs on Amazon Web Services, in the ap-south-1 (Mumbai) region for our India customers and us-east-1 (N. Virginia) for everyone else. Your data stays in its home region unless you explicitly ask us to move it.

Our infrastructure is managed entirely through Terraform: every change is code-reviewed before it is applied, and every apply is logged. AWS WAF sits in front of the application, the application tiers are isolated from each other at the VPC level, and the database layer lives in private subnets with no direct route to the internet.

02 Encryption

All data in transit is encrypted with TLS 1.3. We enforce HSTS and serve a strict Content Security Policy, and we monitor our SSL Labs grade continuously, holding an A+.

All data at rest is encrypted with AES-256 using keys managed in AWS KMS. Database backups, object storage, and logs each use a separate KMS key, and the IAM and key policies on each key restrict which roles can use it and for what.

03 Authentication

Passwords are hashed with Argon2id using parameters that meet the OWASP 2024 Password Storage recommendations. We check every new password against the HaveIBeenPwned Pwned Passwords corpus and reject any that appears in a known breach.

Two-factor authentication is available free to every account, via an authenticator app (TOTP) or WhatsApp. For Enterprise customers, we support SSO through Google Workspace, Okta, and any SAML 2.0 identity provider.

04 Access control

All employee access to production systems goes through an SSO-gated bastion that issues short-lived credentials. No one has standing access to customer data. Support-team members need your explicit permission (granted through an in-app approval flow) before they can impersonate your account to help debug an issue. Every access event is logged and visible to you.

05 Backups and recovery

The database is backed up continuously, with point-in-time recovery to any point in the last 35 days. Daily snapshots are retained for 90 days and replicated to a second region.

We test recovery quarterly by restoring from backup into a staging environment and running the full test suite against the restored copy. Our target RPO is 5 minutes and our target RTO is 1 hour.

06 Compliance

Kasratbook is compliant with India's Digital Personal Data Protection Act (DPDP Act, 2023) and the EU's General Data Protection Regulation (GDPR). We are SOC 2 Type II audited (the report is available under NDA to Enterprise customers).

For customers processing payments, card data is collected and stored by Razorpay, a PCI DSS Level 1 service provider; full card numbers never touch our systems. For customers with European members, we support data residency in the EU.

07 Application security

Every deployment goes through automated static analysis (Semgrep) and dependency scanning (Snyk). We patch critical vulnerabilities within 24 hours of learning of them and non-critical ones within 14 days.

We run an annual external penetration test with a CREST-certified firm and make the executive summary available to Enterprise customers on request.

08 Responsible disclosure

If you've found a security issue, please report it to [email protected]. We acknowledge reports within 24 hours and keep you updated as we investigate. We don't currently run a public bounty program, but we do recognize and reward researchers who report valid issues in good faith.

We ask that you don't publicly disclose an issue until we've had a reasonable chance to fix it, typically 90 days from the initial report.

09 Incident response

If a security incident affects your data, we'll notify you within 72 hours of becoming aware of it, with everything we know at that point, and keep you updated as the investigation progresses. Our incident-response playbook is rehearsed quarterly. Post-mortems for significant incidents are published on our status page.

Questions? Email us at [email protected]. We reply to every message.