Security Policy

Effective: 1 April 2026
Governing law: India
Entity: Askflow Private Limited

This Security Policy summarises the controls AskBooks has in place to protect customer data. For deeper technical detail visit our Trust Center, or request our SOC 2 (planned) report and ISO 27001 certificate.

1. Certifications & attestations

  • ISO 27001 (planned) — Information Security Management.
  • SOC 2 (planned) — Security, Availability, Confidentiality (annual).
  • DPDPA-compliant Data Fiduciary practices — independently assessed.
  • GST-integrated (GST Suvidha Provider).
  • RBI Account Aggregator-ready integrations.

2. Data protection

  • Encryption in transit: TLS 1.3 with HSTS preload, modern cipher suites only.
  • Encryption at rest: AES-256-GCM via AWS KMS-managed keys; per-tenant key envelopes.
  • Backups: encrypted daily snapshots retained for 35 days; quarterly restore tests.
  • Data residency: customer content stored only in India (Mumbai/Hyderabad).

3. Identity & access

  • JWT RS256 short-lived access tokens (15 min) + refresh tokens (30 days).
  • Argon2id password hashing with per-user salt.
  • Mandatory TOTP MFA for super-admin and admin roles.
  • Granular RBAC: super_admin > admin > accountant > manager > employee > viewer.
  • SSO via SAML 2.0 / OIDC for Enterprise customers.
  • Session blacklist in Redis; logout immediately invalidates tokens.

4. Application security

  • Multi-tenant isolation enforced at every database query (tenant_id in JWT and predicate).
  • Zod schema validation on every API endpoint — no unchecked input reaches handlers.
  • Rate limiting per IP and per token; abuse-pattern detection.
  • Output encoding & CSP to prevent XSS; CSRF tokens on state-changing requests.
  • Dependency scanning (Snyk + GitHub Dependabot) on every PR.
  • Static analysis (SonarCloud) with hard-fail on critical findings.

5. Infrastructure

  • AWS India regions; isolated VPCs; private subnets for databases.
  • Cloudflare WAF + DDoS protection; bot management on auth and signup endpoints.
  • Hardened OS images; no SSH on production hosts (Session Manager only).
  • Infrastructure-as-Code (Terraform) — every change reviewed and audited.
  • Patch SLAs: critical 24 h, high 7 d, medium 30 d.

6. Monitoring & response

  • 24×7 SOC; SIEM with anomaly detection and alerting.
  • Documented incident response plan; on-call rotation with 15-min ack SLA.
  • Customer notification within 72 h of a confirmed incident, per DPDPA.
  • Quarterly tabletop exercises; annual third-party red team.

7. People & operations

  • Background checks on all employees with production access.
  • Mandatory security training on onboarding and annually.
  • Principle of least privilege; just-in-time access via Teleport with approval workflow.
  • BYOD prohibited for production access; managed devices with FDE only.

8. Vulnerability management

We run a public Responsible Disclosure programme — see policy and rewards. Penetration tests are conducted by CERT-In empanelled vendors twice yearly.

9. Subprocessors

Listed in our Data Processing Agreement. Customers receive 30 days’ notice of new subprocessors with right to object.

10. Reporting concerns

For security questions, audit requests, or evidence requests: security@askbooks.in.
To report a vulnerability: use the responsible disclosure programme.

Questions? Email legal@askbooks.in or write to Askflow Private Limited, Bengaluru, Karnataka 560034.