Security is not a feature — it is the foundation. Learn how we protect your data, infrastructure, and AI agents.
All data encrypted with AES-256-GCM. Database uses Transparent Data Encryption (TDE). Keys managed via environment variables, never committed to source control.
TLS 1.3 for all API traffic. HSTS with preload. Certificate pinning for SDK communications. No unencrypted HTTP allowed in production.
API keys, JWT secrets, and database credentials stored as Render environment variables. No secrets in Docker images. No secrets in client-side bundles.
Backend services communicate via private Redis channels. Database not exposed to public internet. Webhook endpoints verify signatures (HMAC-SHA256) before processing.

| Standard | Status | Coverage |
|---|---|---|
| SOC 2 Type 1 | In Progress | Planned Q3 2026 |
| ISO 27001 | In Progress | Planned Q4 2026 |
| PCI DSS v4.0.1 | Controls Implemented | 47 controls mapped |
| GDPR | Compliant | Privacy by design, DPA available |
| India DPDP Act | Compliant | Consent management, data localization |
| OWASP Top 10 | Automated Testing | API + LLM variants |

Stored: endpoint metadata (paths, methods, auth types), cost data, scan findings, user profiles. No request/response bodies are stored.
Default: India (Bengaluru). Enterprise: Choose US-East, EU-West, or APAC-Singapore. Self-hosted: Your infrastructure.
Free: 30 days. Pro: 1 year. Enterprise: Custom (up to 7 years). Automated deletion on expiry. Export before deletion.
Report security issues to security@rakshex.in. We follow responsible disclosure with a 90-day fix commitment.
Last external pentest: Scheduled Q3 2026 (pending vendor selection)
Internal red team: Continuous. 87-payload adversarial testing library run weekly against staging.
Bug bounty: Planned launch Q4 2026 on HackerOne.
CI security: Every PR scanned for secrets, vulnerabilities, and dependency CVEs before merge.