1. Infrastructure
The production service runs on Railway for application hosting and background workers, with persistent storage on a managed Supabase Postgres instance plus Supabase Storage for source PDFs. Both are configured to host data in an Indian region; no production customer data is routed outside of India.
We use infrastructure-as-code for all production resources. Every change to production passes through code review, an automated build, and an approval gate.
2. Encryption
- In transit — TLS 1.3 only. HSTS enforced. Insecure cipher suites disabled. All inbound and outbound traffic to and from the service is encrypted end-to-end.
- At rest — AES-256 across the Postgres instance, object storage, and backups. Keys are managed by the underlying provider with strict rotation policies.
- Secrets — application secrets, SAP credentials, and integration keys are stored in a hardened vault, injected at runtime, never written to logs, and never committed to source control.
3. Access control
The application enforces role-based access control with four tiers, each with a distinct set of permissions:
- Admin — full configuration, user management, integration setup, and all data access.
- Finance — claim management, RODTEP/Drawback/IGST workflows, financial reports, and SAP push.
- Operations — document upload, field validation, and shipment-level views.
- Viewer — read-only access to dashboards and documents, with no edit or push capability.
Row-level security is enforced at the database layer on every customer-facing table. Even if an application-layer bug attempts to access the wrong tenant's data, the database itself refuses the query.
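As an added illustration of the row-level security pattern described above (example SQL written for this page, not the product's own schema), the following Postgres script isolates tenants at the database layer. The table, column and session-setting names (shipments, org_id, app.org_id) are assumptions; a Supabase deployment would more typically derive the tenant from JWT claims via auth.uid() or auth.jwt() instead of a session setting.

```sql
-- Assumed table: one customer-facing table keyed by tenant (org_id).
create table shipments (
    id            bigserial primary key,
    org_id        uuid not null,
    shipping_bill text not null,
    status        text not null default 'open'
);

-- Constructed sample data: one row for each of two tenants.
insert into shipments (org_id, shipping_bill) values
    ('11111111-1111-1111-1111-111111111111', 'SB-1001'),
    ('22222222-2222-2222-2222-222222222222', 'SB-2001');

-- Switch RLS on. FORCE applies the policy to the table owner as well,
-- so a misconfigured service account is not silently exempt.
-- (Superusers and roles with BYPASSRLS still bypass RLS: the application
-- must never connect as one of those.)
alter table shipments enable row level security;
alter table shipments force row level security;

-- The tenant for the current transaction comes from a session setting
-- (assumption: 'app.org_id') that the application sets right after
-- authenticating the request. If it is unset, current_setting returns
-- NULL, the comparison is never true, and the connection sees nothing.
create policy shipments_tenant_isolation on shipments
    for all
    using      (org_id = current_setting('app.org_id', true)::uuid)
    with check (org_id = current_setting('app.org_id', true)::uuid);

-- Simulate one request handled on behalf of tenant A.
begin;
select set_config('app.org_id', '11111111-1111-1111-1111-111111111111', true);

-- An application query that forgot its "where org_id = ..." clause
-- is still limited to tenant A's rows by the USING clause.
select shipping_bill, status from shipments;

-- An update aimed at tenant B's row matches nothing: the row is
-- invisible to this transaction, so zero rows are affected.
update shipments set status = 'claimed' where shipping_bill = 'SB-2001';
commit;

-- A write that tries to plant a row under another tenant is refused by
-- the WITH CHECK clause (the statement fails with an RLS violation):
-- insert into shipments (org_id, shipping_bill)
-- values ('22222222-2222-2222-2222-222222222222', 'SB-2002');
```

The USING clause filters what a transaction can read, update or delete, and the WITH CHECK clause refuses inserts and updates that would produce a row outside the caller's tenant; together they make the tenant boundary independent of whether every application query remembers to filter by org_id.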
4. Audit trail
Every meaningful action — viewing a document, editing a field, pushing to SAP, raising or settling a claim, granting access — is recorded in an immutable audit log with the actor, timestamp, scope, and field-level diff where applicable. Customer administrators can export the audit trail for any period for statutory or internal review.
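The following Postgres script is an added example of how an append-only audit log with a field-level diff can be produced inside the database, as described above; it is illustrative and not the product's own implementation. The shipments table, the audit_log layout and the app.actor session setting are assumptions.

```sql
-- Assumed audited table (minimal version for this example).
create table shipments (
    id            bigserial primary key,
    org_id        uuid not null,
    shipping_bill text not null,
    status        text not null default 'open'
);

-- One audit row per change: actor, time, scope (tenant + table + row),
-- the action, and only the columns whose values actually changed.
create table audit_log (
    id          bigserial primary key,
    occurred_at timestamptz not null default now(),
    actor       text not null,
    org_id      uuid,
    table_name  text not null,
    row_id      bigint not null,
    action      text not null,   -- INSERT, UPDATE or DELETE
    changed     jsonb not null   -- {"column": {"old": ..., "new": ...}, ...}
);

-- Immutability: any UPDATE, DELETE or TRUNCATE against the log is refused,
-- regardless of which application role issues it.
create or replace function audit_log_block_changes() returns trigger
language plpgsql as $$
begin
    raise exception 'audit_log is append-only';
end $$;

create trigger audit_log_immutable
    before update or delete or truncate on audit_log
    for each statement execute function audit_log_block_changes();

-- Row trigger: compute the diff between OLD and NEW and append it.
create or replace function audit_row_change() returns trigger
language plpgsql as $$
declare
    old_j jsonb := case when tg_op = 'INSERT' then '{}'::jsonb else to_jsonb(old) end;
    new_j jsonb := case when tg_op = 'DELETE' then '{}'::jsonb else to_jsonb(new) end;
    diff  jsonb;
begin
    -- Keep only keys whose value differs (IS DISTINCT FROM treats a
    -- missing key and a JSON null consistently).
    select coalesce(jsonb_object_agg(k, jsonb_build_object('old', old_j -> k,
                                                           'new', new_j -> k)),
                    '{}'::jsonb)
      into diff
      from (select jsonb_object_keys(old_j || new_j) as k) keys
     where old_j -> k is distinct from new_j -> k;

    insert into audit_log (actor, org_id, table_name, row_id, action, changed)
    values (
        -- Actor set by the application per request (assumption: 'app.actor');
        -- falls back to the database session user if it is missing.
        coalesce(current_setting('app.actor', true), session_user),
        coalesce(new_j ->> 'org_id', old_j ->> 'org_id')::uuid,
        tg_table_name,
        coalesce(new_j ->> 'id', old_j ->> 'id')::bigint,
        tg_op,
        diff
    );
    return null;  -- AFTER trigger: the return value is ignored
end $$;

create trigger shipments_audit
    after insert or update or delete on shipments
    for each row execute function audit_row_change();

-- Constructed sample activity: one request by a finance user that creates
-- a shipment and then settles it.
begin;
select set_config('app.actor', 'finance.user@example.com', true);
insert into shipments (org_id, shipping_bill)
values ('11111111-1111-1111-1111-111111111111', 'SB-1001');
update shipments set status = 'claimed' where shipping_bill = 'SB-1001';
commit;

-- Review the trail: the UPDATE entry carries the status change only,
-- not the columns that were left untouched.
select occurred_at, actor, action, row_id, changed from audit_log order by id;

-- Rewriting history is refused by the guard trigger:
-- update audit_log set actor = 'someone.else' where id = 1;
```

Because the log is written by a trigger in the same transaction as the change, an action and its audit entry either both commit or both roll back, and the guard trigger means that even a role with write access to the application tables cannot edit or prune the trail. Exporting a period for review is then a plain range query on occurred_at.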
5. Backups and disaster recovery
We take daily encrypted backups of the Postgres database and object storage, retained for 30 days within the same Indian jurisdiction. Backups are tested by point-in-time restore at least quarterly.
Our target Recovery Point Objective (RPO) is 24 hours and our target Recovery Time Objective (RTO) is 4 hours for full restoration of service after a major incident.
6. Authentication
The application supports single sign-on via SAML and OIDC for enterprise identity providers, and offers multi-factor authentication (MFA) for all user roles. MFA is mandatory for the Admin role. Sessions are time-bounded; idle timeout and absolute session lifetime are configurable per organisation.
7. Responsible disclosure
If you believe you have found a security issue, please report it to us at security@virtuaize.com. Please give us a reasonable window to investigate and remediate before public disclosure. We do not pursue legal action against researchers acting in good faith under this policy.