Bharat's data, on Bharat's substrate, under Bharat's law.
Plain-English summary of how we keep your data and your callers' data safe. For a deeper read, see the security whitepaper PDF below.
Data residency
All data is stored in AWS ap-south-1 (Mumbai). Aurora reader and writer endpoints sit in the same VPC. No cross-region writes. CloudFront POPs in India serve free-tier traffic.
Encryption
TLS 1.3 in transit. AES-256 at rest (Aurora, S3, DDB). KMS-managed keys with annual rotation. Secrets in AWS Secrets Manager; no env-var secrets in any image.
Identity
login-service (RS256 JWTs, 1h TTL, JWKS-published). API keys hashed with bcrypt. RFC 7591 dynamic client registration for agents. OAuth 2.1 client_credentials.
Network
VPC-only ALBs for internal traffic. WAF in front of every public endpoint, with SizeConstraint, IP rate-limit, Bot Control and UA blocklist rules. Geo allowlist for anonymous traffic.
Observability
CloudWatch Logs Insights for every service. Per-tenant audit log in iot-admin. Anti-key-sharing entropy detector runs hourly. Alarms go via SNS to platform-oncall.
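One way an hourly anti-key-sharing check like the one named above can work, as an added example that is not the platform's own code. The page does not say what the entropy is computed over; this example assumes Shannon entropy of source IPs per API key per hour, and the event tuples, thresholds and function names are hypothetical.

```python
import math
from collections import Counter, defaultdict

HOUR = "2025-01-01T10"
# Constructed sample events: (hour bucket, API key id, source IP).
# IPs are from documentation ranges; this is not real traffic.
SAMPLE_EVENTS = (
    [(HOUR, "key_a", "203.0.113.5")] * 10                        # one steady caller
    + [(HOUR, "key_b", f"198.51.100.{i}") for i in range(1, 9)]  # 8 distinct IPs
    + [(HOUR, "key_c", f"192.0.2.{i}") for i in range(1, 4)]     # too few requests
    + [(HOUR, "key_d", ip) for ip in ("203.0.113.7", "203.0.113.8") * 4]
)


def shannon_entropy(counts):
    """Entropy in bits of a Counter of observations."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def flag_shared_keys(events, max_bits=2.0, min_requests=8):
    """Return {(hour, key_id): entropy} for keys whose source-IP spread
    within one hour exceeds max_bits (assumed threshold).

    Keys with fewer than min_requests in the hour are skipped, since
    entropy over a handful of requests is too noisy to act on.
    """
    per_key = defaultdict(Counter)
    for hour, key_id, ip in events:
        per_key[(hour, key_id)][ip] += 1

    flagged = {}
    for bucket, ips in per_key.items():
        if sum(ips.values()) < min_requests:
            continue
        bits = shannon_entropy(ips)
        if bits > max_bits:
            flagged[bucket] = round(bits, 3)
    return flagged


if __name__ == "__main__":
    for (hour, key_id), bits in flag_shared_keys(SAMPLE_EVENTS).items():
        print(f"{hour} {key_id}: {bits} bits of source-IP entropy")
```

Callers behind carrier-grade NAT or a rotating egress pool can legitimately show a high IP spread, so a flag from a check like this is better treated as an alert for review than as grounds for automatic key revocation.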
Compliance
GDPR + DPDP-aligned data export and deletion in iot-admin Console. SOC 2 Type 1 in flight (Q3-2026). Annual third-party penetration test.
Reporting a vulnerability
Email security@gridrock.ai with a clear reproducer. We acknowledge within 24 hours and patch within 7 days for high-severity findings. We participate in coordinated disclosure with a 90-day window.