Security & Trust

Last updated: April 2026

Security is foundational to AskBooks. This page describes the technical and organisational measures we use to protect your data.

Encryption

  • In transit: TLS 1.3 with strict HSTS preload across all domains.
  • At rest: AES-256-GCM for application data; KMS-managed keys for backups.
  • Secrets: stored in AWS Secrets Manager, never in source control.

Authentication & Access

  • Passwords hashed with Argon2id (memory-hard, side-channel resistant).
  • JSON Web Tokens signed with RS256; rotating signing keys.
  • Optional time-based one-time password (TOTP) multi-factor authentication.
  • Granular role-based access control (super-admin, admin, accountant, manager, employee, viewer).

Audit Logging

Every privileged action is recorded with a tamper-evident hash chain — each log entry is linked to the prior entry's hash, making silent modification detectable. Logs are replicated to write-once storage.
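As an added illustration of the hash chain described above (example code, not AskBooks' own implementation): each record's hash covers the previous record's hash, so editing or deleting an entry breaks the link at that point, and the `anchor` argument stands in for the head hash held in write-once storage, which is what catches an attacker who re-chains every later entry after an edit. The field names, SHA-256 as the hash, and the sample entries are assumptions made for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # constructed sentinel standing in for "no previous entry"


def _digest(body: Dict) -> str:
    # Deterministic serialisation so the same entry always hashes the same way.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(log: List[Dict], ts: str, actor: str, action: str, target: str) -> Dict:
    """Append one privileged action; its hash covers the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "action": action, "target": target, "prev_hash": prev}
    entry = dict(body, hash=_digest(body))
    log.append(entry)
    return entry


def verify(log: List[Dict], anchor: Optional[str] = None) -> Optional[int]:
    """Index of the first inconsistent entry, or None if the chain is intact.
    `anchor` is the head hash as copied to write-once storage; without it an
    attacker who edits an entry and recomputes every later hash is not caught."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return len(log)  # self-consistent chain, but not the one that was anchored
    return None


def demo() -> tuple:
    """Constructed sample: three admin actions, then two tampering attempts."""
    log: List[Dict] = []
    append(log, "2026-04-01T09:00:00Z", "admin@example.test", "role.grant", "user:17")
    append(log, "2026-04-01T09:05:00Z", "admin@example.test", "export.start", "ledger:2025")
    append(log, "2026-04-01T09:07:00Z", "admin@example.test", "export.done", "ledger:2025")
    anchor = log[-1]["hash"]                 # what write-once storage would hold
    edited = [dict(e) for e in log]
    edited[1]["target"] = "ledger:2024"      # silent edit of a past entry
    rebuilt: List[Dict] = []                 # attacker also re-chains everything after the edit
    for e in edited:
        append(rebuilt, e["ts"], e["actor"], e["action"], e["target"])
    return verify(log, anchor), verify(edited, anchor), verify(rebuilt), verify(rebuilt, anchor)
```

`demo()` returns `(None, 1, None, 3)`: the original chain verifies, the edited entry is flagged at index 1, the fully re-chained copy passes on its own but fails against the anchored head hash.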

Database

  • PostgreSQL 16 with Row-Level Security (RLS) enforcing tenant isolation at the storage layer.
  • Automated daily snapshots; encrypted off-site backups retained for 35 days.
  • Point-in-time recovery within the retention window.

Hosting & Infrastructure

  • Primary region: AWS Mumbai (ap-south-1) for data residency in India.
  • Multi-AZ deployment with target 99.95% uptime SLA.
  • Web Application Firewall and DDoS mitigation via Cloudflare.

Application Security

  • Strict Content-Security-Policy and security headers via Helmet.
  • Input validation with Zod schemas on every endpoint.
  • Rate limiting and bot mitigation on auth and high-risk endpoints.
  • Dependency scanning (Dependabot) and SAST (CodeQL) on every pull request.

Penetration Testing

We conduct an independent annual third-party penetration test with remediation tracked to closure. Executive summary reports are available to enterprise customers under NDA.

Compliance Roadmap

  • DPDPA, 2023 — operational compliance.
  • SOC 2 Type II — target Q3 2026.
  • ISO/IEC 27001 — under evaluation for 2027.

Vulnerability Disclosure

Found a security issue? We appreciate responsible disclosure. Please email security@askbooks.in. A PGP key is available on request. Please do not access data that does not belong to you, and allow us a reasonable window to remediate before public disclosure.

Bug Bounty

We run a private bug-bounty programme for high-impact findings. Email security@askbooks.in with your prior research for an invitation.