Last updated: 01 Jul 2026.
01 Encryption
All secrets (payment keys, SMTP passwords, API tokens) are encrypted at rest with AES-256-GCM. Transport is HTTPS-only.
02 Payments
Razorpay is PCI-DSS Level 1 certified. Card data never touches our servers. Every webhook is HMAC-signature verified before fulfillment.
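As an added illustration of the webhook check described above (example code written for this page, not the project's own handler), the verifier below recomputes an HMAC-SHA256 over the raw request body and compares it in constant time, failing closed when the header is absent. The header name `X-Razorpay-Signature`, the hex encoding, and the secret and payload values are assumptions for this example.

```python
import hashlib
import hmac
import json

# Assumed from Razorpay's public docs: HMAC-SHA256 over the raw body, hex-encoded,
# keyed with the webhook secret configured in the dashboard.
SIGNATURE_HEADER = "X-Razorpay-Signature"


def sign_payload(raw_body: bytes, webhook_secret: bytes) -> str:
    """Compute the hex HMAC-SHA256 a sender attaches to a webhook body."""
    return hmac.new(webhook_secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, headers: dict, webhook_secret: bytes) -> bool:
    """Return True only if the signature header matches the raw (unparsed) body.

    Fail closed: a missing or empty header is treated as a forgery.
    hmac.compare_digest avoids leaking, via timing, which byte first differed.
    """
    provided = headers.get(SIGNATURE_HEADER)
    if not provided:
        return False
    expected = sign_payload(raw_body, webhook_secret)
    return hmac.compare_digest(expected, provided.strip().lower())


def handle_webhook(raw_body: bytes, headers: dict, webhook_secret: bytes) -> str:
    """Fulfil only after the signature checks out; never parse unverified input."""
    if not verify_webhook(raw_body, headers, webhook_secret):
        return "rejected"
    event = json.loads(raw_body)
    if event.get("event") == "payment.captured":
        return "fulfilled"
    return "ignored"


if __name__ == "__main__":
    # Constructed sample secret and payload, not real credentials or events.
    secret = b"constructed-webhook-secret"
    body = b'{"event":"payment.captured","payload":{"payment":{"entity":{"id":"pay_constructed"}}}}'
    good = {SIGNATURE_HEADER: sign_payload(body, secret)}
    print(handle_webhook(body, good, secret))          # fulfilled
    print(handle_webhook(body + b" ", good, secret))   # rejected: body altered after signing
    print(handle_webhook(body, {}, secret))            # rejected: header missing
```

The comparison must run over the exact bytes received; re-serialising a parsed JSON object before hashing will silently break verification on whitespace or key-order changes.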
03 Authentication
Passwords are stored as bcrypt hashes. Session cookies are set HttpOnly and SameSite=Lax, with the Secure flag on HTTPS.
04 Application controls
- CSRF tokens on every POST.
- Server-side rate limiting on auth, payment, and contact endpoints.
- Audit log of all admin and billing actions.
- Server-side input validation on every form.
05 Responsible disclosure
Found a vulnerability? Email itsdevsarun@gmail.com with details. We respond within 48 hours and credit reporters in our Hall of Fame.
Have a question about this policy?
We're a small team — every email reaches a human, usually the founder.