Security Policy

Last updated: January 29, 2026

1. Introduction

At Droot Consulting Private Limited, the security of Atlas and your data is our top priority. This Security Policy outlines the technical and organizational measures we implement to protect your information and ensure the security of our subscription management platform.

We are committed to maintaining the highest standards of security and continuously improving our security practices to protect against evolving threats.

2. Security Overview

Our security program is built on multiple layers of protection:

  • Encryption at rest and in transit
  • Strong authentication and access controls
  • Multi-tenant data isolation
  • Regular security assessments and monitoring
  • Incident response procedures
  • Compliance with industry standards

3. Data Encryption

3.1 Encryption at Rest

Sensitive data stored in our databases is encrypted using AES-256-CBC encryption. This includes:

  • Payment gateway credentials (API keys, merchant keys, salts)
  • Sensitive customer information
  • Authentication tokens

Encryption keys are managed securely and rotated regularly. We use industry-standard encryption algorithms and key management practices.

3.2 Encryption in Transit

All data transmission between your devices and our servers uses HTTPS/TLS 1.2 or higher. This ensures:

  • Data integrity during transmission
  • Protection against interception
  • Authentication of our servers

We use strong cipher suites and maintain up-to-date SSL/TLS certificates.

3.3 Payment Gateway Encryption

Payment data is encrypted by our payment gateway partners (Razorpay and PayU) using their own encryption standards, which comply with PCI DSS requirements. We do not store full payment card numbers.

3.4 API Key Encryption

API keys are stored using SHA-256 cryptographic hashing. Only hashed values are stored in our database, ensuring that even if database access is compromised, API keys cannot be recovered.

4. Authentication and Access Control

4.1 Password Security

User passwords are protected using bcrypt hashing algorithms with appropriate cost factors. We enforce:

  • Minimum password complexity requirements
  • Password strength validation
  • Secure password storage (never stored in plain text)
  • Password reset mechanisms with secure token generation

4.2 Multi-Factor Authentication

We support multi-factor authentication (MFA) for enhanced account security. Users are encouraged to enable MFA for their accounts, especially for administrative access.

4.3 API Key Authentication

API access is secured through:

  • SHA-256 hashed API keys
  • Scope-based permissions
  • Expiration dates and revocation capabilities
  • Usage monitoring and logging

4.4 Role-Based Access Control (RBAC)

We implement role-based access control with the following roles:

  • Support: Basic read access
  • Analyst: Read access + analytics
  • Admin: Full access except tenant settings
  • Owner: Full access including tenant settings

Access is enforced at both the application and database levels.

4.5 Session Management

User sessions are managed securely with:

  • Secure session tokens
  • Session expiration and timeout
  • Concurrent session limits
  • Session invalidation on logout

5. Multi-Tenant Security

5.1 Data Isolation

We ensure complete data isolation between tenants through:

  • Tenant ID filtering on all database queries
  • Application-level access controls
  • Middleware enforcement of tenant boundaries
  • No cross-tenant data access capabilities

5.2 Tenant ID Filtering

All tenant-scoped data includes a tenantId field. Every database query is filtered by tenantId to ensure data isolation. This is enforced at multiple layers:

  • API route handlers
  • Database query builders
  • Middleware functions

5.3 Access Controls

Access to tenant data is controlled through:

  • User-tenant membership verification
  • Role-based permissions
  • API scope restrictions
  • Regular access audits

6. Infrastructure Security

6.1 Server Security

Our servers are secured with:

  • Regular security updates and patches
  • Hardened operating system configurations
  • Minimal attack surface
  • Intrusion detection systems

6.2 Database Security

MongoDB databases are protected through:

  • Authentication and authorization
  • Network isolation and firewalls
  • Encrypted connections
  • Regular backups
  • Access logging and monitoring

6.3 Network Security

Network security measures include:

  • Firewalls and network segmentation
  • DDoS protection
  • Intrusion prevention systems
  • Network monitoring and alerting

6.4 DDoS Protection

We implement DDoS protection measures to ensure service availability. This includes rate limiting, traffic filtering, and coordination with hosting providers.

7. Payment Security

7.1 PCI DSS Compliance Considerations

While we do not store full payment card numbers, we follow PCI DSS best practices:

  • No storage of full card numbers
  • Secure handling of payment data
  • Encrypted transmission to payment gateways
  • Compliance with payment gateway security requirements

7.2 Payment Gateway Security

Payment processing is handled by PCI DSS compliant payment gateways:

  • Razorpay: PCI DSS Level 1 compliant
  • PayU: PCI DSS compliant

Payment gateway credentials are encrypted using AES-256-CBC before storage.

7.3 Payment Data Handling

We minimize payment data handling:

  • Payment data is transmitted directly to payment gateways
  • We do not process or store full payment card details
  • Payment tokens and references are stored securely
  • Payment webhooks are verified and authenticated

8. API Security

8.1 API Key Management

API keys are managed securely:

  • Keys are generated using cryptographically secure random number generators
  • Keys are displayed only once upon creation
  • Keys are stored using SHA-256 hashing
  • Keys can be revoked or expired
  • Key usage is logged and monitored

8.2 Scope-Based Permissions

API keys are assigned specific scopes that limit access to:

  • Customers (read/write)
  • Products (read/write)
  • Subscriptions (read/write)
  • Invoices (read/write)
  • Webhooks (read/write)

8.3 Rate Limiting

API requests are subject to rate limiting to prevent abuse and ensure fair usage. Rate limits are enforced per API key and may vary based on your subscription tier.

8.4 Request Validation

All API requests are validated for:

  • Authentication (valid API key)
  • Authorization (appropriate scopes)
  • Input validation and sanitization
  • Tenant ID verification

9. Monitoring and Logging

9.1 Audit Logs

We maintain comprehensive audit logs of:

  • User authentication and access
  • Data modifications and deletions
  • API usage and requests
  • Administrative actions
  • Security events

Audit logs include timestamps, user identifiers, IP addresses, and action details.

9.2 Security Monitoring

We continuously monitor for:

  • Unauthorized access attempts
  • Suspicious activity patterns
  • System anomalies
  • Performance issues
  • Security vulnerabilities

9.3 Incident Detection

Automated systems and security teams monitor for security incidents. Alerts are configured for:

  • Failed authentication attempts
  • Unusual API usage patterns
  • Data access anomalies
  • System errors and exceptions

10. Vulnerability Management

10.1 Security Updates

We regularly update our systems with:

  • Security patches for operating systems
  • Framework and library updates
  • Dependency vulnerability fixes
  • Application security improvements

10.2 Vulnerability Reporting

We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please:

  • Email info@droot.in
  • Provide detailed information about the vulnerability
  • Allow reasonable time for remediation before public disclosure
  • Do not exploit the vulnerability or access unauthorized data

We will acknowledge receipt within 48 hours and work to resolve critical issues promptly.

10.3 Security Assessments

We conduct regular security assessments including:

  • Penetration testing
  • Code security reviews
  • Infrastructure security audits
  • Third-party security assessments

11. Incident Response

11.1 Incident Detection

Security incidents are detected through automated monitoring, security assessments, and user reports. Our security team is trained to identify and respond to various types of incidents.

11.2 Response Procedures

Upon detection of a security incident, we:

  • Immediately assess the scope and impact
  • Contain the incident to prevent further damage
  • Investigate root causes
  • Remediate vulnerabilities
  • Restore affected systems
  • Document lessons learned

11.3 User Notification

In the event of a security incident affecting your data, we will:

  • Notify affected users promptly
  • Provide details about the incident
  • Explain steps taken to address it
  • Recommend actions users should take
  • Provide contact information for questions

11.4 Regulatory Reporting

We comply with applicable data breach notification requirements under Indian IT Act and other applicable regulations. We will report incidents to relevant authorities as required by law.

12. Compliance

12.1 Indian IT Act Compliance

We comply with the Indian Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including:

  • Implementation of reasonable security practices
  • Data protection measures
  • Grievance redressal mechanisms
  • Privacy policy requirements

12.2 Data Protection Regulations

We comply with applicable data protection regulations including GDPR (for EU users) and Indian data protection laws. Our practices align with principles of:

  • Data minimization
  • Purpose limitation
  • Storage limitation
  • Data accuracy
  • Security and confidentiality

12.3 Industry Standards

We follow industry best practices and standards including:

  • OWASP security guidelines
  • NIST cybersecurity framework
  • ISO 27001 principles
  • PCI DSS considerations

13. Security Best Practices for Users

13.1 Password Guidelines

To maintain account security, users should:

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Never share passwords
  • Change passwords regularly
  • Use password managers

13.2 API Key Security

When using API keys:

  • Store keys securely (never in code repositories)
  • Use minimal required scopes
  • Rotate keys regularly
  • Revoke unused or compromised keys immediately
  • Monitor API usage for anomalies

13.3 Account Security

Additional security measures:

  • Review account activity regularly
  • Monitor for suspicious activity
  • Keep contact information updated
  • Report security concerns immediately

14. Third-Party Security

14.1 Vendor Security Assessments

We assess the security practices of third-party vendors and service providers before integration. We require:

  • Security certifications where applicable
  • Compliance with industry standards
  • Data protection agreements
  • Regular security updates

14.2 Service Provider Security

Our key service providers include:

  • MongoDB: Database hosting with security controls
  • Resend: Email delivery with security measures
  • Razorpay/PayU: PCI DSS compliant payment processing

We maintain contracts with service providers that include security and data protection requirements.

15. Data Backup and Recovery

15.1 Backup Procedures

We maintain regular backups of:

  • Database content
  • Configuration data
  • Application code

Backups are:

  • Performed regularly (at least daily)
  • Stored in secure, geographically separate locations
  • Encrypted
  • Tested regularly for integrity

15.2 Recovery Procedures

We maintain documented recovery procedures and regularly test our ability to restore from backups. Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and monitored.

15.3 Business Continuity

We maintain business continuity plans to ensure service availability in the event of disruptions. This includes disaster recovery procedures and redundant systems where applicable.

16. Security Certifications and Audits

We regularly conduct security audits and assessments. While we may pursue formal security certifications in the future, we currently maintain security practices aligned with industry standards including ISO 27001 principles and NIST cybersecurity framework.

We are committed to continuous improvement of our security posture and may undergo third-party security audits and certifications as we scale.

17. Contact Security Team

For security-related inquiries, vulnerability reports, or security incidents, please contact:

Security Team
Droot Consulting Private Limited
Email: info@droot.in
Response Time: Within 48 hours for security inquiries

For general inquiries, please use: info@droot.in

18. Updates to Security Policy

We may update this Security Policy from time to time to reflect changes in our security practices, technology, or legal requirements. Material changes will be:

  • Posted on this page
  • Dated with the "Last updated" notice
  • Communicated to users when significant

We encourage you to review this policy periodically to stay informed about how we protect your information.

Privacy PolicyTerms & ConditionsSecurity PolicyHome