Security & compliance
How we keep your data honestly safe
The boring truth about CloudNx's security posture — what we do today, what we'll do soon, and the certifications we don't have yet. Written for your CISO and CA to read and forward.
EU GDPR data residency today
Hetzner Helsinki (HEL1), ISO 27001-certified. Mumbai region for Indian residency lands Q3 2026; enterprise dedicated tier available now on request.
TLS 1.3 + LUKS-encrypted disks
Every endpoint enforces TLS 1.3; every host disk LUKS-encrypted. Customer-managed KMS root keys ship Q3 2026.
Immutable audit log, 1-year retention
Every state-changing request logged with actor, IP, path, status. Visible to your account owner. Satisfies DPDP Section 6.
Nightly backups, weekly restore drill
Postgres + VM snapshots offsite-replicated; restore drill runs every Sunday and pages on-call if it fails. Observed RTO ~12 min.
Data residency
Today, all customer data — VMs, block volumes, S3-compatible objects, Postgres backups — sits on bare-metal hardware in Hetzner's Helsinki, Finland data center (Hetzner DC HEL1), which is ISO 27001 and GDPR-compliant.
A Mumbai region (OVH ADVANCE-1 in BOM1 datacenter) is on the public Q3 2026 roadmap for customers who require Indian data residency. Enterprise customers can opt into dedicated Mumbai hardware on day 1 — see contact.
Encryption
In transit: TLS 1.3 minimum on every customer-facing endpoint (portal, API, S3, mail). Certificates issued by Let's Encrypt, auto-renewed by certbot, monitored by Prometheus.
At rest: Postgres ships with LUKS-encrypted host disks; backups are PGP-encrypted before leaving the host. Customer VM disks are stored on encrypted Hetzner NVMe (LUKS). Customer-managed key encryption (KMS) is in the Q3 2026 roadmap — the root-key handling design uses AES-256-GCM envelope encryption with the root key escrowed offline (printed + safe).
Audit logs
Every state-changing HTTP request across the auth, compute, and storage services is logged to an immutable audit_logs table — actor user_id, account_id, service, method, path, status, IP, user-agent, request-ID, duration. GET/HEAD/OPTIONS, /healthz, and /metrics are skipped by design.
Retention: 1 year minimum. Visible to your account owner at /portal/audit-logs with filter-by-service and free-text path/IP/UA search. Required for DPDP Act Section 6 obligations and SOC 2 readiness.
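The audit rule above (log every state-changing request with actor, account, method, path, status, IP, user-agent, request-ID and duration; skip reads and the health/metrics endpoints) as a WSGI middleware. This is an added example, not CloudNx's own code; it assumes an upstream auth layer has placed the principal in the environ keys `cloudnx.user_id` / `cloudnx.account_id`, and `sink` stands in for the append-only audit_logs writer.

```python
import time
import uuid

# Skipped by design: reads and the health/metrics endpoints never produce an audit row.
SKIPPED_METHODS = {"GET", "HEAD", "OPTIONS"}
SKIPPED_PATHS = {"/healthz", "/metrics"}


def should_audit(method, path):
    return method.upper() not in SKIPPED_METHODS and path not in SKIPPED_PATHS


class AuditMiddleware:
    """WSGI middleware appending one record per audited request to `sink` (insert-only
    DB writer in production). Principal keys below are assumed, not CloudNx's own."""

    def __init__(self, app, service, sink):
        self.app = app
        self.service = service
        self.sink = sink

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        path = environ.get("PATH_INFO", "/")
        if not should_audit(method, path):
            return self.app(environ, start_response)
        captured = {}
        request_id = environ.get("HTTP_X_REQUEST_ID") or str(uuid.uuid4())
        started = time.monotonic()

        def capturing_start_response(status, headers, exc_info=None):
            captured["status"] = int(status.split(" ", 1)[0])
            return start_response(status, headers, exc_info)

        try:
            return self.app(environ, capturing_start_response)
        finally:
            # Written even when the handler raised, so failed mutations are still on record.
            self.sink.append({
                "actor_user_id": environ.get("cloudnx.user_id"),
                "account_id": environ.get("cloudnx.account_id"),
                "service": self.service,
                "method": method,
                "path": path,
                "status": captured.get("status", 500),
                # Socket peer; behind a proxy use the proxy-set header, never a client-supplied one.
                "ip": environ.get("REMOTE_ADDR", ""),
                "user_agent": environ.get("HTTP_USER_AGENT", ""),
                "request_id": request_id,
                "duration_ms": round((time.monotonic() - started) * 1000, 3),
            })
```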
Backups & disaster recovery
Postgres: Nightly logical dumps via pg_dump --format=custom at 02:30 IST. Pushed to MinIO (local) and replicated to an offsite S3-compatible store (Hetzner Storage Box or Backblaze B2, configurable per deployment). Retention: 14 days.
Customer VMs: Live Proxmox snapshots nightly via cron, retention 7 days. Snapshots are taken with --vmstate 0 for filesystem consistency without requiring quiesce.
Restore drill: A weekly automated job restores the latest Postgres dump into a fresh container and runs a schema-integrity check. Failure pages on-call. (RTO observed: ~12 min for full Postgres restore.)
Status: Backup runs publish a textfile metric consumed by Prometheus; alerting fires if no successful backup in the last 26h.
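The backup-status mechanism above (a textfile metric written on success, an alert when no successful run is seen within 26h) as an added example that is not CloudNx's own code. The metric name, job labels and rule name are assumed; it also covers the edge case the threshold alone misses, a job that has never reported at all.

```python
import os
import re
import time

# Textfile-collector gauge: epoch of the last successful run, one series per backup job.
# Metric and job names are assumed for this example, not CloudNx's real ones.
METRIC = "cloudnx_backup_last_success_timestamp_seconds"
MAX_AGE_SECONDS = 26 * 3600  # nightly job plus two hours of grace, matching the 26h alert

# Equivalent Prometheus rule (assumed): expr: time() - METRIC > 26 * 3600, for: 10m,
# paired with absent(METRIC{job="pg_dump"}) so a job that never reports also alerts.


def render_textfile(job, success_ts):
    """Metric text the backup script writes only after pg_dump and the upload succeed."""
    return (f"# HELP {METRIC} Unix time of the last successful backup.\n"
            f"# TYPE {METRIC} gauge\n"
            f'{METRIC}{{job="{job}"}} {int(success_ts)}\n')


def write_textfile(path, job, success_ts):
    """Write via temp file + rename so node_exporter never reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(render_textfile(job, success_ts))
    os.replace(tmp, path)


_LINE = re.compile(rf'^{METRIC}\{{job="([^"]+)"\}} (\d+)$', re.M)


def parse_textfile(text):
    """Map job -> last-success epoch from one or more textfile metric files."""
    return {job: int(ts) for job, ts in _LINE.findall(text)}


def stale_jobs(text, now=None, max_age=MAX_AGE_SECONDS, expected=()):
    """Jobs that would page: last success older than max_age, or expected but never reported."""
    now = time.time() if now is None else now
    last = parse_textfile(text)
    stale = {job for job, ts in last.items() if now - ts > max_age}
    stale.update(job for job in expected if job not in last)
    return sorted(stale)
```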
Identity & access
Customer-facing: Sub-users under your account (IAM users), grouped into IAM groups, governed by attached IAM policies. Five managed policies seeded by default (CloudNxFullAccess, CloudNxReadOnlyAccess, CloudNxComputeFullAccess, CloudNxStorageFullAccess, CloudNxBillingReadOnly) plus custom policies you define.
Programmatic: Access key + secret key pairs, signed via AWS sigv4-compatible request signing. Secret keys are encrypted at rest with a service-level AES-256-GCM key separate from the root KMS key.
Owner accounts: Password (bcrypt, cost 12) + TOTP 2FA. TOTP secret is itself AES-256-GCM encrypted in the DB. OAuth via GitHub and Google supported as alternative sign-in.
Compliance posture (the honest version)
Active today
- GDPR (EU 2016/679) — data residency in Helsinki (ISO 27001 datacenter), data processing addendum available on request, data-subject access (DSAR) handled via [email protected] within 30 days, right-to-erasure honoured at the account level.
- India DPDP Act, 2023 — audit logging, data-subject access via portal export, DPO contact published, breach-notification workflow established per Section 8.
- CCPA / CPRA (California) — "Do Not Sell" is N/A (we don't sell user data, ever), DSAR honoured per [email protected] within the statutory window for California residents.
- GST tax invoice flow (India) — IRN-issued e-invoices for every top-up, CGST/SGST/IGST split per buyer state.
Not yet certified — being transparent
- SOC 2 Type II — engineering preconditions (audit logs, KMS, MFA, RBAC, change management) ship across 2026. The formal audit is planned for FY27.
- ISO 27001 — same window; we'll start the pre-audit gap analysis after SOC 2.
- PCI-DSS — we don't store card data; Razorpay holds PCI scope. Out-of-scope for us by design.
If your procurement requires "SOC 2 Type II today", we'll tell you that on the first call rather than waste your time. We'll happily share our SOC 2 readiness checklist and interim control evidence under NDA.
Operational practices
- Patches: Unattended OS security updates on the host (no auto-reboots). Weekly Sunday maintenance window (22:00–24:00 IST) for kernel reboots, container deploys, and schema migrations — pre-announced on the status page.
- Renovate bot: Weekend-grouped dependency updates, auto-merge on patch with green CI; majors are manually reviewed.
- Container rollback: Every deploy tags the previous image as :rollback; a single command reverts to the last-known-good in ~5s with health-check guard.
- Incident response: Public post-mortems within 48h for any customer-visible incident. Status page operated by a separate GitHub-hosted Upptime fork so it stays up when we don't.
Reporting a vulnerability
We don't (yet) run a public bug-bounty program — we're small. But we read every report and we credit researchers in release notes when they accept.
Send disclosure to [email protected]. PGP key fingerprint coming soon — until then, please tolerate plain-text. Standard 90-day coordinated-disclosure window unless we negotiate otherwise.
Procurement team has questions?
We'll happily complete a security questionnaire or share interim control evidence under NDA. Email [email protected].
Last reviewed 2026-05-22. We re-audit this page quarterly.