BusinessSetu Pro is built with security as a default. This page lists the protections we have in place and where we are still working.
In transit
- HTTPS / TLS 1.3 on every page and every API call. HTTP requests are redirected to HTTPS at the edge.
- HSTS (HTTP Strict Transport Security) is enabled.
- Cloudflare sits in front of the origin, providing certificate management, anti-bot, and DDoS protection.
At rest
- Passwords: stored as one-way bcrypt hashes. We never see your plain-text password. Password reset uses a single-use, time-limited token.
- Database: access is controlled at the application layer and the database layer. Only authorised production engineers can read production data, and every access is logged.
- Backups: daily, retained for 14 days, stored on the same Indian infrastructure.
- Full disk-level at-rest encryption is on our 2026 roadmap. Until then we rely on the application + database access controls listed above.
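The single-use, time-limited reset token described above, as an added example that is not BusinessSetu Pro's own code: the store keeps only a hash of the token, so a database read never yields a usable reset link, and a token is refused once used or once expired. The in-memory store, the 15-minute lifetime and the SHA-256 token hash are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the page only says "time-limited"

# Constructed stand-in for the database table: reset_id -> record
_reset_store: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    # Only the hash is persisted; the raw token is sent to the user once.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a reset token for user_id. Returns (reset_id, raw_token)."""
    now = time.time() if now is None else now
    raw_token = secrets.token_urlsafe(32)   # unguessable, goes into the e-mail link
    reset_id = secrets.token_urlsafe(16)    # lookup key, carries no secret
    _reset_store[reset_id] = {
        "user_id": user_id,
        "token_hash": _hash_token(raw_token),
        "expires_at": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return reset_id, raw_token


def redeem_reset_token(reset_id: str, raw_token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known, unexpired and unused; else None.
    On success the record is marked used, so the same link cannot be replayed."""
    now = time.time() if now is None else now
    rec = _reset_store.get(reset_id)
    if rec is None or rec["used"] or now > rec["expires_at"]:
        return None
    # Constant-time comparison of the hashes avoids a timing side channel.
    if not hmac.compare_digest(rec["token_hash"], _hash_token(raw_token)):
        return None
    rec["used"] = True
    return rec["user_id"]
```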
Authentication and access
- Strong-password requirement enforced at signup and reset.
- Session cookies are HttpOnly, Secure, and SameSite=Lax.
- CSRF protection on every state-changing request.
- Failed-login throttling per IP and per account.
- Two-factor authentication (TOTP) is on our 2026 roadmap.
Payments and card data
We do not store credit / debit card numbers, CVVs or net-banking credentials on our servers. Card data is collected and handled by Razorpay (PCI-DSS Level 1 certified). We only receive a tokenised reference for each transaction.
Audit log
Every important change inside the app (create, update, delete on customer, invoice, payment, user) is written to an audit log with the actor, timestamp and IP address. You can view your account's audit log from Settings → Activity.
Where data lives
All your business data is hosted on Indian servers, in Indian data centres, with our hosting partner. We do not transfer data outside India.
Breach response
If we ever detect a personal data breach that is likely to cause harm, under DPDP § 8(6) we will notify each affected Data Principal and the Data Protection Board of India in the manner and within the timeframe prescribed by the Act and its rules. Our internal commitment is:
- Detect → contain: as fast as possible, target within 24 hours of confirmation.
- Notify you: within 72 hours of confirmation, with what happened, what data is involved, what we are doing, and what you can do.
- Notify the Data Protection Board: within the time and form prescribed by the Act.
- Post-mortem: root cause analysis published on this page within 30 days.
Third-party security review
We have not yet been audited by an independent third party. An external security review is on the 2026 roadmap.
How to report a vulnerability
If you find a security issue please write to contact@bighelpers.in with the word SECURITY in the subject. We acknowledge within 2 working days and treat reports confidentially. We are happy to credit researchers who help us improve.