Section 01
Our Security Commitment
Security is not an afterthought at InventX — it is foundational to everything we build. We apply defence-in-depth strategies, combining physical, network, application, and data security controls to protect your business data at every layer.
InventX follows the OWASP Top 10 security framework and conducts regular third-party security audits to identify and remediate vulnerabilities proactively.
Section 02
Infrastructure Security
Our infrastructure is built on enterprise-grade cloud providers with the following protections:
- Network Isolation: All services run in private VPCs with strict security group rules. No direct internet exposure to database or internal services.
- DDoS Protection: Enterprise-grade DDoS mitigation at the network and application layer with automatic traffic scrubbing.
- Web Application Firewall (WAF): Managed WAF with OWASP ruleset, rate limiting, and bot protection.
- Intrusion Detection: Real-time network and host-level intrusion detection with 24/7 alerting to our security team.
- Geo-redundancy: Applications and databases are replicated across multiple availability zones.
Section 03
Encryption
We encrypt your data at every stage:
- In Transit: All communications use TLS 1.3 with strong cipher suites. HTTP Strict Transport Security (HSTS) is enforced with a 1-year max-age.
- At Rest: Database and file storage encrypted with AES-256. Encryption keys are managed using a Hardware Security Module (HSM) with automatic rotation.
- Passwords: Never stored in plaintext. Hashed using bcrypt with 10+ salt rounds, making brute-force attacks computationally infeasible.
- Sensitive Fields: GST numbers, PAN details, and bank information are encrypted at the field level within the database.
Section 04
Authentication & Access Control
InventX implements multiple layers of access control:
- JWT Sessions: Secure, short-lived JSON Web Tokens with automatic expiration and rotation.
- Role-Based Access Control (RBAC): Granular permissions per user per company — OWNER, STAFF, and VIEWER roles with configurable resource permissions.
- Multi-tenancy Isolation: Every database query is scoped to the authenticated user's company. Cross-company data access is architecturally impossible.
- Account Lockout: Automatic temporary lockout after 10 failed login attempts to prevent brute-force attacks.
- Audit Logging: Every data modification is logged with before/after snapshots, user identity, and timestamp for complete accountability.
Section 05
Application Security
Our development practices embed security throughout the SDLC:
- Input Validation: All user inputs are validated and sanitised on both client and server sides.
- SQL Injection Prevention: We use Prisma ORM with parameterised queries — raw SQL is never constructed from user input.
- XSS Protection: React's built-in escaping combined with Content Security Policy (CSP) headers prevent cross-site scripting.
- CSRF Protection: SameSite cookie attributes and CSRF tokens prevent cross-site request forgery.
- Dependency Scanning: Automated vulnerability scanning of all npm dependencies on every commit with automatic alerts for known CVEs.
- Code Reviews: All code changes require review by at least one senior engineer before merging.
Section 06
Vulnerability Management
We proactively identify and remediate security vulnerabilities through:
- Penetration Testing: Annual third-party penetration tests by certified security professionals.
- Automated Scanning: Continuous SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) scans in our CI/CD pipeline.
- Bug Bounty: Responsible disclosure programme — report vulnerabilities to dhruvangg@gmail.com and we will acknowledge within 24 hours.
- Patch Management: Critical security patches are applied within 24 hours of release. High-severity patches within 72 hours.
Section 07
Personnel & Operational Security
- Background Checks: All InventX employees with system access undergo background verification.
- Least Privilege: Employees only have access to the systems and data necessary for their role.
- MFA Required: Multi-factor authentication is mandatory for all InventX staff on all internal systems.
- Security Training: Annual security awareness training required for all employees.
- Production Access Approval: Any production database access requires multi-person approval and is fully logged.
Section 08
Incident Response
In the event of a security incident, InventX follows a documented Incident Response Plan:
- Detection: Automated monitoring with real-time alerts to the security team 24/7.
- Containment: Immediate isolation of affected systems within 1 hour of confirmed incident.
- Notification: Affected customers notified within 72 hours of confirmed breach, as required by applicable data protection laws.
- Remediation: Root cause analysis, fix deployment, and post-incident review within 30 days.
To report a security incident or suspicious activity, contact dhruvangg@gmail.com immediately.