Security

Security Practices

Last updated: May 18, 2026 · Defence-in-depth approach

Section 01

Our Security Commitment

Security is not an afterthought at InventX — it is foundational to everything we build. We apply defence-in-depth strategies, combining physical, network, application, and data security controls to protect your business data at every layer.

InventX follows the OWASP Top 10 security framework and conducts regular third-party security audits to identify and remediate vulnerabilities proactively.
Section 02

Infrastructure Security

Our infrastructure is built on enterprise-grade cloud providers with the following protections:

  • Network Isolation: All services run in private VPCs with strict security group rules. No direct internet exposure to database or internal services.
  • DDoS Protection: Enterprise-grade DDoS mitigation at the network and application layer with automatic traffic scrubbing.
  • Web Application Firewall (WAF): Managed WAF with OWASP ruleset, rate limiting, and bot protection.
  • Intrusion Detection: Real-time network and host-level intrusion detection with 24/7 alerting to our security team.
  • Geo-redundancy: Applications and databases are replicated across multiple availability zones.
Section 03

Encryption

We encrypt your data at every stage:

  • In Transit: All communications use TLS 1.3 with strong cipher suites. HTTP Strict Transport Security (HSTS) is enforced with a 1-year max-age.
  • At Rest: Database and file storage encrypted with AES-256. Encryption keys are managed using a Hardware Security Module (HSM) with automatic rotation.
  • Passwords: Never stored in plaintext. Hashed using bcrypt with 10+ salt rounds, making brute-force attacks computationally infeasible.
  • Sensitive Fields: GST numbers, PAN details, and bank information are encrypted at the field level within the database.
Section 04

Authentication & Access Control

InventX implements multiple layers of access control:

  • JWT Sessions: Secure, short-lived JSON Web Tokens with automatic expiration and rotation.
  • Role-Based Access Control (RBAC): Granular permissions per user per company — OWNER, STAFF, and VIEWER roles with configurable resource permissions.
  • Multi-tenancy Isolation: Every database query is scoped to the authenticated user's company. Cross-company data access is architecturally impossible.
  • Account Lockout: Automatic temporary lockout after 10 failed login attempts to prevent brute-force attacks.
  • Audit Logging: Every data modification is logged with before/after snapshots, user identity, and timestamp for complete accountability.
Section 05

Application Security

Our development practices embed security throughout the SDLC:

  • Input Validation: All user inputs are validated and sanitised on both client and server sides.
  • SQL Injection Prevention: We use Prisma ORM with parameterised queries — raw SQL is never constructed from user input.
  • XSS Protection: React's built-in escaping combined with Content Security Policy (CSP) headers prevent cross-site scripting.
  • CSRF Protection: SameSite cookie attributes and CSRF tokens prevent cross-site request forgery.
  • Dependency Scanning: Automated vulnerability scanning of all npm dependencies on every commit with automatic alerts for known CVEs.
  • Code Reviews: All code changes require review by at least one senior engineer before merging.
Section 06

Vulnerability Management

We proactively identify and remediate security vulnerabilities through:

  • Penetration Testing: Annual third-party penetration tests by certified security professionals.
  • Automated Scanning: Continuous SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) scans in our CI/CD pipeline.
  • Bug Bounty: Responsible disclosure programme — report vulnerabilities to dhruvangg@gmail.com and we will acknowledge within 24 hours.
  • Patch Management: Critical security patches are applied within 24 hours of release. High-severity patches within 72 hours.
Section 07

Personnel & Operational Security

  • Background Checks: All InventX employees with system access undergo background verification.
  • Least Privilege: Employees only have access to the systems and data necessary for their role.
  • MFA Required: Multi-factor authentication is mandatory for all InventX staff on all internal systems.
  • Security Training: Annual security awareness training required for all employees.
  • Production Access Approval: Any production database access requires multi-person approval and is fully logged.
Section 08

Incident Response

In the event of a security incident, InventX follows a documented Incident Response Plan:

  • Detection: Automated monitoring with real-time alerts to the security team 24/7.
  • Containment: Immediate isolation of affected systems within 1 hour of confirmed incident.
  • Notification: Affected customers notified within 72 hours of confirmed breach, as required by applicable data protection laws.
  • Remediation: Root cause analysis, fix deployment, and post-incident review within 30 days.

To report a security incident or suspicious activity, contact dhruvangg@gmail.com immediately.

Found a Security Vulnerability?

We take all reports seriously. Responsible disclosure is always acknowledged and rewarded.

Report a Vulnerability →