Security Controls
- TLS 1.3 for all transit. AES-256 at rest.
- Multi-tenant isolation via Firestore security rules and per-tenant document paths.
- Role-based access control (5 roles) and subscription-tier entitlement on every API.
- Two-factor authentication (TOTP) available for all admin accounts.
- Session management with device tracking and remote revocation.
- Immutable audit log of every state-changing action.
- Rate limiting on public APIs (token-bucket per IP).
- HMAC signing on outbound webhooks and inbound aggregator webhooks.
- Secrets stored in Firebase Functions config / GCP Secret Manager.
Privacy Commitments
- Right of access — programmatic data export at /api/compliance/data-export
- Right of erasure — anonymization of statutory records, hard delete of personal identifiers
- Data residency in India (asia-south1) for Indian tenants by default
- Sub-processor list maintained and updated quarterly
- Data Processing Addendum available on request
Operational Controls
- Automated backups with point-in-time recovery (Firebase managed)
- Disaster recovery target: RPO 1h, RTO 4h
- Monthly access reviews; quarterly key rotation
- Annual penetration testing (third-party)
- Incident response runbook with 1h initial-acknowledgement SLA for P0
- Vulnerability disclosure program: security@ekatantra.com
Documents available on request
- SOC 2 Type I report (interim)
- Penetration test summary (last 12 months)
- Sub-processor list
- Data Processing Agreement (DPA)
- Business Continuity Plan
security@ekatantra.com · Issues disclosure honoured within 90 days.