Trust & security

Draft for stakeholders — align with legal counsel and your DPDP obligations before launch.

Data minimization

We store what is needed to run accounts, billing, support, and abuse prevention. OCR images should use short retention windows; document bodies stay under your control with export and delete.

Transport & storage

Production traffic is served over HTTPS. Database encryption at rest is provided via your host. Secrets live only in environment variables, never in the repository.

Sessions

Web sessions use Laravel’s database driver with secure cookies; admins should enforce MFA when the admin panel ships.

Contact

Security reports: use the contact form with subject “Security”.