Infrastructure
- AWS Mumbai (ap-south-1) primary, Singapore (ap-southeast-1) DR.
- VPC isolation, private subnets, NAT gateways.
- WAF + DDoS protection at edge.
- Daily encrypted backups, 35-day retention, point-in-time recovery.
Application
- TLS 1.3 everywhere, HSTS preload.
- CSRF tokens on every form.
- Role-based access control + per-staff permission overrides.
- 2FA via email OTP for super admins (toggleable for managers).
- Rate-limited login with exponential back-off after 5 failures.
- IP allow-listing for sensitive accounts.
Payments
Card data never touches our servers — Razorpay and Stripe handle PCI-DSS Level 1 tokenisation directly. We see only an opaque payment ID.
Compliance
- SOC 2 Type II — certified Q1 2026.
- ISO 27001:2022 — in progress, completion Q3 2026.
- GDPR + DPDP Act compliant.
- GST e-invoice IRN integration for B2B invoices.
Reporting a vulnerability
Email info@ketpy.com. We pay bug bounties up to ₹2,00,000 for critical issues. Please give us 90 days before public disclosure.