Skip to main content

Security

How Samarohh protects your data

Our Security Commitment

Security is foundational to Samarohh. We handle sensitive event data, guest information, and payment transactions — and we take that responsibility seriously. Our security practices are built to protect your data at every layer, from network transport to database storage to access control.

This page describes our current security posture. If you believe you have found a security vulnerability, please see the Vulnerability Disclosure section below.

Data in Transit

  • All communication between your browser and Samarohh is encrypted using TLS 1.2 or higher
  • HTTP connections are automatically redirected to HTTPS
  • API endpoints enforce HTTPS — unencrypted requests are rejected
  • WebSocket connections (for real-time features) use WSS (TLS-encrypted)

Data at Rest

  • Database contents are encrypted at rest using AES-256
  • Backups are encrypted before storage
  • Passwords are hashed using bcrypt — we never store plaintext passwords
  • Sensitive configuration values (API keys, secrets) are stored in environment variables, never in code

Payment Security

All payments on Samarohh are processed by Razorpay, a PCI DSS Level 1 certified payment processor — the highest level of payment security certification available.

  • Samarohh never stores raw card numbers, CVV codes, or full payment details
  • Payment data flows directly between your browser and Razorpay's secure servers
  • All payment webhooks are verified using cryptographic signatures before processing
  • Transactions use tokenized payment identifiers for subsequent operations

Access Control

  • Role-based access control (RBAC): Users only access data and features appropriate to their role (Admin, Organizer, Sub-user)
  • JWT session tokens: Short-lived access tokens (5 minutes) with 7-day refresh tokens, rotated on each refresh
  • Multi-factor authentication: Available for all accounts
  • Session management: You can view and revoke all active sessions from account settings
  • Account lockout: Repeated failed login attempts trigger temporary lockout
  • Admin impersonation audit: All admin actions on user accounts are logged in a tamper-evident audit trail

Infrastructure Security

  • Hosted on enterprise-grade cloud infrastructure with physical security controls
  • Network-level firewalls restrict access to databases and internal services
  • Intrusion detection systems monitor for anomalous traffic patterns
  • Automated vulnerability scanning runs on all dependencies
  • Regular encrypted database backups with tested restore procedures
  • Audit logging captures all privileged operations with actor, timestamp, and change details

Incident Response

In the event of a security incident or data breach, we follow an established incident response plan:

  • Immediate containment and scope assessment
  • Notification to affected users within 72 hours when legally required
  • Reporting to relevant data protection authorities as mandated by applicable law
  • Root cause analysis and remediation
  • Post-incident review and security improvements

Vulnerability Disclosure

We welcome reports from the security community. If you discover a potential vulnerability in Samarohh, please:

  1. Email us at support@samarohh.com with subject Security Disclosure
  2. Include a description of the vulnerability, steps to reproduce, and potential impact
  3. Do not publicly disclose the vulnerability before we have had a chance to investigate and release a fix
  4. Do not access or modify user data beyond what is necessary to demonstrate the vulnerability

We commit to:

  • Acknowledge your report within 3 business days
  • Investigate all credible reports promptly
  • Keep you informed of our progress
  • Not pursue legal action against good-faith security researchers

Compliance

  • Payment processing via Razorpay is PCI DSS compliant
  • Data handling practices align with GDPR principles for EU users
  • Data retention and deletion procedures follow applicable Indian data protection regulations
  • Periodic third-party security assessments are conducted

Contact

For security concerns or questions about our practices:

Security: support@samarohh.com

Subject: Security Disclosure

Samarohh is a product of Avartana Labs LLP. For enterprise security inquiries, contact us at the email above.