Security
How Samarohh protects your data
Our Security Commitment
Security is foundational to Samarohh. We handle sensitive event data, guest information, and payment transactions — and we take that responsibility seriously. Our security practices are built to protect your data at every layer, from network transport to database storage to access control.
This page describes our current security posture. If you believe you have found a security vulnerability, please see the Vulnerability Disclosure section below.
Data in Transit
- All communication between your browser and Samarohh is encrypted using TLS 1.2 or higher
- HTTP connections are automatically redirected to HTTPS
- API endpoints enforce HTTPS — unencrypted requests are rejected
- WebSocket connections (for real-time features) use WSS (TLS-encrypted)
Data at Rest
- Database contents are encrypted at rest using AES-256
- Backups are encrypted before storage
- Passwords are hashed using bcrypt — we never store plaintext passwords
- Sensitive configuration values (API keys, secrets) are stored in environment variables, never in code
Payment Security
All payments on Samarohh are processed by Razorpay, a PCI DSS Level 1 certified payment processor — the highest level of payment security certification available.
- Samarohh never stores raw card numbers, CVV codes, or full payment details
- Payment data flows directly between your browser and Razorpay's secure servers
- All payment webhooks are verified using cryptographic signatures before processing
- Transactions use tokenized payment identifiers for subsequent operations
Access Control
- Role-based access control (RBAC): Users only access data and features appropriate to their role (Admin, Organizer, Sub-user)
- JWT session tokens: Short-lived access tokens (5 minutes) with 7-day refresh tokens, rotated on each refresh
- Multi-factor authentication: Available for all accounts
- Session management: You can view and revoke all active sessions from account settings
- Account lockout: Repeated failed login attempts trigger temporary lockout
- Admin impersonation audit: All admin actions on user accounts are logged in a tamper-evident audit trail
Infrastructure Security
- Hosted on enterprise-grade cloud infrastructure with physical security controls
- Network-level firewalls restrict access to databases and internal services
- Intrusion detection systems monitor for anomalous traffic patterns
- Automated vulnerability scanning runs on all dependencies
- Regular encrypted database backups with tested restore procedures
- Audit logging captures all privileged operations with actor, timestamp, and change details
Incident Response
In the event of a security incident or data breach, we follow an established incident response plan:
- Immediate containment and scope assessment
- Notification to affected users within 72 hours when legally required
- Reporting to relevant data protection authorities as mandated by applicable law
- Root cause analysis and remediation
- Post-incident review and security improvements
Vulnerability Disclosure
We welcome reports from the security community. If you discover a potential vulnerability in Samarohh, please:
- Email us at support@samarohh.com with subject Security Disclosure
- Include a description of the vulnerability, steps to reproduce, and potential impact
- Do not publicly disclose the vulnerability before we have had a chance to investigate and release a fix
- Do not access or modify user data beyond what is necessary to demonstrate the vulnerability
We commit to:
- Acknowledge your report within 3 business days
- Investigate all credible reports promptly
- Keep you informed of our progress
- Not pursue legal action against good-faith security researchers
Compliance
- Payment processing via Razorpay is PCI DSS compliant
- Data handling practices align with GDPR principles for EU users
- Data retention and deletion procedures follow applicable Indian data protection regulations
- Periodic third-party security assessments are conducted
Contact
For security concerns or questions about our practices:
Security: support@samarohh.com
Subject: Security Disclosure
Samarohh is a product of Avartana Labs LLP. For enterprise security inquiries, contact us at the email above.