Security
How Pratyaksh defends data, signs evidence and reports incidents. Updated quarterly; the most recent change log is at the bottom.
TLS 1.2+ in transit. AES-256 at rest. PII vault stores SHA-256 hashes only, never raw Aadhaar / PAN.
Indian-region storage and compute. Backups encrypted, India-only.
Forensic-ledger HMAC keys held in a managed HSM (target: a FIPS 140-2 Level 3 service from a CERT-In empaneled auditor's recommended partner); rotation every 90 days with overlapping verification windows.
Every change to cases, claim_lines, fraud_signals, disciplinary_actions, bpa_holds and empanelment lifecycle tables is captured by a database trigger and chained: row_hash = SHA-256(prev_hash || canonical_payload).
Forensic bundles are HMAC-SHA256 signed over the Merkle root of the included events. The verification recipe is shipped in the export response.
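A sketch of how the row-level hash chain and the bundle signature described above fit together, as an added example and not Pratyaksh's own code or its shipped verification recipe. The canonical JSON encoding, the all-zero genesis `prev_hash`, the Merkle tree layout, the sample events and the demo key are all assumptions made for illustration.

```python
import hashlib, hmac, json

GENESIS = b"\x00" * 32  # assumption: prev_hash used for the first row

def canonical(payload):
    # Assumption: canonical form is key-sorted, whitespace-free UTF-8 JSON.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def row_hash(prev_hash, payload):
    # row_hash = SHA-256(prev_hash || canonical_payload), as stated on the page.
    return hashlib.sha256(prev_hash + canonical(payload)).digest()

def build_chain(payloads):
    rows, prev = [], GENESIS
    for p in payloads:
        rows.append({"payload": p, "prev_hash": prev, "row_hash": row_hash(prev, p)})
        prev = rows[-1]["row_hash"]
    return rows

def first_broken_row(rows):
    # Index of the first row whose link or hash fails to verify, else None.
    prev = GENESIS
    for i, r in enumerate(rows):
        if r["prev_hash"] != prev or r["row_hash"] != row_hash(prev, r["payload"]):
            return i
        prev = r["row_hash"]
    return None

def merkle_root(leaves):
    # Assumption: 0x00/0x01 domain-separated leaf and node hashes; an unpaired node is carried up.
    if not leaves:
        raise ValueError("bundle contains no events")
    level = [hashlib.sha256(b"\x00" + leaf).digest() for leaf in leaves]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + a + b).digest() for a, b in zip(level[0::2], level[1::2])]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

def sign_bundle(key, rows):
    return hmac.new(key, merkle_root([r["row_hash"] for r in rows]), hashlib.sha256).digest()

def verify_bundle(key, rows, signature):
    return first_broken_row(rows) is None and hmac.compare_digest(sign_bundle(key, rows), signature)

# Constructed sample events and key (not real data; the real signing key stays in the HSM).
EVENTS = [{"table": "cases", "id": 1}, {"table": "claim_lines", "id": 7},
          {"table": "bpa_holds", "id": 3}]
DEMO_KEY = b"constructed-demo-key"
```

A chain that has been rewritten and rehashed from the edited row onward is internally consistent, so `first_broken_row` alone accepts it; only the keyed signature over the Merkle root distinguishes it from the original bundle.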
Material breaches are reported to CERT-In within 6 hours per CERT-In Directive 20(3)/2022. Affected Data Fiduciaries are notified per DPDP Sec. 8(6).
Containment runbooks: revoke service-role keys, rotate forensic signing key with overlap, isolate Supabase project, freeze cron jobs.
Vulnerability disclosure: security@pratyaksh.gov.in · 90-day coordinated disclosure window.
VAPT by a CERT-In empaneled auditor — quarterly cadence; engagement scoped against the published empanelment list. Reports available to authorised reviewers under NDA.
CERT-In Directive 70(3)/2022 compliance — 180-day log retention, NIC NTP clock sync, 6-hour material-breach reporting to cert-in.org.in, named point of contact on file.
ISO/IEC 27001:2022 — ISMS rolled out; certification audit by NABCB-accredited body after three months of operational evidence.
DPIIT Recognised Startup — operating entity Cognoshift Pvt Ltd holds the recognition, unlocking GFR Rule 173(i) procurement waivers and the GeM Startup Runway pathway.
2026-04-30 · Certifications block rewritten to reflect actual gates (VAPT, Directive 70/2022, ISO 27001, DPIIT). Cognoshift attribution added.
2026-04-30 · Forensic ledger row-level hash chain enabled; pilot mode banner; BPA hold ledger introduced.
2026-04-28 · Forensic export endpoint with Merkle-root + HMAC signature shipped.
2026-04-26 · DB-trigger forensic event capture across all sensitive tables.