Security

How We Protect Your Data

The technical safeguards. The certifications we have. The ones we don’t — yet. Honest, specific, and verifiable.

LAST UPDATED · 21 APRIL 2026

The one-minute summary

What’s true today — in plain language.

  • Every page on this site uses HTTPS with TLS 1.2+ — same level as Indian banks.
  • Your password is hashed with bcrypt. Even we cannot read it.
  • Payments are processed 100 % by Razorpay (PCI-DSS Level 1) — card numbers never touch our servers.
  • Database (Strapi Cloud on AWS) uses encryption at rest.
  • We are not yet SOC 2 / ISO 27001 certified — we’re 500+ students young; formal audits come at scale.
Layer 01

Encryption in transit

Every byte between your browser and our servers
  • TLS 1.2 minimum · TLS 1.3 preferred (industry-standard, same as banks)
  • SSL certificate from Let’s Encrypt, auto-renewed every 90 days by Vercel
  • HTTP Strict Transport Security (HSTS) — browsers refuse to connect unencrypted
  • No “mixed content” — every image, script, font served over HTTPS
Test our TLS score yourself: Run SSL Labs test →
Layer 02

Password security

How we store what you choose
  • Hashed with bcrypt (cost factor 10) — industry-standard one-way hash
  • Plaintext password never stored, never logged, never transmitted after initial POST
  • Minimum 8 characters enforced at sign-up
  • Sessions managed via JWT with 30-day expiry; logout invalidates tokens
  • 2-factor authentication — on our roadmap for Q3 2026
Layer 03

Payment security

The one place a real breach hurts
  • 100 % of card / UPI / netbanking data is handled by Razorpay. Razorpay is PCI-DSS Level 1 certified — the highest tier (same as Visa / Mastercard themselves).
  • We never see your card number, CVV, or OTP. Our servers receive only the transaction ID after successful payment.
  • Razorpay is RBI-regulated and audited quarterly.
  • Transaction signature verified server-side using HMAC-SHA256 — prevents tampering.
  • Refunds issued via Razorpay within 5–7 business days, end-to-end encrypted.
Razorpay’s own security posture: razorpay.com/security →
Layer 04

Data at rest

How your profile lives in the database
  • Database hosted on Strapi Cloud (AWS-backed), encryption at rest (AES-256)
  • Database access restricted to application servers via private VPC — not exposed to the public internet
  • Daily automated backups, 30-day retention
  • Admin panel access requires two-factor auth for all admins
  • All admin actions logged (who accessed what, when)
  • Strapi Cloud infrastructure is operated by a SOC 2 Type II certified provider
Layer 05

Access control & secrets management

Who can see what
  • Admin access to student data limited to 2 named team members
  • Role-based access: Finance can see payments but not class recordings; Trainers can see batches but not other admins’ notes
  • API tokens stored as Vercel environment variables, never committed to source code
  • Tokens rotatable at any time; old tokens revoked immediately upon suspicion
  • GitHub repo access restricted to founder + development partner
  • No shared credentials. No “admin / admin123” anywhere in our stack.
Layer 06

Secure development practices

The code layer
  • OWASP Top-10 hardening: parameterised queries, strict CORS, CSRF tokens, input validation via Zod schemas
  • No secrets in code — environment variables only
  • Dependency vulnerabilities monitored via GitHub Dependabot; critical patches applied within 48 hours
  • Next.js framework kept within 2 patch versions of latest (currently 14.2.35 — Dec 2025 security patches applied)
  • Code reviewed before merging to main; no unreviewed deploys to production
  • No third-party scripts on payment or registration pages (except Razorpay itself)
Layer 07

Infrastructure partners

Who else holds our edges
  • Vercel (website hosting + CDN) — SOC 2 Type II, ISO 27001, GDPR-ready. DDoS mitigation at edge.
  • Strapi Cloud (database) — SOC 2 certified infrastructure partner, EU region
  • Razorpay (payments) — PCI-DSS Level 1, RBI-regulated
  • GoDaddy / GoDaddy DNS (domain) — DNSSEC-capable
  • No self-hosted databases or servers. No raspberry-pi in someone’s basement.
Honest Assessment

What we DON’T have yet

We believe in honest marketing — especially on security. Here’s what a larger organisation would have that we don’t:

  • SOC 2 Type II certification
    A formal 6–12 month audit by a third-party CPA firm. Costs ~₹25L+ per year. We plan to pursue this when we cross 5,000 active students.
  • ISO 27001 certification
    International information-security standard. Similar cost, similar timeline. On our roadmap for FY 2027.
  • Formal penetration test
    An outside firm trying to break in. We intend to commission one before our 1,000th student enrolment.
  • Public bug bounty programme
    Not yet. For now, responsible disclosure reports go to security@healersmeet.com and we respond within 48 hours.
  • 24/7 security operations centre
    Overkill at our scale. Our alerting covers the vectors that matter (auth failures, unusual admin access, infrastructure incidents).

Bottom line: we’re beyond “weekend workshop with a Gmail form” and not yet at “enterprise SaaS with ₹5 crore compliance budget.” We’re in the careful middle — using regulated, certified partners for the hard parts (payments, hosting, auth) and being transparent about the rest.

Layer 08

Found a security issue?

Responsible disclosure
  • Email security@healersmeet.com with details — we respond within 48 hours.
  • Include: affected URL, reproduction steps, expected vs. actual behaviour, your contact info.
  • We will NOT pursue legal action against researchers acting in good faith under responsible-disclosure norms.
  • Critical issues: we’ll acknowledge within 24 hours and keep you updated through resolution.
  • Hall of fame: researchers who help us are publicly acknowledged (with permission) on this page.

Questions we haven’t answered?

Security is a conversation, not a certificate. If you have a specific question — technical, procedural, or philosophical — write to support@healersmeet.com with “Security” in the subject line and we’ll get back to you in detail.

For privacy questions (what we collect, how we share it, your rights), see our Privacy Policy.

Last updated 21 April 2026 · Decode Life Transformation