Security & privacy

We build a privacy-auditing product, so our own posture has to hold up. Here’s how we protect your account and your results.

Private by default

Every audit report is private to your account. Nothing you run is shown publicly. A report becomes viewable without login only when you generate an explicit, revocable share link.

Encryption in transit & at rest

All traffic is served over HTTPS with HSTS. Sessions are HttpOnly + Secure cookies; MFA secrets and sensitive tokens are encrypted at rest.

Strong authentication

Argon2id password hashing, email verification, optional TOTP multi-factor authentication, and single-use recovery codes.

Regional data handling

Infrastructure runs in AWS (Mumbai / ap-south-1). We disclose hosting and cross-border processing in our privacy policy.

PDPL & DPDP aligned

As a UAE/India product, we hold ourselves to the same UAE PDPL and India DPDP standards Optix audits for — data-subject rights, retention, and consent.

Security questions, a vulnerability report, or an Enterprise/DPA request? Email security@optifi360.org.