Connexolve BGV ← Back to site
Effective May 2026

Security overview

This document is in draft. The version published here is a working draft. The legally binding version is finalised in your service agreement — please reach out to directors@connexolve.in for the executed copy.

How we protect your data

Connexolve BGV handles personally identifiable data — PAN, Aadhaar, bank details, court records, and Aadhaar photographs. We take this seriously. This page describes the measures currently in place and the certifications we are working towards.

In transit

  • All connections use TLS 1.3 with strong cipher suites (Mozilla "modern" profile)
  • HSTS enabled with 2-year max-age and includeSubDomains
  • Certificate auto-renewing via Let's Encrypt (no expiry gaps)
  • Government API calls (UIDAI, NSDL, GSTN, eCourts) use HTTPS only

At rest

  • Customer passwords stored with bcrypt (cost factor 12)
  • Database access restricted to localhost — not exposed to the public internet
  • Application secrets (API keys, payment credentials) stored outside the web root in a 600-mode file readable only by the PHP process
  • Aadhaar photographs and address proof PDFs stored on disk with restricted permissions; not accessible via direct URL

Infrastructure

  • Hosting in Mumbai, India — data does not leave the country during normal operations
  • Hardened Ubuntu 24.04 LTS, weekly security updates auto-applied
  • UFW firewall blocking all inbound traffic except SSH (key-only), HTTP, and HTTPS
  • SSH on a non-standard port with fail2ban blocking brute-force attempts
  • Daily database backups with 14-day retention

Access control

  • Sessions invalidated on logout and after 24 hours of inactivity
  • Password reset links expire in 30 minutes
  • Identity verification (PAN/GSTIN) mandatory before any verification can be run
  • OTPs required for email and WhatsApp at signup

Compliance

  • Digital Personal Data Protection Act 2023 — we follow the consent, purpose limitation, and data minimisation principles described in our privacy policy.
  • IT Act 2000 & Rules 2011 — we follow "reasonable security practices" for the sensitive personal data we handle.
  • ISO 27001 certification — in progress. We aim to achieve certified status before the end of 2026.
  • SOC 2 Type II — on the roadmap for 2027.

Vulnerability reporting

If you believe you have found a security vulnerability in Connexolve BGV, please email directors@connexolve.in with the subject line "Security report". We will acknowledge receipt within one business day and aim to resolve confirmed issues within 30 days. We commit to:

  • Not pursuing legal action against good-faith security researchers
  • Crediting reporters on a Hall of Fame page (with permission) once we have one

What we are still working on

In the spirit of honesty rather than marketing, the following are on our roadmap but not yet in place:

  • Offsite backups — backups are currently local only. Offsite replication to a separate region is planned.
  • Web Application Firewall (Cloudflare) — planned for deployment.
  • Two-factor authentication for customer accounts — planned for Q3 2026.
  • SOC 2 Type II audit — planned for 2027.

Contact

For security questions, vulnerability reports, or compliance documentation:
directors@connexolve.in