Security Policy

Last updated:

1. Our Commitment to Security

At Mahakalp, security is at the core of everything we do. We understand that you are trusting us with your valuable source code and intellectual property. This document outlines our comprehensive security practices and measures to protect your data.

2. Data Encryption

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using:

  • TLS 1.3 (Transport Layer Security)
  • HTTPS for all web traffic
  • Strong cipher suites with forward secrecy
  • HSTS (HTTP Strict Transport Security) enforcement

Encryption at Rest

Your data is encrypted when stored using:

  • AES-256 encryption for database storage
  • Encrypted file systems for code repositories
  • Separate encryption keys per customer
  • Regular key rotation policies

3. Authentication and Access Control

User Authentication

  • Industry-standard password hashing (bcrypt with salt)
  • Multi-factor authentication (MFA) support
  • OAuth 2.0 integration with GitHub
  • Session management with secure cookies
  • Automatic session timeout after inactivity
  • Account lockout after failed login attempts

Access Controls

  • Role-Based Access Control (RBAC) for team features
  • Principle of least privilege for all systems
  • Row-Level Security (RLS) in the database
  • API key rotation and management
  • Granular permissions for repository access

4. Infrastructure Security

Cloud Infrastructure

Our infrastructure is hosted on enterprise-grade cloud platforms:

  • SOC 2 Type II certified providers
  • Geographic redundancy and failover
  • DDoS protection and mitigation
  • Network isolation and segmentation
  • Web Application Firewall (WAF)
  • Intrusion Detection and Prevention Systems (IDS/IPS)

Database Security

  • Automated backups with encryption
  • Point-in-time recovery capability
  • Database access logs and monitoring
  • Query auditing and anomaly detection
  • Isolated database instances per environment

5. Application Security

Secure Development Practices

  • Security-first development lifecycle
  • Code review requirements for all changes
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability scanning
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)

Security Controls

  • Input validation and sanitization
  • Protection against OWASP Top 10 vulnerabilities
  • XSS (Cross-Site Scripting) prevention
  • CSRF (Cross-Site Request Forgery) tokens
  • SQL injection prevention through parameterized queries
  • Content Security Policy (CSP) headers
  • Rate limiting and request throttling

6. Code Repository Security

Special measures for protecting your source code:

  • Isolated storage per customer
  • Access only through authenticated APIs
  • No shared access between users or organizations
  • Secure deletion when repositories are removed
  • Audit logs for all code access events
  • Encrypted vector embeddings for semantic search

7. Monitoring and Incident Response

Security Monitoring

  • 24/7 automated security monitoring
  • Real-time alerting for suspicious activity
  • Log aggregation and analysis
  • Anomaly detection using machine learning
  • Regular security audits and assessments

Incident Response

  • Dedicated incident response team
  • Documented incident response procedures
  • Rapid containment and remediation protocols
  • Post-incident analysis and improvement
  • Transparent communication with affected users

8. Compliance and Certifications

We maintain compliance with industry standards and regulations:

  • Information Technology Act, 2000 (India)
  • IT (Reasonable Security Practices) Rules, 2011
  • PCI-DSS compliance for payment processing
  • GDPR readiness for European customers
  • Regular third-party security assessments

9. Employee Security

  • Background checks for all employees
  • Regular security awareness training
  • Signed confidentiality agreements
  • Strict access controls based on job function
  • Immediate access revocation upon termination
  • Security-first culture and practices

10. Third-Party Security

All third-party services we use are carefully vetted:

  • Security assessment of all vendors
  • Data Processing Agreements (DPAs) in place
  • Regular vendor security reviews
  • Compliance verification for critical services
  • Minimal data sharing with third parties

11. Business Continuity

  • Automated daily backups
  • Multi-region data replication
  • Disaster recovery plan with RTO/RPO targets
  • Regular disaster recovery testing
  • 99.9% uptime SLA for paid plans

12. Responsible Disclosure

We welcome security researchers and encourage responsible disclosure of vulnerabilities:

  • Dedicated security contact email
  • Acknowledgment within 24 hours
  • Regular updates during investigation
  • Public acknowledgment for responsible disclosure
  • No legal action against good-faith security research

To report a security vulnerability, please email us at security@mahakalp.dev.

13. Security Best Practices for Users

We recommend that users follow these security best practices:

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Regularly review connected repositories
  • Monitor your account activity
  • Keep your OAuth tokens secure
  • Report suspicious activity immediately
  • Use the latest version of supported browsers

14. Security Updates

We continuously improve our security posture:

  • Regular security patch management
  • Proactive vulnerability assessment
  • Continuous security improvements
  • Annual penetration testing
  • Security policy reviews and updates

This Security Policy will be updated as we implement new security measures. Material changes will be communicated to users via email.

15. Contact Security Team

For security concerns, questions, or to report vulnerabilities:

  • Email: security@mahakalp.dev
  • Response time: Within 24 hours for security issues
  • Escalation available for critical vulnerabilities