Infrastructure
We host on Amazon Web Services in the Mumbai region (ap-south-1).
No customer data leaves Indian jurisdiction.
Specifically:
- Application servers: ECS Fargate with auto-scaling
- Database: RDS MySQL with encrypted storage and Multi-AZ standby
- File storage: S3 buckets with bucket-level encryption (SSE-KMS) and versioning enabled
- CDN: CloudFront for static assets (your data doesn't go through CDN — only marketing pages, JS bundles, etc.)
- DNS: Route 53 with DNSSEC enabled
Encryption
In transit
All connections to BizlumoAI use TLS 1.3 where the client supports it; TLS 1.2 is the minimum we accept, with modern cipher suites only. HTTP requests are redirected to HTTPS. HSTS is enabled with a 1-year max-age. Our certificates are issued by AWS Certificate Manager (ACM) and rotated automatically.
At rest
Database encrypted with AES-256 using AWS KMS-managed keys. S3 buckets use SSE-KMS encryption. Backups are encrypted before being written to backup storage.
Application-level encryption
Sensitive fields (Aadhaar last-4, PAN, bank account number) are additionally encrypted at the application layer using a separate key, so even a database breach wouldn't expose them in plaintext.
Access control
Customer side
- Strong password requirements (min 12 chars, must include letters + numbers)
- Bcrypt password hashing (cost factor 12)
- Session tokens are JWT with 24-hour expiry, stored as HttpOnly+Secure+SameSite=Strict cookies
- Granular role-based access control — HR sees payroll, department heads see only their team, finance gets reports without people-data
Internal access
- BizlumoAI employees access infrastructure via SSH with hardware security keys (YubiKeys)
- No shared accounts. No password-based SSH.
- Customer data access is logged. Engineers can only view a customer's data with explicit support ticket reference.
- "Log in as customer" impersonation feature (currently being built) will require the customer's explicit consent and create an audit log entry visible to the customer
Face data — how it works
We never store raw face images on our servers. Here's the flow:
- Employee stands in front of the kiosk tablet
- Camera captures face image (stays on device)
- On-device ML model converts image to a 128-dimension numerical embedding (a face "fingerprint")
- Only the embedding is transmitted to our servers (over TLS 1.3)
- Original image is discarded immediately
- Embedding is stored with AES-256 encryption
The embedding is a one-way hash. There's no mathematical way to reverse it back into a face image. If our database were ever compromised, attackers would have a list of meaningless 128-number vectors — they couldn't reconstruct your employees' faces.
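The server side of the flow above, as an added example that is not BizlumoAI's code: the kiosk request is accepted only if it carries exactly a 128-number embedding (any other field, such as an image, is rejected before anything is stored), and recognition is a cosine-similarity comparison against enrolled embeddings. The match threshold, the payload schema and the constructed embeddings are assumptions; a real threshold is specific to the model used.

```python
import math
import random
from typing import Dict, List, Optional

EMBEDDING_DIM = 128      # dimension stated on the page
MATCH_THRESHOLD = 0.90   # assumed cosine-similarity threshold; model-specific in practice


class RejectedPayload(ValueError):
    """Raised for any kiosk payload that is not exactly one 128-number embedding."""


def validate_kiosk_payload(payload: dict) -> List[float]:
    # Strict allow-list of fields: a payload that also carried an image is refused.
    if set(payload) != {"embedding"}:
        raise RejectedPayload("payload must contain only 'embedding'")
    emb = payload["embedding"]
    if not isinstance(emb, list) or len(emb) != EMBEDDING_DIM:
        raise RejectedPayload(f"embedding must have {EMBEDDING_DIM} entries")
    if not all(isinstance(x, (int, float)) and not isinstance(x, bool) for x in emb):
        raise RejectedPayload("embedding entries must be numbers")
    return [float(x) for x in emb]


def cosine_similarity(a: List[float], b: List[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def recognise(probe: List[float], enrolled: Dict[str, List[float]]) -> Optional[str]:
    """Return the employee id of the closest enrolled embedding, or None below threshold."""
    best_id, best_score = None, -1.0
    for emp_id, stored in enrolled.items():
        score = cosine_similarity(probe, stored)
        if score > best_score:
            best_id, best_score = emp_id, score
    return best_id if best_score >= MATCH_THRESHOLD else None


# Constructed embeddings for illustration only (no face model involved).
def constructed_embedding(seed: int) -> List[float]:
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(EMBEDDING_DIM)]


def perturbed(vec: List[float], seed: int, scale: float = 0.1) -> List[float]:
    """Same embedding with small noise, standing in for a second capture of the same person."""
    rng = random.Random(seed)
    return [x + scale * rng.gauss(0.0, 1.0) for x in vec]


def handle_kiosk_request(payload: dict, enrolled: Dict[str, List[float]]) -> Optional[str]:
    probe = validate_kiosk_payload(payload)
    return recognise(probe, enrolled)
```

Independent 128-dimensional vectors have a cosine similarity close to zero, so an unenrolled probe falls well below the threshold; a second capture of an enrolled person, modelled here as the same vector plus small noise, scores close to 1.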
Liveness detection runs at recognition time to prevent photo/video spoofing — you can't fool the kiosk by holding up a phone screen with someone's photo.
Payments
All payments are processed through Razorpay, which is PCI-DSS Level 1 certified. We never see your card data — Razorpay handles tokenisation and we only receive a payment status callback.
We store the Razorpay subscription ID and the last 4 digits of your card (for display purposes only). No CVV, no full card number, no expiry date.
Monitoring & alerting
- Application errors: Sentry alerts to engineering on-call within 60 seconds
- Infrastructure metrics: CloudWatch with PagerDuty escalation
- Database query anomalies: alert on unusual access patterns (e.g. sudden export of large data volumes)
- Failed login attempts: alert after 5 failures from same IP in 10 minutes; auto-block after 20 in an hour
- Audit logs of admin actions (60-day retention on Enterprise plan)
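The failed-login rule above (alert after 5 failures from one IP in 10 minutes, block after 20 in an hour), run over constructed log lines as an added example. This is not BizlumoAI's monitoring code; the log format, the alert rate-limiting and the block duration (one hour, assumed) are choices made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

ALERT_THRESHOLD, ALERT_WINDOW = 5, timedelta(minutes=10)
BLOCK_THRESHOLD, BLOCK_WINDOW = 20, timedelta(hours=1)

# Assumed log format: "<iso-timestamp> auth result=<ok|fail> ip=<addr> user=<name>"
LINE_RE = re.compile(r"^(\S+) auth result=(\w+) ip=(\S+) user=(\S+)$")


class LoginMonitor:
    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.last_alert: Dict[str, datetime] = {}
        self.blocked_at: Dict[str, datetime] = {}

    def observe(self, line: str) -> List[str]:
        """Process one log line; return the events it triggers (may be empty)."""
        m = LINE_RE.match(line)
        if not m:
            return ["unparsed"]
        ts = datetime.fromisoformat(m.group(1))
        result, ip = m.group(2), m.group(3)

        # A blocked IP stays blocked for BLOCK_WINDOW (assumed duration).
        if ip in self.blocked_at:
            if ts - self.blocked_at[ip] < BLOCK_WINDOW:
                return ["blocked"]
            del self.blocked_at[ip]
            self.failures[ip].clear()

        if result != "fail":
            return []

        window = self.failures[ip]
        window.append(ts)
        # Keep only the last hour of failures; the 10-minute count is derived from it.
        while window and ts - window[0] >= BLOCK_WINDOW:
            window.popleft()
        recent = sum(1 for t in window if ts - t < ALERT_WINDOW)

        events: List[str] = []
        last = self.last_alert.get(ip)
        # Alert once the 10-minute count reaches 5; repeat at most once per window.
        if recent >= ALERT_THRESHOLD and (last is None or ts - last >= ALERT_WINDOW):
            self.last_alert[ip] = ts
            events.append("alert")
        if len(window) >= BLOCK_THRESHOLD:
            self.blocked_at[ip] = ts
            events.append("block")
        return events


def run(lines: List[str]) -> List[Tuple[int, str]]:
    """Replay lines in order; return (line index, event) pairs."""
    mon = LoginMonitor()
    out: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        for ev in mon.observe(line):
            out.append((i, ev))
    return out


# Constructed sample: 20 failures one minute apart from one address, then one more attempt.
BASE = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE_LINES = [
    f"{(BASE + timedelta(minutes=i)).isoformat()} auth result=fail ip=203.0.113.7 user=hr.admin"
    for i in range(20)
] + [f"{(BASE + timedelta(minutes=20)).isoformat()} auth result=ok ip=203.0.113.7 user=hr.admin"]
```

Replaying `SAMPLE_LINES` produces an alert at the 5th failure, a second alert ten minutes later when the address is still failing, a block at the 20th failure, and a `blocked` event for the attempt that follows, even though that attempt used the correct password.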
Backups & disaster recovery
- Database: automated daily encrypted backups, 30-day retention
- Point-in-time recovery: any state in the last 7 days can be restored
- S3 buckets: versioning enabled with 90-day retention of overwritten/deleted objects
- Cross-AZ failover: database hot standby in second availability zone
- Disaster recovery target: RPO 24 hours, RTO 4 hours
- Quarterly restore-from-backup drills to verify recovery procedures
Incident response
If a security incident occurs that affects customer data, we will:
- Investigate and contain within 24 hours
- Notify affected customers within 72 hours via email (per DPDP Act 2023 requirements)
- File required notifications with the Data Protection Board of India
- Publish a public post-mortem within 30 days, including timeline, root cause, and corrective actions
Subscribe to security notifications by emailing security-list@bizlumoai.com with subject "subscribe". You'll get notified of any security advisory we publish (we hope this list stays empty).
Compliance & certifications
- Digital Personal Data Protection Act 2023 (India): compliant. Data Protection Officer designated. Data localised in India.
- Information Technology Act 2000 (India): compliant with reasonable security practices under Section 43A.
- GST: GSTIN [REPLACE: GSTIN]. All invoices issued per GST regulations (HSN 998314).
We're a young company. We don't have certifications that take 18+ months to achieve. We do have the underlying controls in place; certifications will follow as we scale.
Responsible disclosure
Found a security vulnerability? Report it to security@bizlumoai.com. We commit to:
- Acknowledging your report within 48 hours
- Triaging within 5 business days
- Patching critical issues within 7 days
- Crediting you publicly (if you wish) once the fix is deployed
We don't have a bug bounty program yet, but we offer monetary rewards for valid critical/high severity findings on a case-by-case basis (typical range ₹10,000–₹1,00,000 depending on severity and report quality).
Out of scope
- Marketing site (this site) — only the application matters
- Theoretical issues without practical exploit
- Issues requiring physical access to victim's device
- Social engineering of BizlumoAI employees
- DoS/DDoS — please don't
Need a copy of this page as a PDF for vendor security review? Email security@bizlumoai.com — we'll send a signed PDF version with our security questionnaire.