Security.
We treat security as a precondition, not a feature. Below is what we do today.
Authentication
- Passwords hashed with scrypt — we never see plaintext.
- HttpOnly, Secure, SameSite=lax session cookies signed with HMAC-SHA256.
- Sessions expire after 30 days of inactivity.
- Brute-force protection on login (rate limited).
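To make the first two points concrete, here is an added illustration (not Sepnexus code, and not taken from this page) of what scrypt password hashing and an HMAC-SHA256 signed, idle-expiring session cookie look like in practice. The scrypt cost parameters, the demo key, the cookie encoding and the 30-day idle window check are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key for the example only; a real deployment loads this
# from a secrets manager and rotates it.
COOKIE_KEY = b"demo-hmac-key-not-for-production"

# Assumed scrypt cost parameters (N, r, p); tune to your hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Session idle timeout: 30 days, matching the policy above.
IDLE_SECONDS = 30 * 24 * 3600


def hash_password(password: str) -> str:
    """Return a self-describing scrypt record: algo$N$r$p$salt$digest.
    Only this record is stored; the plaintext is never written anywhere."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def sign_session(payload: dict, key: bytes = COOKIE_KEY) -> str:
    """Encode the session payload and append an HMAC-SHA256 tag: body.tag"""
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session(cookie: str, key: bytes = COOKIE_KEY, now=None,
                   idle_seconds: int = IDLE_SECONDS):
    """Return the payload if the tag is valid and the session is not idle-expired,
    else None. The tag is checked before the body is parsed."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    now = time.time() if now is None else now
    if now - payload.get("last_seen", 0) > idle_seconds:
        return None
    return payload


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie value with the attributes the policy lists."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    cookie = sign_session({"uid": 42, "last_seen": int(time.time())})
    print(set_cookie_header("session", cookie))
    print(verify_session(cookie))
```

Two details worth noting: both comparisons use hmac.compare_digest so that verification time does not leak how many leading bytes matched, and the cookie carries a last_seen timestamp that the server refreshes on activity, which is what turns "expires after 30 days of inactivity" into an enforceable check rather than a fixed lifetime.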
Transport
- TLS 1.2+ enforced on every endpoint via Traefik.
- HSTS preload-eligible.
- Strict CSP on admin and customer dashboards.
Data
- Postgres on encrypted volumes, daily off-host backups, monthly restore drills.
- No card data on our servers — payments delegated entirely to Razorpay.
- Audit log of admin actions on customer accounts, retained 12 months.
Reporting issues
Found a vulnerability? Please email security@sepnexus.com. We'll acknowledge within 24 hours.
Last updated: 2026-05-10.
