
Security

Your security is our top priority. We protect your data with enterprise-grade measures at every layer.

HIPAA Compliant · AES-256 Encryption · TLS 1.3 · SOC 2
Security Features

Enterprise-Grade Security

Built with industry best practices and modern security standards

Password Protection

  • bcrypt hashing with a cost factor of 12 (2^12 key-stretching rounds)
  • Password complexity requirements
  • Minimum 8 characters
  • Never stored in plain text

Secure Sessions

  • HTTP-only cookies
  • Secure flag in production
  • SameSite protection
  • 30-day auto-expiration
  • Remote logout capability
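As an added example (not the site's own code), the list above expressed as a Set-Cookie header and a small audit of it in Python. The cookie name `sid`, the `production` switch and the `audit_set_cookie` helper are assumptions for illustration; the 30-day lifetime and the HttpOnly, Secure and SameSite attributes are the ones stated in the list.

```python
from http.cookies import SimpleCookie

SESSION_MAX_AGE = 30 * 24 * 60 * 60   # 30 days, the auto-expiration stated above
COOKIE_NAME = "sid"                    # assumed cookie name


def session_cookie(session_id: str, production: bool) -> str:
    """Return the Set-Cookie header value for the session cookie."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_id
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True          # document.cookie cannot read it
    morsel["samesite"] = "Lax"         # browser withholds it on cross-site POSTs
    morsel["max-age"] = SESSION_MAX_AGE
    morsel["path"] = "/"
    if production:
        morsel["secure"] = True        # sent over HTTPS only
    return morsel.OutputString()


def audit_set_cookie(header: str, production: bool) -> list:
    """Check a Set-Cookie header against the policy above; returns a list of findings."""
    attrs = {}
    for part in header.split(";")[1:]:          # skip the name=value pair itself
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite missing or None")
    if production and "secure" not in attrs:
        findings.append("missing Secure")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no expiry")
    elif "max-age" in attrs and int(attrs["max-age"]) > SESSION_MAX_AGE:
        findings.append("Max-Age longer than 30 days")
    return findings


if __name__ == "__main__":
    prod = session_cookie("abc123", production=True)
    print(prod)
    print(audit_set_cookie(prod, production=True))
    # Constructed bad header: a bare session cookie with none of the protections
    print(audit_set_cookie("sid=abc123; Path=/", production=True))
```

Run `audit_set_cookie` against the actual `Set-Cookie` header returned by the login endpoint of a deployed environment: an environment-dependent flag such as Secure is exactly the kind of setting that is correct in one configuration and silently absent in another.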

Token Management

  • One-time use tokens
  • Short expiration (5–60 mins)
  • Cryptographically secure generation
  • Automatic cleanup
  • Magic links (15 min expiry)
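As an added example (not the site's own code), a minimal magic-link token store in Python showing the properties listed above: tokens come from the operating system's CSPRNG via `secrets`, only a hash is stored so a database leak does not yield usable links, every token is single-use, redemption fails after the 15-minute expiry, and spent or expired rows are cleaned up. The `TokenStore` class, the in-memory dict standing in for the database table, and the injectable `clock` are assumptions for illustration.

```python
import hashlib
import secrets
import time

MAGIC_LINK_TTL = 15 * 60  # seconds; the 15-minute magic-link expiry from the list above


class TokenStore:
    """Issue and redeem one-time tokens. Only SHA-256 digests are stored (assumed schema)."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be exercised in tests
        self._rows = {}               # digest -> [user_id, expires_at, used]

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, ttl: int = MAGIC_LINK_TTL) -> str:
        # 32 bytes from the OS CSPRNG, URL-safe base64 (43 chars); this goes into the emailed link
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = [user_id, self._clock() + ttl, False]
        return token

    def redeem(self, token: str):
        """Return the user_id for a valid token, or None if unknown, expired or already used."""
        # The lookup key is the digest, so the raw token is never held or compared server-side
        row = self._rows.get(self._digest(token))
        if row is None:
            return None
        user_id, expires_at, used = row
        if used or self._clock() > expires_at:
            return None
        row[2] = True                 # burn it: a second redemption must fail
        return user_id

    def cleanup(self) -> int:
        """Delete used or expired rows; returns how many were removed."""
        now = self._clock()
        stale = [d for d, (_, exp, used) in self._rows.items() if used or exp < now]
        for d in stale:
            del self._rows[d]
        return len(stale)


def demo():
    """Walk tokens through issue, redeem, reuse and expiry with a fake clock."""
    now = [1_000.0]
    store = TokenStore(clock=lambda: now[0])
    t1 = store.issue("alice")
    first = store.redeem(t1)          # "alice"
    second = store.redeem(t1)         # None: single use
    t2 = store.issue("bob")
    now[0] += MAGIC_LINK_TTL + 1
    late = store.redeem(t2)           # None: expired
    removed = store.cleanup()         # 2 rows gone (one used, one expired)
    return first, second, late, removed


if __name__ == "__main__":
    print(demo())
```

Marking the row used before returning, rather than deleting it, keeps an audit trail of redemptions until `cleanup` runs; the store never learns the token itself, so an attacker who reads the table still cannot build a working link.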

Data Protection

  • Encrypted database connections
  • Secure file storage (MinIO)
  • Payment data via Razorpay
  • Regular backups
  • AES-256 encryption at rest

Activity Monitoring

  • Comprehensive audit logs
  • IP address tracking
  • Device identification
  • Login history
  • Admin action tracking

Access Control

  • Role-based permissions
  • Hierarchical admin roles
  • Plan-based feature access
  • Dynamic access lists
  • Granular permissions

Best Practices

How We Maintain a Secure Environment

Regular Security Audits

We perform regular security audits and code reviews to identify and fix potential vulnerabilities.

Dependency Updates

We keep all dependencies up to date with the latest security patches and updates.

HTTPS Everywhere

All connections are encrypted using TLS 1.3. We enforce HTTPS in all production environments.

CSRF Protection

Cross-Site Request Forgery protection is implemented for all state-changing operations.

Rate Limiting

Login attempts and API calls are rate-limited to prevent brute force attacks and abuse.
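As an added example (not the site's own code), a sliding-window login limiter in Python keyed on both the source IP and the target account, replayed over constructed login events. Limiting on the account as well as the IP is what stops an attacker who rotates addresses against one victim; the thresholds, the `LoginLimiter` class and the sample events are assumptions for illustration, not the site's published limits.

```python
import time
from collections import defaultdict, deque

# Thresholds are assumptions for illustration, not the site's published limits.
WINDOW = 5 * 60           # seconds of failure history kept per key
MAX_PER_IP = 20           # failed logins per source IP within the window
MAX_PER_ACCOUNT = 5       # failed logins per target account within the window


class LoginLimiter:
    """Sliding-window limiter on two keys: the client IP and the account being attacked."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_ip = defaultdict(deque)        # ip -> timestamps of failures
        self._by_account = defaultdict(deque)   # account -> timestamps of failures

    def _prune(self, dq, now):
        while dq and dq[0] <= now - WINDOW:
            dq.popleft()

    def allow(self, ip: str, account: str) -> bool:
        now = self._clock()
        self._prune(self._by_ip[ip], now)
        self._prune(self._by_account[account], now)
        return (len(self._by_ip[ip]) < MAX_PER_IP
                and len(self._by_account[account]) < MAX_PER_ACCOUNT)

    def record_failure(self, ip: str, account: str) -> None:
        now = self._clock()
        self._by_ip[ip].append(now)
        self._by_account[account].append(now)

    def record_success(self, ip: str, account: str) -> None:
        # A legitimate login clears the per-account counter; per-IP history is kept
        self._by_account[account].clear()


def replay(events):
    """Run constructed login events (t, ip, account, password_ok) through the limiter."""
    now = [0.0]
    limiter = LoginLimiter(clock=lambda: now[0])
    decisions = []
    for t, ip, account, password_ok in events:
        now[0] = float(t)
        if not limiter.allow(ip, account):
            decisions.append("blocked")      # rejected before the password is even checked
        elif password_ok:
            limiter.record_success(ip, account)
            decisions.append("login")
        else:
            limiter.record_failure(ip, account)
            decisions.append("failed")
    return decisions


# Constructed sample: one IP guesses at alice six times, then has the real password
BRUTE_FORCE = [(t, "203.0.113.5", "alice", False) for t in range(0, 60, 10)] + [
    (60, "203.0.113.5", "alice", True),    # still inside the window: blocked anyway
    (400, "203.0.113.5", "alice", True),   # window has slid past the failures: allowed
]

# Constructed sample: attacker rotates source IPs against one account
ROTATING_IPS = [(t, f"198.51.100.{t}", "bob", False) for t in range(1, 7)]

if __name__ == "__main__":
    print(replay(BRUTE_FORCE))
    print(replay(ROTATING_IPS))
```

Note that a correct password presented while the account is locked is still rejected; the limiter answers before the credential check runs, so it also bounds the work spent on bcrypt verification.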

Input Validation

All user inputs are validated and sanitized to prevent injection attacks and XSS vulnerabilities.
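As an added example (not the site's own code), the two halves of that sentence in Python against a constructed SQLite table: an allow-list validator for email input, a string-formatted query beside its parameterised form so the effect of a classic `' OR '1'='1` payload is visible, and HTML encoding at the output sink, which is the control that actually stops stored XSS once a payload is already in the database. Table, sample rows and function names are assumptions for illustration.

```python
import html
import re
import sqlite3

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value: str) -> bool:
    """Allow-list validation: reject anything not shaped like an address."""
    return bool(EMAIL_RE.fullmatch(value))


def make_db():
    # Constructed in-memory table; the second display name is a stored-XSS payload
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users (email, display_name) VALUES (?, ?)", [
        ("alice@example.com", "Alice"),
        ("bob@example.com", 'Bob <img src=x onerror="alert(1)">'),
    ])
    return conn


def find_emails_vulnerable(conn, email: str):
    # Attacker text is spliced into the SQL grammar; a quote ends the literal early
    return [r[0] for r in conn.execute(
        f"SELECT email FROM users WHERE email = '{email}' ORDER BY id")]


def find_emails_safe(conn, email: str):
    # Bound parameter: the value travels separately from the statement and can only be data
    return [r[0] for r in conn.execute(
        "SELECT email FROM users WHERE email = ? ORDER BY id", (email,))]


def render_name(display_name: str) -> str:
    # Encoding at the HTML sink is the XSS control; input validation alone is not enough
    return f'<span class="name">{html.escape(display_name, quote=True)}</span>'


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(validate_email(payload))                    # False: never reaches the query
    print(find_emails_vulnerable(conn, payload))      # every row leaks
    print(find_emails_safe(conn, payload))            # nothing matches
    name = conn.execute("SELECT display_name FROM users WHERE id = 2").fetchone()[0]
    print(render_name(name))                          # tag is inert text
```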

OAuth Security

Secure Third-Party Authentication

Account Linking Protection

When an OAuth identity (Google, GitHub, Microsoft) is linked to an existing email-based account, we first verify that the user controls that email address; without this step, an attacker who registers an OAuth identity carrying a victim's address could take over the victim's account. OAuth tokens are encrypted and stored securely.

State Parameter Verification

We use state parameters in OAuth flows to prevent CSRF attacks during the authentication process. All OAuth callbacks are validated before processing.
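As an added example (not the site's own code), the state handling for the flow described above in Python: a fresh random state is stored in the server-side session when the redirect is built, and the callback is accepted only if its state matches in constant time, is consumed on first use, and has not outlived a short expiry. The same pattern (a per-session random nonce, compared in constant time and spent on use) is what the CSRF Protection section relies on for ordinary state-changing requests; here it is shown for the OAuth leg. The provider URLs, the 10-minute `STATE_TTL` and the plain `dict` session are assumptions for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

STATE_TTL = 10 * 60   # seconds a pending authorization may stay open (assumed)


def begin_oauth(session: dict, authorize_url: str, client_id: str, redirect_uri: str,
                clock=time.time) -> str:
    """Store a fresh state in the server-side session and build the provider redirect URL."""
    state = secrets.token_urlsafe(32)             # unguessable, one per login attempt
    session["oauth_state"] = state
    session["oauth_state_issued"] = clock()
    return authorize_url + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
    })


def handle_callback(session: dict, callback_url: str, clock=time.time):
    """Return the authorization code if the callback belongs to this session, else None."""
    params = parse_qs(urlparse(callback_url).query)
    # pop, not get: whatever happens next, this state can never be accepted again
    expected = session.pop("oauth_state", None)
    issued = session.pop("oauth_state_issued", 0.0)
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return None                               # forged or missing state: likely CSRF
    if clock() - issued > STATE_TTL:
        return None                               # the user left the provider page open too long
    if "error" in params or not params.get("code"):
        return None                               # provider-side denial, nothing to exchange
    return params["code"][0]


def state_from_url(url: str) -> str:
    """Demo helper: read back the state we placed in the redirect URL."""
    return parse_qs(urlparse(url).query)["state"][0]


if __name__ == "__main__":
    session = {}
    url = begin_oauth(session, "https://accounts.example.com/authorize", "client-123",
                      "https://app.example.com/oauth/callback")
    cb = f"https://app.example.com/oauth/callback?code=AUTHCODE&state={state_from_url(url)}"
    print(handle_callback(session, cb))           # AUTHCODE
    print(handle_callback(session, cb))           # None: state already consumed
```

The code is only the first half of the exchange; the token request that follows must still send the same `redirect_uri`, and the received tokens belong in encrypted storage as the next section describes.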

Secure Token Storage

OAuth access and refresh tokens are encrypted and stored securely in the database. Tokens are never exposed to the frontend or logs.

Found a Security Issue?

We take security seriously. If you discover a vulnerability, please report it immediately — we'll respond within 24 hours.

Security Contact

security@carebow.in

Or use our contact form