Security

Security at QuickAuth

Effective Date: May 28, 2026Audit Cycle: Annual SOC 2 Type IIHosting: AWS Mumbai (ap-south-1)
We treat the security of your customers' phone numbers, OTPs, and authentication state as a first-order constraint. This page summarises our security posture. Detailed control evidence — SOC 2 reports, penetration-test summaries, sub-processor lists — is available under NDA on request to contact@quickauth.in.
Section 01

Standards & Certifications

  • SOC 2 Type II — annual audit covering security, availability, and confidentiality. Report available under NDA.
  • DPDP Act 2023 (India) — compliant data handling and rights workflows; see our Privacy Policy.
  • ISO 27001 alignment for information-security controls.
  • India-resident infrastructure on AWS Mumbai (ap-south-1) — no cross-border data transfer by default.

Section 02

Data Protection

At rest
  • Phone numbers are hashed at rest with a per-tenant salt.
  • OTPs are wiped from storage 5 minutes after verification.
  • Database backups are encrypted with AWS KMS; access requires hardware MFA.
In transit
  • All traffic uses TLS 1.2+ with HSTS preload enabled on customer-facing endpoints.
  • Internal service-to-service traffic stays within the VPC and is mutually authenticated.
We do not retain message content beyond what's required for delivery acknowledgement. OTP values themselves are never persisted in plaintext.

Section 03

Infrastructure Hardening

  • Production VPCs are isolated from corporate networks; engineer access requires SSO + Tailscale.
  • All deploys are versioned and audit-logged; rollback is one command.
  • Secrets are stored in AWS Secrets Manager — no plaintext credentials in code or env files.
  • Continuous dependency scanning via Dependabot + weekly SCA review.
  • WAF + rate limiting on every public endpoint; per-IP and per-merchant quotas.

Section 04

Reporting a Vulnerability

If you've found a vulnerability, please email contact@quickauth.in with reproduction steps. We acknowledge reports within 24 hours and aim to remediate critical issues within 7 days.

We do not currently run a paid bug-bounty program but we publish acknowledgements with researcher consent. Please don't publicly disclose issues until we've confirmed remediation.


Section 05

Compliance Documents


Section 06

Contact

Security Team

Vulnerability reports: contact@quickauth.in
Trust & compliance: contact@quickauth.in
Privacy & data requests: contact@quickauth.in