Bepaar ERP

Data Protection & Security

Last Updated: October 28, 2025

Comprehensive Security Disclosure

Our Security Score

95/100

Enterprise-Grade Security

Based on industry-standard security audit criteria

1. Security Measures Implemented

🔐 Encryption

AES-256 encryption for all database backups. SSL/TLS for data transmission.

🔒 Access Control

Multi-layer authentication, session management, and user isolation.

💾 Automated Backups

Daily encrypted backups at 2 AM, 7-day retention, auto-cleanup.

🛡️ File Protection

Secure permissions (0700/0600), triple .htaccess layers.

👤 User Isolation

Separate databases per user, multi-tenant architecture.

📝 Activity Logging

Audit trails for security events, deletion logs, access logs.

2. Data Protection Measures

2.1 Database Security

Storage Location:

  • User databases: storage/app/secure/user_{email}/Files/
  • Outside public web directory (not accessible via URL)
  • Protected by triple .htaccess layers
  • Secure file permissions: 0700 (directories), 0600 (files)

2.2 Backup Security

  • Daily Backups: Automated at 2 AM, encrypted with AES-256
  • Deletion Protection: Auto-backup before company deletion
  • Offsite Backup: Weekly reminder for cloud upload
  • Recovery: Available via secure restore commands

2.3 Network Security

  • HTTPS/SSL for all data transmission
  • Cloudflare CDN protection (DDoS mitigation)
  • Secure session management
  • CSRF protection on all forms

3. Data Breach Response Plan

🚨 In the Event of a Security Breach:

Within 24 Hours:

  • Identify and contain the breach
  • Assess data affected
  • Begin investigation

Within 72 Hours (GDPR Compliance):

  • Notify affected users via email
  • Report to data protection authorities (if required)
  • Provide details of breach and steps taken
  • Offer guidance on protective measures

Ongoing:

  • Conduct full security audit
  • Implement additional safeguards
  • Monitor for further issues
  • Update users on remediation progress

4. Your Responsibilities

⚠️ Important: Shared Responsibility Model

We Protect:

  • Server infrastructure
  • Database security
  • Automated backups
  • Network security

You Must Protect:

  • Your Passwords: Use strong, unique passwords
  • Offsite Backups: Download and upload backups weekly
  • Account Access: Don't share credentials
  • Updates: Keep contact information current
  • Monitoring: Check for unauthorized access
  • Compliance: Consult qualified professionals to ensure your GST/tax compliance

5. Data Deletion and Recovery

5.1 Automatic Deletion Protection

When you delete a company:

  • ✅ Encrypted backup created automatically before deletion
  • ✅ Backup saved to: storage/app/backups/deleted_companies/
  • ✅ Deletion logged (who, when, IP address)
  • ✅ Recoverable via: php artisan db:restore-deleted

5.2 Data Recovery

We can assist with data recovery from:

  • Daily automated backups (last 7 days)
  • Deletion protection backups (permanent)
  • Your offsite backups (if provided)

Recovery Time: Typically 2-5 minutes for recent deletions, up to 24 hours for older backups.

5.3 Permanent Deletion

Data is permanently deleted after:

  • 90 days from account closure (unless legally required to retain)
  • Your explicit request for right to erasure (GDPR)
  • 7 days for daily automated backups (auto-cleanup)

6. Compliance and Certifications

6.1 Standards We Follow

  • ✅ GDPR: General Data Protection Regulation compliant
  • ✅ PCI-DSS: Payment Card Industry Data Security Standard (via payment gateways)
  • ✅ Indian IT Act: Information Technology Act, 2000 compliant
  • ✅ ISO 27001 Principles: Information security management best practices

6.2 Regular Security Audits

We conduct:

  • Monthly security reviews
  • Quarterly vulnerability assessments
  • Annual penetration testing
  • Continuous monitoring for threats

7. Third-Party Security

7.1 Service Providers

We use trusted third-party providers who maintain high security standards:

  • Hostinger: ISO 27001 certified hosting
  • Cloudflare: Enterprise-grade DDoS protection
  • Razorpay: PCI-DSS Level 1 certified payment gateway

7.2 Data Processing Agreements

All third-party processors sign Data Processing Agreements (DPAs) ensuring GDPR compliance.

8. Security Recommendations for Users

🔒 Best Practices:

  • Strong Passwords: Use 12+ characters, mix letters, numbers, symbols
  • Unique Passwords: Don't reuse passwords from other sites
  • Regular Backups: Download offsite backups weekly
  • Monitor Access: Review login history regularly
  • Company Passwords: Set passwords for sensitive companies
  • Logout: Always log out on shared computers
  • Updates: Keep contact information current
  • Suspicious Activity: Report immediately

9. Transparency Report

9.1 Security Incidents (Last 12 Months)

  • Data Breaches: 0
  • Unauthorized Access Attempts: Blocked automatically
  • Data Loss Events: 0 (due to robust backup system)
  • Service Downtime: < 0.1% (99.9% uptime)

9.2 Data Requests (GDPR)

  • Access Requests: Fulfilled within 30 days
  • Deletion Requests: Fulfilled within 30 days
  • Law Enforcement Requests: [Number] (with valid court orders only)

10. Contact Data Protection Officer

For data protection, security concerns, or to exercise your GDPR rights:

  • Company: Ilmorix Technologies Private Limited
  • Product: Bepaarapp ERP System
  • Data Protection Officer: privacy@bepaarapp.com
  • Security Issues: security@bepaarapp.com
  • Privacy Questions: privacy@bepaarapp.com
  • General Support: support@bepaarapp.com
  • Website: www.bepaarapp.com
  • Response Time: Within 48 hours for security issues, 30 days for GDPR requests

Version 1.0 - Enterprise Security Standards

© 2025 Bepaar ERP System. All rights reserved.