1. Infrastructure Security
- Hosting: Supabase (PostgreSQL with Row Level Security) on enterprise-grade cloud infrastructure
- Encryption at rest: Industry standard encryption for all stored data
- Encryption in transit: TLS 1.2+ enforced for all connections — no unencrypted data transfer
- Authentication: JWT-based sessions via Supabase Auth with secure cookie handling
- Multi-tenant isolation: Row Level Security (RLS) on all data tables — one organization cannot access another's data
2. Access Control
- Role-based access: Owner and Member roles per organization workspace
- Platform Admin role for WebOrigin operations — completely separate from client access
- Critical admin actions are logged for security auditing
- Session expiry with secure cookie handling and automatic logout
- Password reset via verified email flow only — no SMS OTP fallback
- API keys and service credentials stored server-side only — never in frontend bundles
3. Data Isolation
Each organization's data is completely isolated:
- Separate RLS policies per tenant on all database tables
- No cross-tenant data queries possible at the application level
- Knowledge Base content cannot be accessed by other institutes' AI
- WhatsApp credentials are stored per-workspace and never shared across accounts
- Each workspace has its own scoped data context — no shared pools
4. Security Practices
- Regular dependency updates and security patching
- Environment variable management — no secrets committed to source code
- Webhook signature verification for WhatsApp (HMAC-SHA256) on all incoming webhooks
- Input validation and sanitisation on all API endpoints
- Rate limiting implemented on critical public-facing APIs
- Debug routes and development tools disabled in production environments
- Zero-trust architecture mindset — all requests validated server-side
5. Incident Response
In the event of a security incident:
- Notification: We will notify affected users within 72 hours of becoming aware of an incident (per DPDP Act requirements)
- Transparency: We will describe the nature of the incident, data affected, and actions taken
- Guidance: We will provide guidance on protective steps for affected users
- Remediation: We will immediately patch the vulnerability and implement additional controls
Security Contact: contact.weborigin@gmail.com — Use subject line "Security Report" for security-related communications.
6. Your Security Responsibilities
As a WebOrigin customer, you are responsible for:
- Keeping your login credentials secure and confidential
- Not sharing your dashboard access with unauthorized personnel
- Keeping your Meta access token secure and rotating it if compromised
- Reporting suspected security incidents immediately to WebOrigin
- Removing access for former team members promptly
Security Contact: contact.weborigin@gmail.com · WebOrigin · MSME: UDYAM-DL-02-0118375
Security incidents are responded to within 72 hours.