Infrastructure
We host on Amazon Web Services in the Mumbai region (ap-south-1).
No customer data leaves Indian jurisdiction.
Specifically:
- Application servers: ECS Fargate with auto-scaling
- Database: RDS MySQL with encrypted storage and Multi-AZ standby
- File storage: S3 buckets with bucket-level encryption (SSE-KMS) and versioning enabled
- CDN: CloudFront for static assets (your data doesn't go through CDN — only marketing pages, JS bundles, etc.)
- DNS: Route 53 with DNSSEC enabled
Encryption
In transit
All connections to BizlumoAI use TLS 1.3 (TLS 1.2 minimum, with modern cipher suites only). HTTP requests are redirected to HTTPS. HSTS is enabled with a 1-year max-age. Our certificates are issued by Amazon Certificate Manager and rotated automatically.
At rest
Database encrypted with AES-256 using AWS KMS-managed keys. S3 buckets use SSE-KMS encryption. Backups are encrypted before being written to backup storage.
Application-level encryption
Sensitive fields (Aadhaar last-4, PAN, bank account number) are additionally encrypted at the application layer using a separate key, so even a database breach wouldn't expose them in plaintext.
Access control
Customer side
- Strong password requirements (min 12 chars, must include letters + numbers)
- Bcrypt password hashing (cost factor 12)
- Session tokens are JWT with 24-hour expiry, stored as HTTPOnly+Secure+SameSite=Strict cookies
- Granular role-based access control — HR sees payroll, department heads see only their team, finance gets reports without people-data
Internal access
- BizlumoAI employees access infrastructure via SSH with hardware security keys (YubiKeys)
- No shared accounts. No password-based SSH.
- Customer data access is logged. Engineers can only view a customer's data with explicit support ticket reference.
Face data — how it works
We never store raw face images on our servers. Here's the flow:
- Employee stands in front of the kiosk tablet
- Camera captures face image (stays on device)
- On-device ML model converts image to a 128-dimension numerical embedding (a face "fingerprint")
- Only the embedding is transmitted to our servers (over TLS 1.3)
- Original image is discarded immediately
- Embedding is stored with AES-256 encryption
The embedding is a one-way hash. There's no mathematical way to reverse it back into a face image. If our database were ever compromised, attackers would have a list of meaningless 128-number vectors — they couldn't reconstruct your employees' faces.
Liveness detection runs at recognition time to prevent photo/video spoofing — you can't fool the kiosk by holding up a phone screen with someone's photo.
Payments
All payments are processed through Razorpay, which is PCI-DSS Level 1 certified. We never see your card data — Razorpay handles tokenisation and we only receive a payment status callback.
We store the Razorpay subscription ID and the last 4 digits of your card (for display purposes only). No CVV, no full card number, no expiry date.
Monitoring & alerting
- Application errors: Sentry alerts to engineering on-call within 60 seconds
- Infrastructure metrics: CloudWatch with PagerDuty escalation
- Database query anomalies: alert on unusual access patterns (e.g. sudden export of large data volumes)
- Failed login attempts: alert after 5 failures from same IP in 10 minutes; auto-block after 20 in an hour
- Audit logs of admin actions (60-day retention on Enterprise plan)
Backups & disaster recovery
- Database: automated daily encrypted backups, 30-day retention
- Point-in-time recovery: any state in the last 7 days can be restored
- S3 buckets: versioning enabled with 90-day retention of overwritten/deleted objects
- Cross-AZ failover: database hot standby in second availability zone
- Disaster recovery target: RPO 24 hours, RTO 4 hours
- Quarterly restore-from-backup drills to verify recovery procedures
Incident response
If a security incident occurs that affects customer data, our incident response process is to:
- Begin investigation immediately upon detection and work to contain the incident as quickly as practicable
- Notify affected customers via email within the timelines required by applicable law (within 72 hours of becoming aware of a personal data breach, per DPDP Act 2023)
- File required notifications with the Data Protection Board of India and other applicable authorities
- For significant incidents, share a post-incident summary with affected customers covering timeline, root cause, and corrective actions taken
Subscribe to security notifications by emailing security-list@bizlumoai.com with subject "subscribe". You'll get notified of any security advisory we publish (we hope this list stays empty).
Compliance & certifications
- Digital Personal Data Protection Act 2023 (India): compliant. Grievance Officer designated. Data localised in India.
- Information Technology Act 2000 (India): compliant with reasonable security practices under Section 43A.
- GST: Registered. GSTIN 09AARCM4870C1Z5. All invoices issued per GST regulations under HSN 998314.
We're a young company. We don't have certifications that take 18+ months to achieve. We do have the underlying controls in place; certifications will follow as we scale.
Responsible disclosure
Found a security vulnerability? Report it to security@bizlumoai.com. We aim to:
- Acknowledge your report within 48 hours
- Triage within 5 business days
- Patch critical issues as quickly as practicable — typically within 7 days for high-severity, exploitable findings
- Credit you publicly (if you wish) once the fix is deployed
We don't run a formal bug bounty program, but we do reward valid critical and high-severity findings at our discretion — typically with BizlumoAI account credits, swag, or cash for high-impact reports. Rewards depend on severity, exploit quality, and report clarity. Tell us about your finding first; we'll discuss recognition after triage.
Out of scope
- Marketing site (this site) — only the application matters
- Theoretical issues without practical exploit
- Issues requiring physical access to victim's device
- Social engineering of BizlumoAI employees
- DoS/DDoS — please don't
Need a copy of this page as a PDF for vendor security review? Email security@bizlumoai.com — we'll send a signed PDF version with our security questionnaire.