← Back to homeरफ़्तार

Security

How we keep your account, your money, and your leads' data safe.

Last updated: 11 July 2026

1. Our approach

Security at Raftaar is defence-in-depth and continuously improving. We hold your account, your money and your leads' personal data, so we design each layer — authentication, access control, tenant isolation, encryption, and third-party integration — to fail safe. This page describes the controls in place today; it is an honest snapshot, not a claim of perfection, and we welcome reports of anything we can do better (§10).

2. Passwords & authentication

Password storage

Passwords are never stored as text. They are protected with a one-way scrypt hash and a per-user salt, so even we cannot read them. Internal team logins use the same scheme, with email-OTP verification at setup.

Account protection

Repeated failed logins trigger a lockout to slow brute-force attempts. Sessions can be revoked (a "log out everywhere" epoch), so a password reset invalidates previously-issued sessions.

3. Sessions & transport

Sign-in uses signed, HTTP-only session cookies served over HTTPS, so they cannot be read or tampered with by page scripts, and SameSite protection plus an origin check on state-changing requests guard against cross-site request forgery. All data is transmitted over encrypted TLS connections.

4. Secrets & API keys

All third-party keys (payments, WhatsApp, AI, ad and telephony platforms) live only in server-side environment variables — never in the browser, never in the database, and never committed to our code repository. Our server-only modules are guarded so they cannot be bundled into client code.

5. Access control & least privilege

Tenant isolation

Every subscriber's data is scoped to their own account. Buyer data and business records are restricted to the subscriber who owns them; one subscriber cannot see another's leads, deals or money.

Capability-gated internal access

Internal HQ access is capability-based: each team role sees only what it needs. Interns and partners are deliberately kept off buyer PII and money internals. Views that expose buyer personal data require the buyer-data capability, not merely an admin login.

6. Data handling & minimisation

PII in logs

Operational logs mask phone numbers and email addresses and redact message content, so day-to-day debugging never exposes a buyer's or broker's raw personal data.

AI processing

Message content is sent to our AI providers only to generate a reply, and is not used by us to train third-party models. Actions that spend money or send irreversible outbound communications are gated for human approval or bounded by hard, code-enforced limits.

7. Payments

Card and subscription payments are handled entirely by Razorpay (PCI-DSS compliant). Raftaar never sees or stores card numbers. Payment webhooks are cryptographically signature-verified before we trust them, and auto-debit runs on an authorised e-mandate you can cancel anytime.

8. Integrations & webhooks

Inbound webhooks — WhatsApp/Meta, Razorpay, Cal.com and telephony — are verified with HMAC signatures using each provider's secret, and reject unsigned or mismatched requests in production (fail-closed). We act on a subscriber's connected accounts only with the specific, revocable authorisation they grant.

9. Reliability & incident handling

The platform runs on managed, secured cloud infrastructure (no self-hosting). We apply rate limiting to sensitive endpoints (login, OTP, chat, payments), degrade gracefully when a third party is unavailable (a buyer always gets a reply, never silence), and surface operational failures to our team so issues are caught rather than lost. Security and reliability are ongoing work, and we harden the platform as we grow.

10. Compliance

We are built around India's DPDP Act, 2023: consent at sign-up, buyer opt-in over WhatsApp, an affirmative-consent gate before any automated voice call, absolute honouring of STOP/opt-out, and prompt handling of access/correction/deletion requests. Real-estate advertising is RERA-gated. See our Privacy Policy for the full data-rights detail.

11. Shared responsibility

Security is a partnership. Please use a strong, unique password, keep your login and connected-account access confidential, manage your team's access carefully, and ensure you have a lawful basis and consent for the leads you bring into the platform.

12. Reporting a vulnerability

Found a security issue? Please email raftaar.saas@gmail.com with the details and steps to reproduce. We take reports seriously, will acknowledge quickly, and ask that you give us a reasonable chance to fix an issue before disclosing it publicly. We will not pursue good-faith researchers who follow responsible disclosure.

Security is ongoing. This summary reflects our current practices and improves as we grow.

Privacy Policy · Terms of Service