Security Policy.
Your clients trust you with their financial data. You trust us to keep it safe. This page explains exactly what we do to honour that trust.
Where your data lives
All PractEase customer data is stored on AWS Mumbai (ap-south-1). Your data never leaves Indian servers. We do not replicate or back up data to any non-Indian region for any reason. Our database infrastructure is provided by Supabase, running on AWS.
Encryption
In transit: All connections to PractEase use TLS 1.3, with TLS 1.2 as the minimum accepted version; older protocol versions are refused. Plain HTTP traffic is automatically redirected to HTTPS.
At rest: Data is encrypted on disk using AES-256 at the AWS infrastructure layer. This applies to the active database, automated backups and the underlying storage volumes. Passwords are never stored in plain text — we use Supabase Auth, which hashes passwords with bcrypt.
Tenant data isolation
PractEase enforces row-level security at the database layer. Every row in every table is tagged with an organisation ID, and every database query is automatically filtered by the organisation ID carried in the requesting user’s JWT. This means no user from one firm can ever read or modify another firm’s data, even in the unlikely event of an application-layer bug.
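For readers who want to see what database-enforced tenant isolation of this kind looks like, the following is an added illustrative example written for this page; it is not PractEase's actual schema or policy code. It assumes a Postgres/Supabase database, a table named invoices with an organisation_id column, and a custom JWT claim named org_id stored under app_metadata; those three names are assumptions. auth.jwt() is Supabase's helper that exposes the verified token as jsonb, and request.jwt.claims is the setting it reads from.

```sql
-- Added example (not PractEase's schema). Table, column and claim names are assumed.
create table if not exists invoices (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  client_name     text not null,
  amount_paise    bigint not null check (amount_paise >= 0)
);

-- The organisation the caller's verified JWT asserts. If the claim is absent
-- the function returns NULL, and every comparison below then fails closed.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'org_id', '')::uuid
$$;

-- Enable RLS and FORCE it, so even the table owner is subject to the policies.
alter table invoices enable row level security;
alter table invoices force row level security;

-- USING filters the rows a statement may see or touch; WITH CHECK stops a user
-- from inserting, or re-homing via UPDATE, a row that belongs to another firm.
create policy invoices_select on invoices for select
  using (organisation_id = current_org_id());

create policy invoices_insert on invoices for insert
  with check (organisation_id = current_org_id());

create policy invoices_update on invoices for update
  using (organisation_id = current_org_id())
  with check (organisation_id = current_org_id());

create policy invoices_delete on invoices for delete
  using (organisation_id = current_org_id());

-- Quick check inside one transaction: impersonate the authenticated role with
-- a constructed claim set and confirm only that organisation's rows are visible.
begin;
  insert into invoices (organisation_id, client_name, amount_paise) values
    ('11111111-1111-1111-1111-111111111111', 'Firm A client', 150000),
    ('22222222-2222-2222-2222-222222222222', 'Firm B client', 99000);

  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"app_metadata":{"org_id":"11111111-1111-1111-1111-111111111111"}}', true);

  -- Expect exactly one row, the Firm A invoice.
  select count(*) from invoices;

  -- Expect a policy violation error: writing into another firm's tenant.
  -- insert into invoices (organisation_id, client_name, amount_paise)
  --   values ('22222222-2222-2222-2222-222222222222', 'cross-tenant', 1);
rollback;
```

Two caveats matter when reviewing a setup like this. First, a table with RLS enabled but no matching policy for the current role returns no rows at all, so the default is deny; the policies above only grant access back for the caller's own organisation. Second, in Supabase the service_role key bypasses RLS entirely, so it must stay server-side and never be embedded in a client; the application-facing connection should always run as the anon or authenticated role, where the policies apply.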
Compliance
Our underlying infrastructure (Supabase + AWS) is SOC 2 Type 2 certified. Daily automated backups are taken with point-in-time recovery available for the last 7 days, so we can recover your data to any second within that window if needed.
Authentication & access
All accounts use email plus password authentication, with optional Google OAuth (sign in with your Google Workspace credentials). Sessions expire after 4 hours by default; you can opt to extend to 30 days on trusted devices.
We follow the principle of least privilege internally. Engineering staff access to production data is restricted to break-glass scenarios only, and every such access is logged.
Payments
All payment processing is handled by Razorpay, India’s leading payment gateway and a PCI-DSS Level 1 certified processor. No card or bank details ever touch PractEase servers. We only store the customer’s subscription status returned by Razorpay.
Vulnerability disclosure
If you’ve discovered a security issue, please email support@practease.app with “Security disclosure” in the subject. Please include:
- A description of the issue and its potential impact
- Steps to reproduce
- Your name and (optional) preferred contact for credit
We commit to: acknowledging within 24 hours, providing an initial assessment within 3 working days, and resolving verified critical issues within 7 days. We will not pursue legal action against good-faith researchers who follow responsible disclosure.
Operational security
All code changes go through code review before reaching production. Production deployments are immutable and rolled forward (we never edit production directly). Audit logs cover authentication events, data access and administrative actions.
Your responsibilities
Security is a shared responsibility. Please use a strong, unique password for your PractEase account; enable Google OAuth where possible; never share login credentials between team members (each user should have their own seat); and report any suspicious account activity to us immediately.
Contact
For any security-related question: support@practease.app