Security Practices

1. Introduction & Security Commitment

Essa Technologies Pvt Ltd is committed to protecting the confidentiality, integrity, and availability of all data entrusted to us by our customers, partners, and users. Security is not an afterthought—it's embedded in every layer of our development process, infrastructure design, and operational practices.

This document provides detailed information about our security measures for all Essa Technologies products and services, with particular focus on the gImmerse platform—our connected fitness operating system serving gyms, fitness centers, and their members across India.

2. Data Encryption & Protection

2.1 Data in Transit

All data transmitted between our services and end users is encrypted using industry-standard protocols:

• TLS 1.2 / 1.3: All API communications, web applications, and mobile apps use Transport Layer Security (TLS) with strong cipher suites
• HTTPS Everywhere: All web interfaces enforce HTTPS connections; HTTP requests are automatically redirected to HTTPS
• WebSocket Security: Real-time communications via Phoenix Channels use secure WebSocket connections (WSS) with TLS encryption
• Certificate Management: We use industry-standard SSL/TLS certificates from trusted Certificate Authorities, with automated renewal processes

2.2 Data at Rest

All sensitive data stored in our systems is encrypted:

• Database Encryption: PostgreSQL databases use encryption at rest with AES-256 encryption
• File Storage: Files uploaded to AWS S3 (profile pictures, documents, media) are encrypted using S3 server-side encryption (AES-256)
• Password Security: User passwords are hashed using Argon2id, a memory-hard password hashing algorithm resistant to brute-force attacks
• Sensitive Field Encryption: Payment details, API keys, and other sensitive fields are encrypted at the application level using industry-standard encryption libraries
• Backup Encryption: All database backups and snapshots are encrypted and stored securely

2.3 Key Management

• Encryption keys are stored separately from encrypted data
• Key rotation policies are enforced for all encryption keys
• Access to encryption keys is restricted and audited
• We use AWS Key Management Service (KMS) for secure key storage and management

3. Infrastructure Security

3.1 Cloud Infrastructure

Our production infrastructure is deployed on enterprise-grade cloud platforms:

• Hetzner Cloud: Production application servers hosted on dedicated CCX instances with AMD EPYC processors
• Upstash: Redis caching and PubSub infrastructure with global replication
• AWS Services: S3 for file storage, SES for email delivery, all configured with security best practices
• Network Isolation: Multi-tenant data is logically isolated at the application and database levels

3.2 Network Security

• Firewall Configuration: Strict firewall rules allow only necessary ports and protocols
• DDoS Protection: Infrastructure includes DDoS mitigation at the network edge
• Load Balancer Security: Hetzner Load Balancers with SSL termination and health check monitoring
• Private Networking: Database servers communicate over private networks, not exposed to public internet
• IP Whitelisting: Administrative access restricted to authorized IP addresses

3.3 Server Security

• Operating systems kept up-to-date with security patches
• Automated security updates for critical vulnerabilities
• Minimal software installation following principle of least privilege
• SSH key-based authentication only; password authentication disabled
• Regular security audits and penetration testing

3.4 Database Security

• PostgreSQL Hardening: Production databases configured with security best practices
• Streaming Replication: High-availability setup with automatic failover
• Access Control: Database access restricted to application servers only
• Regular Backups: Automated encrypted backups with point-in-time recovery capability
• SQL Injection Prevention: All queries use parameterized statements via Ecto

4. Application Security

4.1 Secure Development Lifecycle

Security is integrated throughout our software development process:

• Security Requirements: Security considerations included from initial product design
• Code Review: All code changes undergo peer review before deployment
• Static Analysis: Automated security scanning integrated into CI/CD pipelines
• Dependency Scanning: Regular audits of third-party libraries for known vulnerabilities
• Security Testing: Regular penetration testing and vulnerability assessments

4.2 Authentication & Authorization

• JWT Authentication: JSON Web Tokens with short expiration times (15 minutes)
• Refresh Token Rotation: Secure refresh token mechanism for long-lived sessions
• Multi-Factor Authentication (MFA): Available for admin and super_admin accounts
• Role-Based Access Control (RBAC): Granular permissions system with three role levels (user, admin, super_admin)
• Permission Caching: ETS-based permission caching for performance with automatic invalidation

4.3 Input Validation & Sanitization

• All user inputs validated and sanitized on both client and server side
• Protection against XSS (Cross-Site Scripting) attacks via content security policies
• CSRF (Cross-Site Request Forgery) protection on all state-changing operations
• Rate limiting on API endpoints to prevent abuse
• File upload validation (type, size, content verification)

4.4 API Security

• Authentication Required: All API endpoints require valid JWT tokens
• CORS Configuration: Strict Cross-Origin Resource Sharing policies
• Rate Limiting: Request throttling to prevent API abuse
• Tenant Isolation: Automatic tenant_id scoping on all multi-tenant queries
• API Versioning: Structured versioning to maintain security across updates

5. Access Control & Authentication

5.1 Internal Access Controls

• Principle of Least Privilege: Employees granted minimum access necessary for their role
• Role-Based Access: Internal systems use role-based access control
• Access Reviews: Quarterly reviews of employee access permissions
• Immediate Revocation: Access terminated immediately upon employee departure
• Audit Logging: All administrative actions logged and monitored

5.2 Production Access

• Production system access restricted to authorized DevOps personnel
• All production access requires MFA authentication
• SSH access via bastion hosts with audit logging
• No direct database access; changes via migration scripts only
• Emergency access procedures with executive approval

5.3 Customer Data Access

• Customer data access logged and monitored
• Access only granted for legitimate support purposes with customer consent
• Support staff cannot view passwords (hashed and salted)
• Sensitive financial data masked in support interfaces

6. Incident Response

6.1 Incident Response Team

Essa Technologies maintains a dedicated security incident response team available 24/7 to handle security events. Our team follows a structured incident response process based on industry best practices.

6.2 Incident Response Process

1. Detection & Identification: Automated monitoring and manual reporting channels
2. Containment: Immediate action to contain and limit impact
3. Investigation: Root cause analysis and scope determination
4. Eradication: Remove threat and close security gaps
5. Recovery: Restore normal operations with enhanced controls
6. Post-Incident Review: Lessons learned and process improvements

6.3 Breach Notification

In the unlikely event of a security breach affecting personal data, we will:

• Notify affected customers within 72 hours of discovery
• Comply with all applicable data breach notification laws
• Provide detailed information about the nature and scope of the breach
• Offer guidance on protective measures customers can take
• Report incidents to relevant regulatory authorities as required

7. Vulnerability Disclosure Policy

7.1 Responsible Disclosure

We encourage security researchers and users to report potential vulnerabilities responsibly. We are committed to working with the security community to verify and address security issues quickly.

7.2 Reporting Guidelines

When reporting a vulnerability, please include:

• Detailed description of the vulnerability
• Steps to reproduce the issue
• Potential impact and severity assessment
• Any proof-of-concept code (if applicable)
• Your contact information for follow-up

7.3 Our Commitment

• Acknowledgment: We will acknowledge your report within 24 hours
• Investigation: We will investigate and validate the reported issue within 5 business days
• Resolution: Critical vulnerabilities will be patched within 7 days; others based on severity
• Recognition: With your permission, we will publicly acknowledge responsible reporters
• No Legal Action: We will not pursue legal action against researchers acting in good faith

7.4 Out of Scope

The following are generally not considered security vulnerabilities:

• Issues requiring physical access to a user's device
• Social engineering attacks against our employees
• Denial of Service attacks
• Issues affecting outdated or unsupported browsers
• Best practice recommendations without exploitable vulnerabilities

8. Compliance & Certifications

8.1 Legal Compliance

Essa Technologies complies with applicable data protection and security regulations:

• Indian IT Act 2000: Full compliance with Information Technology Act and Rules
• DPDP Act 2023: Digital Personal Data Protection Act compliance framework implemented
• GDPR Awareness: General Data Protection Regulation principles followed for EU customers
• PCI-DSS: Payment processing via PCI-DSS Level 1 compliant provider (Razorpay)

8.2 Industry Standards

Our security practices align with recognized industry frameworks:

• OWASP Top 10 security vulnerabilities addressed
• CIS (Center for Internet Security) benchmarks followed for server hardening
• NIST Cybersecurity Framework principles applied
• ISO 27001 security controls implemented

8.3 Third-Party Audits

• Regular security assessments by independent security firms
• Penetration testing conducted annually
• Vulnerability assessments performed quarterly
• Cloud infrastructure security reviews

9. Employee Security Training

9.1 Security Awareness Program

All Essa Technologies employees undergo comprehensive security training:

• Onboarding Training: Security fundamentals for all new hires
• Ongoing Education: Quarterly security awareness training sessions
• Phishing Simulations: Regular testing to maintain vigilance
• Incident Response Training: Procedures for identifying and reporting security issues
• Data Handling: Proper handling of customer data and confidential information

9.2 Developer Security Training

Development team members receive specialized training:

• Secure coding practices and common vulnerabilities (OWASP Top 10)
• Application security testing techniques
• Cryptography and key management best practices
• Security code review processes
• Framework-specific security features (Phoenix, Next.js)

9.3 Background Checks

• Background verification for employees with access to sensitive systems
• Confidentiality and non-disclosure agreements signed by all employees
• Clear desk and screen policies enforced

10. Third-Party Security

10.1 Vendor Security Assessment

All third-party service providers undergo security evaluation:

• Security questionnaires and due diligence reviews
• Evaluation of vendor security certifications and compliance
• Data processing agreements with strong security clauses
• Regular vendor risk assessments

10.2 Key Third-Party Providers

• Hetzner Cloud: ISO 27001 certified data center infrastructure
• AWS: SOC 2, ISO 27001, PCI-DSS certified services (S3, SES)
• Upstash: Enterprise-grade Redis with encryption and compliance
• Razorpay: PCI-DSS Level 1 certified payment processor

10.3 Open Source Security

• Regular audits of open-source dependencies using automated tools
• Prompt updates for libraries with disclosed vulnerabilities
• License compliance and risk assessment
• Contribution to security of open-source projects we depend on

11. Security Monitoring & Auditing

11.1 Continuous Monitoring

Our security operations include 24/7 monitoring:

• Application Monitoring: Real-time application performance and error tracking
• Infrastructure Monitoring: Server health, network traffic, and resource utilization
• Security Events: Failed login attempts, unusual access patterns, API abuse
• Database Monitoring: Query performance, connection anomalies, replication status
• Uptime Monitoring: Service availability and response time tracking

11.2 Audit Logging

• Comprehensive logging of all security-relevant events
• Audit trails for authentication, authorization, and data access
• Administrative action logging
• Log retention for minimum 90 days (critical logs for 1 year)
• Logs stored securely with tamper protection

11.3 Alerting & Response

• Automated alerts for security events and anomalies
• Escalation procedures for critical security incidents
• On-call security team for after-hours incidents
• Integration with incident management systems

11.4 Regular Security Reviews

• Code Security Reviews: Regular reviews of security-critical code
• Architecture Reviews: Security assessment of new features and changes
• Access Reviews: Quarterly review of system and data access
• Security Metrics: Tracking and reporting on security KPIs

12. Contact Security Team

For security-related inquiries, vulnerability reports, or to report a security incident, please contact our dedicated security team:

Security Contact Information

• Email: security@essatechnologies.in
• Response Time: We acknowledge all security reports within 24 hours
• Escalation: Critical issues escalated to executive team immediately

General Contact

• General Inquiries: info@essatechnologies.in
• Privacy Questions: privacy@essatechnologies.in
• Legal Questions: legal@essatechnologies.in
• Phone: +91 9745236599

Company Information

Essa Technologies Pvt Ltd
Kerala, India
essatechnologies.in