At MoveTara, we take the security of your data seriously. As a B2B SaaS platform managing sensitive hostel operations, tenant records, and financial data, we implement industry-standard security measures to protect your information. This page describes our security practices and infrastructure.

1. Infrastructure Security

2. Authentication & Access Control

Security Measure	Implementation
OTP authentication	Mobile OTP verification via SMS — one-time codes expire after use, never stored permanently
MPIN storage	MPIN codes are stored as cryptographic hashes — never stored in plaintext
Session management	JWT-based authentication tokens with automatic expiry and refresh rotation
Role-based access (RBAC)	Strict role separation: Owner, Warden, Tenant — each role can only access authorized data
Row-Level Security (RLS)	Database enforces row-level security policies — users can only query their own data
API authorization	Every API request is authenticated and authorized before processing

3. Application Security

• Input validation: All user inputs are validated and sanitized on both client and server side to prevent injection attacks
• SQL injection prevention: All database queries use parameterized statements — no raw SQL concatenation
• XSS protection: React framework provides built-in XSS protection; all outputs are escaped
• CSRF protection: API requests are authenticated via bearer tokens, eliminating CSRF vulnerabilities
• Rate limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse
• Dependency security: Third-party dependencies are regularly audited for known vulnerabilities

4. Data Protection

• Data isolation: Each hostel's data is logically isolated — owners cannot access other owners' data
• Minimal data collection: We collect only the data necessary to provide the Service
• No data selling: We never sell, rent, or share your data with third parties for marketing
• Data retention: Deleted accounts have data permanently removed within 30 days
• Backup encryption: All database backups are encrypted and access-controlled

5. Operational Security

• Access control: Production database access is restricted to authorized MoveTara personnel only
• Least privilege: Team members are granted minimum necessary access for their role
• Code review: All code changes undergo peer review before deployment to production
• Secure development: We follow OWASP Top 10 guidelines in our development practices
• Incident response: We have documented incident response procedures for security events

6. Mobile App Security

• Authentication via mobile OTP — no passwords stored on device
• MPIN provides an additional layer of app-level access control
• Push notification tokens are unique per device and revocable
• App communicates exclusively over HTTPS — no plaintext communication
• APK is signed with a private release key to prevent tampering

7. Compliance

Regulation	Status
Information Technology Act, 2000 (India)	Compliant — reasonable security practices implemented per IT Rules 2011
Digital Personal Data Protection Act, 2023 (India)	Compliant — data processing with consent, Grievance Officer appointed, deletion rights honored
OWASP Top 10	Followed — application security best practices implemented

8. Responsible Disclosure

If you discover a security vulnerability in the MoveTara platform, we encourage you to report it responsibly. Please email us at security@movetara.com with details of the vulnerability. We request that you:

• Do not publicly disclose the vulnerability until we have addressed it
• Do not access or modify other users' data during your investigation
• Provide sufficient detail for us to reproduce and fix the issue

We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 14 days.