Security

Enterprise-grade security.
India-first compliance.

Built from the ground up for DPDP 2023, with JWT auth, bcrypt passwords, row-level tenant isolation, and encrypted offline storage.

Authentication

JWT HS256 tokens with a 2-hour expiry and secure refresh-token rotation. Passwords are hashed with bcrypt (cost factor 12), API keys are bcrypt-hashed before storage, and enumerator sessions time out after 30 minutes of inactivity.

DPDP 2023 Compliance

Every form carries a consent-tracking field and a purpose declaration, all data changes are written to full audit logs, and a data-erasure endpoint anonymizes data_json on request — built end-to-end for India's Digital Personal Data Protection Act 2023.

Offline Security

Offline data lives in the browser's OPFS (Chrome/Android) or IndexedDB (Safari/iOS) — never in localStorage or plain cookies. It is bound to its origin and inaccessible to other sites, syncs over HTTPS with TLS 1.3, and is never written to disk unencrypted.

Access Control

A 4-tier role hierarchy (master_admin → org_admin → supervisor → enumerator) with tenant isolation enforced by SQLAlchemy row-level security on every query. Enumerators see only their assigned forms, supervisors only their tenant's submissions, and cross-tenant leakage is blocked at the database layer.

Media Security

Photos and audio are stored on private VPS storage — not in public cloud buckets or S3 public URLs. Downloads use presigned URLs with a short TTL, filenames carry a non-guessable UUID, and files sit outside the web root so they can't be browsed directly.

Audit Trail

Every status change (flag / approve / reject) is logged with a timestamp, actor ID, and previous state. The submission-history panel is visible to supervisors, entries are append-only and non-repudiable, and the full log exports alongside submission data.

Common security questions

Where is data stored?

All submission data is stored on an India-based VPS. We do not use third-party cloud databases (AWS RDS, Google Cloud SQL, etc.). Media files (photos, audio) are stored on private server storage — not in public S3 buckets or CDN.

Can enumerators see each other's data?

No. Row-level security is enforced at the SQLAlchemy query layer — every database query includes a tenant_id filter. Additionally, enumerators can only see forms assigned to them and their own submitted records. Supervisors can see all submissions within their organization only.

How do I delete respondent data?

FieldGovern provides a DPDP-compliant erasure endpoint. When called, it anonymizes the data_json field for a given submission — replacing identifiable fields with null values while preserving the submission record for audit purposes. The action is logged in the audit trail with actor and timestamp.

What happens to data stored offline on an enumerator's device?

Offline data is stored in the browser's OPFS (Chrome/Android) or IndexedDB (Safari/iOS). These are sandboxed storage APIs — other websites cannot access them. When the enumerator syncs, data is transmitted over HTTPS and then cleared from local storage. If a device is lost before sync, only locally-captured unsynced records are at risk.

Are API keys stored securely?

Yes. API keys are bcrypt-hashed before storage — the plaintext key is shown once at creation and never stored. This means even a database breach would not expose usable API keys. Keys can be revoked instantly from the Org Admin panel.

Built with security from day one.

Questions about compliance or data residency? Talk to us.

Contact Us →