
Security Policy

How we protect your data, code, and confidential information.

Last updated: January 2026

Security is foundational to our work. Whether we're reviewing your systems, writing code, or advising on architecture, we apply enterprise-grade security practices to protect your data and intellectual property.

Our Security Commitment

We treat your data and code as if they were our own production systems. Confidentiality, integrity, and availability are non-negotiable in every engagement.

Data Protection

Encryption

  • All data in transit is encrypted using TLS 1.3
  • Data at rest is encrypted using industry-standard algorithms (AES-256)
  • Client code repositories use SSH keys or secure HTTPS connections
  • Sensitive credentials are stored in encrypted vaults (never in plaintext)

Access Control

  • Principle of least privilege: access only to what's necessary
  • Multi-factor authentication (MFA) required for all team accounts
  • Role-based access control (RBAC) for client systems
  • Access is revoked immediately when engagements end

Data Retention

  • Client data is retained only as long as necessary for service delivery
  • Source code and credentials are deleted after project completion (unless otherwise agreed)
  • Audit logs are retained for compliance purposes (typically 12 months)
  • You can request data deletion at any time

Backup & Recovery

  • Regular encrypted backups of work in progress
  • Version control for all code with commit signing
  • Disaster recovery procedures documented and tested
  • Backups stored in geographically distributed locations

Secure Development Practices

When we write code or implement systems for you:

  • Code is reviewed for security vulnerabilities before delivery
  • Dependencies are scanned for known CVEs (Common Vulnerabilities and Exposures)
  • Secrets and API keys are never committed to version control
  • Security best practices follow OWASP guidelines
  • Infrastructure as Code (IaC) is validated for security misconfigurations
  • Penetration testing is available for critical applications

Confidentiality

Your business information, architecture diagrams, code, and strategic plans are confidential by default:

  • All team members sign NDAs before accessing client systems
  • Client projects are isolated from each other (no shared infrastructure)
  • We do not discuss your systems, challenges, or solutions publicly without permission
  • Case studies require explicit written consent
  • Communication channels use end-to-end encryption where possible

Infrastructure Security

Our own systems follow enterprise security standards:

  • Cloud infrastructure hosted on trusted providers (AWS, GCP, Cloudflare)
  • Regular security patches and updates
  • Intrusion detection and monitoring
  • DDoS protection and WAF (Web Application Firewall)
  • Isolated development, staging, and production environments
  • Security audits conducted annually

Third-Party Services

When we recommend or integrate third-party tools:

  • We evaluate their security posture and compliance certifications
  • We review their data handling and privacy policies
  • We prefer vendors with SOC 2, ISO 27001, or equivalent certifications
  • API keys and integrations use scoped permissions (not full access)

Incident Response

In the unlikely event of a security incident:

  • We will notify affected clients within 24 hours
  • Incidents are investigated, documented, and remediated immediately
  • Root cause analysis and prevention measures are implemented
  • We cooperate fully with any required regulatory reporting

Compliance

We design systems and handle data in compliance with:

  • India: IT Act 2000, DPDP Act 2023 (Digital Personal Data Protection)
  • International: GDPR (where applicable for EU clients)
  • Industry Standards: OWASP Top 10, CIS Benchmarks, NIST guidelines

Vulnerability Disclosure

If you discover a security vulnerability on our website or systems:

  • Email us immediately at support@emizhi.com
  • Provide details about the vulnerability (steps to reproduce, impact)
  • Allow us reasonable time to investigate and fix the issue before public disclosure
  • We will acknowledge and respond within 48 hours

Your Responsibilities

Security is a shared responsibility. We ask that you:

  • Provide access credentials securely (never via email or unsecured channels)
  • Inform us immediately if credentials may have been compromised
  • Revoke access promptly when our engagement ends
  • Follow security recommendations we provide during audits or advisory work

Security Questions or Concerns?

If you have questions about our security practices or need to report a concern:

Security Team: support@emizhi.com

General Inquiries: sales@emizhi.com

Privacy Matters: Privacy Policy
