Security

Protecting your clinic and patient data is our highest priority. Learn about the security measures we implement to keep your data safe.

Last updated: January 1, 2025

Infrastructure

DentsKart is built on Supabase, which runs on Amazon Web Services (AWS). Our database and file storage are hosted in the AWS Asia-Pacific (Singapore) region (ap-southeast-1), ensuring low latency for users across India.

Supabase provides a fully managed PostgreSQL database with automatic scaling, built-in connection pooling, and enterprise-grade reliability. AWS data centers maintain SOC 2 Type II, ISO 27001, and ISO 27017 certifications.

Our application is deployed on Vercel's edge network with automatic failover and global CDN distribution, ensuring high availability and fast page loads across India.

Encryption

All data at rest is encrypted using AES-256. Encryption at rest protects against someone obtaining the underlying disks, snapshots, or storage media; it does not limit what an authorised database connection can read, which is why access control (see Row-Level Security below) is a separate layer.

All data in transit between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not support legacy, insecure protocols.

Database backups are encrypted using separate encryption keys managed by AWS Key Management Service (KMS).

File uploads (X-rays, patient photos, documents) are stored in Supabase Storage with server-side encryption enabled by default.

Authentication

We use Supabase Auth for secure identity management. Authentication is handled via industry-standard JSON Web Tokens (JWTs) that are short-lived and refreshed automatically, so a leaked access token is only usable for a short window.

Supported authentication methods include email/password with strong password requirements, and OTP (One-Time Password) based login via email.

Session tokens are stored in cookies with the HttpOnly, Secure, and SameSite flags. HttpOnly keeps page scripts from reading the token, so a cross-site scripting (XSS) bug cannot exfiltrate it; Secure restricts the cookie to HTTPS; SameSite stops the browser from attaching it to cross-site requests, which mitigates CSRF.

Failed login attempts are rate-limited to prevent brute-force attacks. Accounts are temporarily locked after multiple failed attempts.

Row-Level Security & Clinic Isolation

Every database table in DentsKart is protected by PostgreSQL Row-Level Security (RLS) policies. This is the cornerstone of our multi-tenant data isolation strategy.

RLS policies ensure that every query issued on behalf of a user is automatically filtered to the rows belonging to that user's clinic. Because the filter is applied by PostgreSQL itself rather than by application code, a bug such as a missing WHERE clause in an API handler does not expose another clinic's rows. The guarantee applies to connections that are subject to RLS; a role with the BYPASSRLS privilege, such as the one behind Supabase's service-role key, is not filtered, so the isolation guarantee depends on that key never reaching the browser.

Each clinic's data is isolated from every other clinic. The database denies a user from Clinic A any attempt to read, modify, or delete Clinic B's rows, regardless of the API endpoint or query used.

Role-based access controls (Owner, Dentist, Receptionist) further restrict data access within a clinic. For example, receptionists may have limited access to clinical notes compared to dentists.
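The clinic isolation and role restrictions described above, written out as an added example in PostgreSQL SQL. This is illustrative code, not DentsKart's schema: the clinic_members, patients and clinical_notes tables and the member_role() helper are assumptions made for the example; auth.uid() and the auth.users table are Supabase's.

```sql
-- Added example, not DentsKart's schema. Assumed: the clinic_members,
-- patients and clinical_notes tables and the member_role() helper.
-- Supabase-provided: auth.uid() (caller's user id from the JWT) and auth.users.
-- Also assumed: the authenticated role already has table privileges
-- (Supabase grants these on public tables by default).

create table public.clinic_members (
  clinic_id uuid not null,
  user_id   uuid not null references auth.users (id) on delete cascade,
  role      text not null check (role in ('owner', 'dentist', 'receptionist')),
  primary key (clinic_id, user_id)
);

create table public.patients (
  id        uuid primary key default gen_random_uuid(),
  clinic_id uuid not null,
  full_name text not null
);

create table public.clinical_notes (
  id         uuid primary key default gen_random_uuid(),
  clinic_id  uuid not null,
  patient_id uuid not null references public.patients (id) on delete cascade,
  body       text not null
);

-- The caller's role in a clinic, or NULL if the caller is not a member.
-- SECURITY DEFINER lets policies consult clinic_members without that table
-- being readable by every user; search_path is pinned so the definer cannot
-- be hijacked through objects in a caller-controlled schema.
create or replace function public.member_role(target_clinic uuid)
returns text
language sql
stable
security definer
set search_path = public
as $$
  select role from public.clinic_members
  where clinic_id = target_clinic and user_id = auth.uid();
$$;

-- Enable RLS; FORCE applies it to the table owner as well. Only superusers
-- and roles with BYPASSRLS (the Supabase service_role key) skip these checks,
-- which is why that key must never reach the browser.
alter table public.clinic_members enable row level security;
alter table public.clinic_members force row level security;
alter table public.patients       enable row level security;
alter table public.patients       force row level security;
alter table public.clinical_notes enable row level security;
alter table public.clinical_notes force row level security;

-- Members may see who else is in their own clinic, nothing more.
create policy members_same_clinic on public.clinic_members
  for select using (public.member_role(clinic_id) is not null);

-- Clinic isolation: a user of Clinic A gets no rows from Clinic B, and the
-- WITH CHECK clause stops them inserting or re-pointing rows into Clinic B.
create policy patients_clinic_isolation on public.patients
  for all
  using (public.member_role(clinic_id) is not null)
  with check (public.member_role(clinic_id) is not null);

-- Role restriction within a clinic: receptionists are not listed here,
-- so they cannot read clinical notes; only dentists may write them.
create policy notes_read_clinical_staff on public.clinical_notes
  for select using (public.member_role(clinic_id) in ('owner', 'dentist'));

create policy notes_insert_dentist on public.clinical_notes
  for insert with check (public.member_role(clinic_id) = 'dentist');

create policy notes_update_dentist on public.clinical_notes
  for update
  using (public.member_role(clinic_id) = 'dentist')
  with check (public.member_role(clinic_id) = 'dentist');

-- Smoke test: impersonate a user by setting the JWT claims that auth.uid()
-- reads, then look at what is visible. Run inside a transaction so nothing
-- persists; the user id is a placeholder for the example.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001"}', true);
-- Only rows whose clinic_id this user is a member of come back.
select clinic_id, count(*) from public.patients group by clinic_id;
rollback;
```

The membership lookup is deliberately done through a SECURITY DEFINER function rather than by trusting a clinic_id claim inside the JWT: a claim is only as trustworthy as whatever minted it, whereas the clinic_members table is written by the application under its own policies. The smoke test at the end is the check to repeat after every policy change; a query that still returns another clinic's rows means a policy is missing or a table was created without RLS enabled.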

Security Headers

We implement comprehensive HTTP security headers to protect against common web vulnerabilities:

Strict-Transport-Security (HSTS): Forces browsers to always use HTTPS connections, with a max-age of one year and includeSubDomains directive.

Content-Security-Policy (CSP): Restricts which resources (scripts, styles, images) can be loaded, preventing cross-site scripting (XSS) attacks.

X-Content-Type-Options: nosniff prevents browsers from MIME-type sniffing, so a response is only interpreted as the content type the server declares (for example, an uploaded file is never executed as a script because its contents look like JavaScript).

X-Frame-Options: DENY prevents the application from being embedded in iframes, protecting against clickjacking attacks.

Referrer-Policy: strict-origin-when-cross-origin limits information shared in HTTP referrer headers.

Permissions-Policy restricts access to browser features like camera, microphone, and geolocation to only contexts where they are needed.

Payment Security (Razorpay)

All payment processing is handled by Razorpay, India's leading payment gateway. Razorpay is PCI-DSS Level 1 compliant, the highest level of certification available in the payments industry.

We never store credit card numbers, CVVs, or complete card details on our servers. All sensitive payment data is tokenized and handled entirely within Razorpay's secure infrastructure.

Payment pages and checkout flows are served directly by Razorpay, ensuring your financial data never passes through our application servers.

Razorpay undergoes regular security audits and penetration testing by independent third-party firms.

WhatsApp Communications

DentsKart uses the official Meta WhatsApp Cloud API for all WhatsApp-based communications. We do not use unofficial third-party WhatsApp providers or grey-route services.

The official Cloud API ensures compliance with Meta's Business Policy, WhatsApp Commerce Policy, and applicable data protection regulations.

WhatsApp messages are encrypted between WhatsApp's servers and the patient's device using WhatsApp's end-to-end encryption protocol. Because the Cloud API is hosted by Meta, Meta operates the business-side endpoint of that encryption, and messages travel from DentsKart to Meta over TLS. Message templates are pre-approved by Meta to prevent spam and ensure quality.

Clinics must obtain patient consent before sending WhatsApp messages. Patients can opt out of WhatsApp communications at any time by replying STOP.

Backups & Disaster Recovery

Automated daily backups are performed with point-in-time recovery (PITR) capabilities, allowing data restoration to any point within the backup retention window.

Backups are stored in AWS availability zones separate from the primary database, which protects against the loss of a single data centre. Availability zones all sit inside the ap-southeast-1 region, so this does not by itself protect against a whole-region outage.

All backups are encrypted at rest using AWS KMS-managed encryption keys.

We conduct regular backup restoration tests to verify data integrity and recovery procedures.

Our Recovery Point Objective (RPO) is less than 24 hours, and our Recovery Time Objective (RTO) is less than 4 hours for critical systems. Daily backups bound the RPO at 24 hours; within the PITR retention window, restoration to a specific earlier point is possible.

Incident Response

We maintain a documented incident response plan that covers identification, containment, eradication, recovery, and post-incident analysis.

Security incidents are classified by severity level, with critical incidents triggering immediate response from our engineering team.

In the event of a data breach, we will notify affected users and the Data Protection Board of India in accordance with the Digital Personal Data Protection Act, 2023.

We conduct post-incident reviews for all security events to identify root causes and implement preventive measures.

Users are notified via email and in-app notifications about any security incidents that may affect their data.

Responsible Disclosure

We welcome responsible security researchers to report vulnerabilities they discover in our platform.

If you discover a security vulnerability, please report it to support@dentskart.com with the subject line "Security Vulnerability Report." Please include a detailed description of the vulnerability, steps to reproduce, and potential impact.

We ask that you give us reasonable time (at least 90 days) to investigate and address the vulnerability before any public disclosure.

We will not take legal action against researchers who report vulnerabilities in good faith and comply with this responsible disclosure policy.

We acknowledge all valid vulnerability reports and will keep you informed of our progress in addressing the issue.

Compliance Roadmap

DentsKart is committed to continuously improving our security posture. Our compliance roadmap includes:

SOC 2 Type II Certification: We are actively working towards SOC 2 Type II certification, which will provide independent third-party validation of our security controls, availability, processing integrity, confidentiality, and privacy practices.

ISO 27001: We are building our Information Security Management System (ISMS) aligned with ISO 27001 standards, with certification planned as we scale.

DPDP Act Compliance: We are fully committed to compliance with India's Digital Personal Data Protection Act, 2023, and continuously update our practices as implementation rules are published.

Regular Penetration Testing: We conduct periodic security assessments and penetration testing by independent security firms to identify and address vulnerabilities proactively.

Security Awareness Training: All team members undergo regular security awareness training to maintain a security-first culture.

Security Summary

AES-256 encryption at rest
TLS 1.2+ encryption in transit
PostgreSQL Row-Level Security
Supabase Auth with JWT sessions
PCI-DSS Level 1 payments (Razorpay)
Official Meta WhatsApp Cloud API
Daily encrypted backups with PITR
SOC 2 Type II certification in progress

Have a security question or want to report a vulnerability? Contact us at support@dentskart.com