SECURITY · VAULT-GRADE, CALMLY EXPLAINED

Your data is locked, watched, and yours.

Honest details about how we protect the customer data, photos, and signatures you put into Lumara. No security theatre, no badge soup — just what we actually do.

Last updated 16 May 2026 · 7 min read · Plain English. We mean it.
We do

  • Encrypt your data at rest (AES-256) and in transit (TLS 1.3).
  • Keep a tamper-proof audit log of every state change in your tenant.
  • Take daily backups in the India region with point-in-time recovery.

We don't

  • Allow direct DB access for our team. Only via audited tooling.
  • Share credentials. Every operator action is logged with their identity.

01

Infrastructure

Lumara runs on AWS in the India region (ap-south-1). Each tenant's database schema is logically isolated; production data never leaves India.

  • Network: VPC with private subnets, no public DB endpoints, AWS WAF + CloudFront on the edge.
  • Compute: Containerised Node 20 LTS app servers behind an ALB with HTTPS-only listeners.
  • Database: PostgreSQL 16 (RDS). Tenant isolation is enforced at the application layer, with a secondary tenant-ID check applied to every query as a row-level backstop.
  • File storage: Encrypted S3 buckets, signed URLs only (no public objects).
02

Encryption — at rest and in transit

Every byte of customer data is encrypted twice over:

  • In transit: TLS 1.3 for all HTTP traffic. HSTS preload enabled. Internal service-to-service traffic also TLS-encrypted via mTLS.
  • At rest: AES-256 on the database (RDS managed keys via AWS KMS), AES-256 on file storage (S3 server-side encryption). Backups are encrypted with separate KMS keys.
  • Secrets: Stored in AWS Secrets Manager, rotated automatically every 90 days.
03

Access control

Inside your tenant, you control who sees what via the role-based access system: Admin, Sales Manager, Sales Executive, Production Manager, Factory Operator, Installer, and Accounts. Each role gets only the screens and actions they need.

On the DataCaffe side:

  • Every team member uses Google Workspace SSO with mandatory hardware-backed 2FA (YubiKey or equivalent).
  • Production access is granted via short-lived, audited sessions through a bastion host. No engineer has persistent shell access to prod.
  • Database access for support is gated behind a tool that records every query against an internal audit log, mapped to the engineer's identity.
04

Audit log

Every state change inside your tenant — every quote sent, order created, invoice issued, payment recorded, fitter photo uploaded, Tally sync attempted — is captured in an immutable audit log with the actor's identity, timestamp, before/after JSON, request ID, and IP.

Audit entries are append-only at the database level. They cannot be modified by application code, the tenant admin, or by us. Retention is 30 days on Starter, 90 days on Atelier, up to 7 years on Maison (configurable per tenant).
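An added example of what "append-only at the database level" together with the secondary tenant check in queries can look like on PostgreSQL 16. This is illustrative code written for this page, not Lumara's schema: the table and column names, the application role (lumara_app) and the session setting (app.tenant_id) are assumptions.

```sql
-- Constructed example (not Lumara's schema): a tenant-scoped audit table that
-- is append-only at the database level, not merely by application convention.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,          -- authenticated user or operator
    action      text        NOT NULL,          -- e.g. 'order.create', 'tally.push'
    request_id  text        NOT NULL,
    client_ip   inet,
    before_json jsonb,
    after_json  jsonb,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- 1. Secondary tenant check below the application layer: every statement only
--    sees rows whose tenant_id equals the session setting the app sets after
--    authentication (assumed name app.tenant_id). If the setting is missing,
--    current_setting(..., true) yields NULL and the policy matches no rows.
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;   -- applies to the table owner too
CREATE POLICY tenant_rows ON audit_log
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 2. Append-only: any UPDATE or DELETE is rejected regardless of caller.
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% on id %)', TG_OP, OLD.id;
    RETURN NULL;  -- unreachable; satisfies the trigger-function contract
END $$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- 3. Belt and braces: the application role (assumed name lumara_app) is never
--    granted UPDATE, DELETE or TRUNCATE, so a dropped trigger would not help.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT ON audit_log TO lumara_app;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO lumara_app;

-- Per request the app pins the tenant inside a transaction, then inserts:
--   SET LOCAL app.tenant_id = '<tenant uuid>';
--   INSERT INTO audit_log (tenant_id, actor, action, request_id, client_ip, after_json)
--   VALUES (current_setting('app.tenant_id')::uuid, 'vinod', 'order.create',
--           'req-0001', '203.0.113.7', '{"status": "new"}');
--   UPDATE audit_log SET action = 'x' WHERE id = 1;   -- ERROR: audit_log is append-only
```

A superuser bypasses row-level security but not the trigger, which is why the page pairs this with audited, non-persistent production access rather than relying on the schema alone.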

[Illustration: sample sealed audit trail: 14:32:01 login · vinod; 14:32:14 order.create; 14:32:48 invoice.issue; 14:33:09 tally.push]
05

Backups and disaster recovery

Database snapshots run daily and are retained per your plan (30 / 90 / 365+ days). Point-in-time recovery covers the last 7 days at 5-minute granularity for every tenant.

Files are versioned in S3 with cross-AZ replication. Our internal target for full disaster recovery — rebuilding from cold backup into a new AWS account — is 4 hours; we drill this quarterly.

Tenant-initiated exports are available any time as PDF + CSV bundles through the in-product Settings → Data Export panel.

06

Compliance and certifications

We're honest about where we are: a v1 product from a young startup. Here is our actual compliance posture today, not aspirational badges:

  DPDP Act 2023         Compliant
  ISO 27001 (roadmap)   Q4 2026
  SOC 2 Type II         Q2 2027
  GST IN-tax            Yes

  • DPDP Act, 2023 (India): Fully compliant. DPO appointed. Data residency in India.
  • GST tax compliance: Invoicing under Maharashtra GSTIN; the product correctly handles CGST/SGST/IGST and HSN codes for the window-coverings sector.
  • ISO 27001: Internal controls aligned to the standard; formal certification targeted Q4 2026.
  • SOC 2 Type II: Targeted Q2 2027 once the audit-log + access-control work has been operating continuously for 12 months.
07

Incident response

If a security incident affects your tenant:

  • Detection: Within 1 hour via automated monitoring (24×7), or the moment a report comes in via security@datacaffe.in.
  • Containment: Within 4 hours — isolate, freeze affected systems, preserve forensic evidence.
  • Notification: Within 24 hours to the affected tenant admin(s) by email and phone, regardless of severity. Within 72 hours to the Data Protection Board of India for incidents that meet DPDP Act §8 thresholds.
  • Post-mortem: Within 14 days, a written incident report shared with the affected tenant — what happened, what we did, what we'll change to prevent it.
08

Penetration testing & vulnerability disclosure

We commission an independent penetration test annually (next scheduled: October 2026). Reports are shareable under NDA on request.

For responsible disclosure of security issues, please email security@datacaffe.in. We acknowledge reports within 24 hours and aim to remediate critical issues within 7 days. We don't yet run a paid bug bounty programme; we do publicly thank reporters (with consent) on this page.

09

Security contact

security@datacaffe.in — monitored 24×7 by an on-call engineer with auto-escalation to a co-founder if not acknowledged within 30 minutes.

PGP public key, security.txt, and the most recent third-party penetration test executive summary are available on request.

QUESTIONS?

A real human will answer.

Security incidents: security@datacaffe.in (24×7, 30-min auto-escalate to co-founder).