Security

Security at GetKhojo

Security is foundational to everything we build. Because GetKhojo's tools scan and analyse sensitive infrastructure, we hold ourselves to the same standards we help our customers meet. Below is a transparent overview of how we protect your data, our platform, and the results of every scan you run.

Our Security Practices

Encryption

TLS 1.3 in transit · AES-256 at rest · Bcrypt password hashing · HTTPS-only enforced.

Infrastructure

AWS cloud (Mumbai region) · Isolated network · Regular security patches · DDoS protection.

Access Control

Email-based magic-link auth · KYC verification · Rate limiting · Audit logs.

Monitoring

24/7 system monitoring · Automated threat detection · Incident response · Regular audits.

Data Handling & Compliance

Scan data is processed only to generate your report and is never sold or shared with third parties. Findings are stored against your account so you can revisit and compare them over time, and you can request export or deletion of your data at any point through our Privacy Policy process. Payment details are handled entirely by our PCI-DSS-compliant payment provider — GetKhojo never stores raw card numbers on its servers.

Our reporting maps findings to recognised frameworks including the OWASP Top 10, PCI DSS, and ISO 27001, so the output is directly usable in your own audits. We follow the principle of least privilege internally: access to production systems and customer data is restricted, logged, and reviewed.

Responsible Disclosure

Report a Security Issue

Found a vulnerability? Email security@getkhojo.com with clear steps to reproduce. We acknowledge reports promptly, keep you updated as we investigate, and credit researchers who report issues responsibly. Please give us reasonable time to remediate before any public disclosure.