Security at GetKhojo
Security is foundational to everything we build. Because GetKhojo's tools scan and analyse sensitive infrastructure, we hold ourselves to the same standards we help our customers meet. Below is a transparent overview of how we protect your data, our platform, and the results of every scan you run.
Our Security Practices
Encryption
TLS 1.3 in transit · AES-256 at rest · Bcrypt password hashing · HTTPS-only enforced.
Infrastructure
AWS cloud (Mumbai region) · Isolated network · Regular security patches · DDoS protection.
Access Control
Email-based magic-link auth · KYC verification · Rate limiting · Audit logs.
Monitoring
24/7 system monitoring · Automated threat detection · Incident response · Regular audits.
Data Handling & Compliance
Scan data is processed only to generate your report and is never sold or shared with third parties. Findings are stored against your account so you can revisit and compare them over time, and you can request export or deletion of your data at any point through our Privacy Policy process. Payment details are handled entirely by our PCI-DSS-compliant payment provider — GetKhojo never stores raw card numbers on its servers.
Our reporting maps findings to recognised frameworks including the OWASP Top 10, PCI DSS, and ISO 27001, so the output is directly usable in your own audits. We follow the principle of least privilege internally: access to production systems and customer data is restricted, logged, and reviewed.
Responsible Disclosure
Report a Security Issue
Found a vulnerability? Email security@getkhojo.com with clear steps to reproduce. We acknowledge reports promptly, keep you updated as we investigate, and credit researchers who report issues responsibly. Please give us reasonable time to remediate before any public disclosure.
