Photo verification for regulated industries demands security that goes beyond checkboxes. Every layer of Vashix — from device hardware to cloud storage — is engineered for tamper resistance and auditability.
Every photo captured through the Vashix SDK is signed using a private key generated inside the device's secure hardware. The key is protected from export by the device's security architecture. This provides strong cryptographic evidence that a photo was captured on a specific physical device.
All data is encrypted in transit and at rest. Encryption keys are managed securely. Access to customer data requires audited, time-limited access grants.
Every Vashix capture embeds C2PA 2.1 content credentials — an open standard for content provenance. These credentials create a tamper-evident chain from capture to claim review. Any modification to the photo after capture invalidates the credential, providing an independent verification layer beyond Vashix trust scores.
Every API request is authenticated, authorised, and logged. There are no trusted internal networks. Service-to-service communication uses mutual TLS. API keys are scoped per environment and per permission. Role-based access control enforces the principle of least privilege across the dashboard and API.
Migration to India-only data residency is in progress.
All connections are encrypted in transit with modern protocols. HSTS headers are enforced.
All personal data, photos, and metadata are encrypted at rest and in transit.
Production workloads run in isolated environments with traffic inspection and DDoS protection.
Role-based access control is enforced on all systems. All production access is time-limited and logged.
Every API call, dashboard action, and system event is logged with timestamp, IP, and authenticated user. Logs are retained for a minimum of 1 year, per DPDP Rules 2025.
Automated daily backups with point-in-time recovery. Backups are encrypted and stored within the Mumbai region. 99.9% uptime SLA on Enterprise plans.
Automated vulnerability scanning runs on every deployment, with a dependency audit for known CVEs. Critical vulnerabilities are patched within 24 hours.
Incorporates features referenced in DPDP Rules 2025, including consent management, data erasure, and breach notification tooling.
Planned. Will cover the security, availability, and confidentiality trust service criteria.
Information Security Management System certification is on the roadmap. Timeline to be confirmed.
Implements the Coalition for Content Provenance and Authenticity (C2PA) standard version 2.1 for digital content provenance.
Captures generate certificates that include device identity, GPS coordinates, timestamps, and cryptographic signatures — information referenced in Section 63 of the Bharatiya Sakshya Adhiniyam, 2023. These certificates may be submitted as supporting evidence. Admissibility is always determined by the court on a case-by-case basis.
We take security vulnerabilities seriously. If you believe you have found a security vulnerability in the Vashix platform, we encourage you to report it responsibly. We will work with you to understand and address the issue promptly.
The following systems are in scope for security research under our responsible disclosure policy:
Out of scope: social engineering attacks on Vashix employees, physical attacks, denial of service attacks, and third-party services (e.g., Google Cloud, Razorpay). Please report vulnerabilities in those third-party systems directly to their respective security teams.
For security-related inquiries, vulnerability reports, or to request our security documentation package (available to customers and prospects under NDA), contact our security team.
PGP key available on request for encrypted communication.