Security is built into Branova Projects from the ground up.
1. Data isolation
Strict multi-tenancy — every query is scoped by organization (org_id), so tenants can never read each other's data.
2. Authentication
- Passwords are hashed with bcrypt; we never store plaintext.
- Sessions use HttpOnly, SameSite cookies and are regenerated on login.
- Login and password-reset endpoints are rate-limited to resist brute force.
3. Transport & headers
All traffic is served over HTTPS. We send X-Content-Type-Options, X-Frame-Options and Referrer-Policy headers, and enforce a same-origin (CSRF) guard on all state-changing requests.
4. Payments
Card data is processed entirely by Razorpay (PCI-DSS compliant). Webhooks are verified by HMAC signature.
5. Access control
Role-based permissions (Owner, Administrator, Manager, Member, Viewer, Guest) govern every action, and an audit log records changes.
6. Reporting a vulnerability
Found an issue? Email projects@branova.in with details. We appreciate responsible disclosure and will respond promptly.
