Security

How we protect Klaro workspaces and the data inside them.

Last revised: 2026-05-04

Hosting

Klaro runs on industry-standard cloud infrastructure managed by Project91 Advance Technologies Private Limited. Production application servers and databases live in a private network; only a load balancer is exposed to the public internet. Data is encrypted at rest and in transit.

Transport

All traffic to theklaro.com is served over HTTPS with modern TLS. HSTS is enabled. Webhooks from payment processors (Razorpay, Stripe) are verified with HMAC signatures before they touch domain logic.
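The webhook check described above, as an added example that is not Klaro's own code: it implements Razorpay's HMAC-SHA256 over the raw body (hex digest in `X-Razorpay-Signature`) and Stripe's timestamped `Stripe-Signature` scheme (`t=...,v1=...` over `<timestamp>.<body>`), with constant-time comparison and a replay window. The secrets, bodies and the provider-side signing helpers are constructed for the example so it runs offline.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secrets for this example only; real ones live in the secret store.
RAZORPAY_WEBHOOK_SECRET = b"rzp-example-webhook-secret"
STRIPE_WEBHOOK_SECRET = b"whsec_example_webhook_secret"
STRIPE_TOLERANCE_SECONDS = 300  # reject a captured request replayed after 5 minutes


def verify_razorpay(raw_body: bytes, signature_header: str) -> bool:
    """Razorpay signs the raw request body with HMAC-SHA256; the hex digest
    arrives in the X-Razorpay-Signature header."""
    expected = hmac.new(RAZORPAY_WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()
    # compare_digest does not leak the correct digest through timing differences
    return hmac.compare_digest(expected, signature_header)


def verify_stripe(raw_body: bytes, signature_header: str, now: Optional[float] = None) -> bool:
    """Stripe-Signature carries 't=<unix ts>' and one or more 'v1=<hex>' fields.
    The signed payload is '<ts>.<raw body>'; the timestamp bounds replays."""
    fields = {}
    for part in signature_header.split(","):
        key, _, value = part.strip().partition("=")
        fields.setdefault(key, []).append(value)
    if "t" not in fields or "v1" not in fields:
        return False
    try:
        ts = int(fields["t"][0])
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if abs(current - ts) > STRIPE_TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    signed_payload = fields["t"][0].encode() + b"." + raw_body
    expected = hmac.new(STRIPE_WEBHOOK_SECRET, signed_payload, hashlib.sha256).hexdigest()
    # accept if any v1 entry matches (Stripe sends several during secret rotation)
    return any(hmac.compare_digest(expected, sig) for sig in fields["v1"])


# Provider-side signing, reproduced here only so the checks can be exercised offline.
def razorpay_sign(raw_body: bytes) -> str:
    return hmac.new(RAZORPAY_WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()


def stripe_sign(raw_body: bytes, ts: int) -> str:
    payload = str(ts).encode() + b"." + raw_body
    digest = hmac.new(STRIPE_WEBHOOK_SECRET, payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={digest}"
```

Both checks must run on the exact bytes received, before any JSON parsing, since re-serialising the body changes the digest.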

Authentication

  • Passwords are hashed with Argon2id (memory-hard, side-channel resistant).
  • Sessions are JWTs scoped to your account, issued by NextAuth with a short refresh window.
  • Password resets are single-use, time-bounded tokens hashed in our database (only the hash is stored).
  • Login, signup, and forgot-password return uniform responses so an attacker cannot learn whether an email address is registered.

Payments

We never see or store full card numbers. Razorpay (in India) and Stripe (international) are PCI-DSS Level 1 service providers; cards are tokenised by them and we hold only the resulting subscription/customer IDs.

WhatsApp routing

Outbound and inbound WhatsApp messages are routed through a licensed WhatsApp Business Solution Provider over an authenticated API. Provider credentials live in the application secret store and are scoped to a single platform-admin role. Each customer workspace has its own assigned WhatsApp number; numbers are never shared between workspaces within Klaro.

Multi-tenant isolation

Every domain query in Klaro is gated by a tenancy check that resolves the requester's membership before any company data is read or written. Platform-admin overlays are flagged (`isStaff`) so audit trails record their actions but customer-facing surfaces hide them.

Backups and durability

Postgres is backed up on a rolling schedule with point-in-time recovery. Backups are encrypted and stored in a separate cloud region from the primary database.

Access controls

Production access is limited to authorised Project91 Advance Technologies Private Limited staff using SSH key authentication. Access is reviewed quarterly. We follow least-privilege for all internal tooling.

Vulnerability disclosure

If you discover a vulnerability, we want to hear from you. Email security@theklaro.com with reproduction steps and your contact preferences. We commit to acknowledging within 3 working days, keeping you informed, and crediting reporters where appropriate.

Incident response

If we discover a security incident affecting your workspace, we notify the workspace admin without undue delay (and within regulatory timelines where they apply). Status updates for ongoing incidents appear on /status.