Security

Security is foundational to how we build and operate Neriyam. This page describes the technical and organizational measures we use to protect your data.

Infrastructure

• Hosting — Neriyam runs on professional cloud infrastructure with industry-standard physical and operational security.
• Network isolation — Application servers and database servers are isolated; databases are not directly accessible from the public internet.
• TLS everywhere — All connections to Neriyam (web, API, docs) use TLS 1.2 or higher with strong cipher suites.
• DDoS protection — Our edge providers offer DDoS mitigation and rate limiting.

Application security

• Authentication — Passwords are hashed using industry-standard algorithms (bcrypt or equivalent). We never store plaintext passwords.
• Session management — Sessions are signed and time-limited. Sensitive actions may require re-authentication.
• Multi-organization data isolation — Each organization's data is isolated at the application and database level. Organization access is verified on every request.
• Role-based access control — Within an organization, every action is checked against the user's permissions.
• Input validation — All inputs are validated server-side; outputs are escaped to prevent injection attacks.
• Dependency management — We track and update third-party dependencies regularly to patch known vulnerabilities.

Data security

• Encryption in transit — TLS 1.2+ for all client-server and inter-service communication.
• Encryption at rest — Database backups are encrypted at rest.
• Backups — Daily encrypted backups with point-in-time recovery. Retained for up to 35 days.
• Data segregation — Customer data is logically segregated by organization with all queries scoped by organization identifier.

Operational security

• Access controls — Production access is limited to a small set of authorized engineers, with audit logging.
• Change management — Code changes go through review and automated testing before deployment.
• Monitoring and alerting — We monitor for security events, anomalous access patterns, and infrastructure incidents.
• Audit logs — Administrative actions are logged for at least 12 months.

Incident response

We have a defined process for responding to security incidents:

1. Detection — automated monitoring and customer reports.
2. Triage — assess severity and scope.
3. Containment — isolate affected systems.
4. Notification — affected customers are notified without undue delay.
5. Resolution — apply fixes and validate.
6. Post-mortem — document findings and improve preventive measures.

Compliance and certifications

We are working toward formal certifications. Current commitments:

• We follow the principle of data minimization — collecting only what we need to provide the service.
• We support customer rights under applicable data protection laws (see Privacy Policy).
• We do not sell customer data.

If your organization requires a specific compliance attestation (SOC 2, ISO 27001, etc.), contact us at support@kenforte.com to discuss your requirements.

Reporting a security issue

If you discover a security vulnerability in Neriyam, we want to hear from you.

Report responsibly:

• Email: security@kenforte.com (preferred) or support@kenforte.com
• Include: a description of the issue, steps to reproduce, and any proof-of-concept code

What to expect:

• Acknowledgment within 48 hours
• Regular updates as we investigate and fix
• Public credit (if desired) once the issue is resolved
• We do not currently offer a paid bug bounty, but we appreciate responsible disclosure

Please do not:

• Test against production data without authorization
• Disrupt other users' use of the service
• Disclose the issue publicly before we have had a reasonable opportunity to fix it

Customer responsibilities

Security is a shared responsibility. Your organization is responsible for:

• Choosing strong passwords and changing them periodically
• Enabling and managing role-based access for your users
• Keeping your contact information current so we can reach you
• Reporting suspected unauthorized access promptly
• Configuring browsers and devices according to your IT policies

Changes

We update this page when our security practices materially change. Significant changes will be communicated to active customers.

Contact

Security questions: security@kenforte.com
General support: support@kenforte.com
Address: Kenforte Infosystems Private Limited, Coimbatore, Tamil Nadu, India

For details on how we handle your data, see our Privacy Policy. For terms governing service use, see Terms of Service.