Application security
Content Security Policy enforced site-wide. HSTS with preload. HttpOnly + SameSite=Lax session cookies. Honeypot + dwell-time guards on public forms. Least-privilege API tokens with rotation.
“Compliance-first AI” is our positioning. This page is the receipt — the controls we run today, the alignment we already have, and the certifications we're working toward. Written to be inspected by a CISO or procurement team, not just a marketing reader.
Every item below is live on our production infrastructure right now — not on a roadmap, not aspirational. Reach out for a copy of the underlying configuration or a walk-through with our CTO.
Data hosted in the India region on a hardened Linux VM. Docker isolation between the marketing site, CRM, and project-management stacks. Row-level tenancy in customer-facing databases. TLS with Let's Encrypt certificates and auto-renewal.
SSH key–only authentication on production hosts. Role-based access in the CRM and project-management systems. Multi-factor authentication on all admin surfaces. API keys stored in server-side environment files, never in the repo.
India Digital Personal Data Protection Act 2023 aligned. EU GDPR aligned for European visitor traffic. Named Grievance Officer per DPDP §32. Consent-gated cookies with per-category opt-in. Data-retention windows published in the Privacy Policy.
No secrets in git. All API keys and connection strings live in server-side environment files with restricted file-mode permissions. Contact-form submissions never touch third-party marketing platforms.
Every production change goes through a reviewed commit on the main branch. Deploys use a Capistrano-style release path with rollback available. Build artifacts are reproducible from git.
Formal certifications take time and shouldn't be faked. Here's the honest timeline — dates are targets, not marketing.
We're happy to answer detailed security questionnaires (CAIQ, SIG Lite, vendor risk forms) and sign NDAs so we can share architecture, threat models, and access diagrams. Ask for:
Security contact: support@vsjailabs.com. Mark “Security review” in the subject and our CTO gets it directly.