Security you can verify, not just trust.
GENIX Business Suite is built for the SMB and enterprise teams whose customer data must be protected on both sides of the transaction. This page documents our controls, subprocessors, and compliance posture — updated alongside every release.
Security controls
Production-grade defaults across authentication, isolation, and observability — implemented in every release, not bolted on for enterprise.
Encryption in transit
All traffic over TLS 1.2+ with HSTS. Certificates auto-renewed via Let's Encrypt.
Encryption at rest
MongoDB encrypted disks (AES-256). Application secrets stored in environment vaults.
Authentication
Bcrypt 12-round password hashing · TOTP 2FA · Email OTP option · 7-day JWT sessions, rotated on password change.
RBAC & least-privilege
Owner / admin / staff roles with per-module access. Super-admin actions logged with reason.
Universal audit logging
Every mutation across every module captured to immutable audit collection with IP + UA + geo.
Suspicious-login detection
Failed-login throttling, geo-anomaly detection, admin alerts for high-risk patterns.
Tenant isolation
Every record tagged with company_id. Cross-tenant access blocked at the FastAPI dependency layer.
Rate limiting
Per-IP and per-user limits on auth, OTP, public forms, contact, and AI endpoints. Redis-backed in production.
Backup & restore
Per-tenant JSON exports for KYC and DSAR. Manual + scheduled backups. Admin-only restore with destructive confirmation.
Vulnerability disclosure
Coordinated-disclosure programme. Email security@genixcrm.in with PoC; we acknowledge within 24h.
Compliance status
GDPR
compliantDSAR exports via /admin/customers/{id}/dossier, right to be forgotten via DELETE, data-processing agreement available on request.
SOC 2 Type II
in progressTarget audit window Q3–Q4 2026. Evidence collection and policy authoring underway.
PCI-DSS
scope minimisedGENIX never stores card data. All payment flows handed off to PCI-Level-1 processors (Razorpay, PayPal, Dodo).
DPDP Act 2023 (India)
compliantData fiduciary obligations met. Data principal rights surfaced in /legal/privacy + DSAR endpoints.
Subprocessors
Third parties that may process customer data. We notify customers 30 days before adding a new subprocessor.
| Vendor | Purpose | Region | Website |
|---|---|---|---|
| MongoDB Atlas | Primary database | Mumbai (ap-south-1) | ↗ |
| Hostinger SMTP | Transactional + campaign email | Global | ↗ |
| Razorpay | Payment processing (INR) | India | ↗ |
| PayPal | Payment processing (international) | Global | ↗ |
| Dodo Payments | Payment processing (multi-currency) | Global | ↗ |
| Anthropic (via Emergent LLM gateway) | AI features (Claude Sonnet 4.5, Haiku 4.5) | USA | ↗ |
| OpenAI (via Emergent LLM gateway) | AI features (GPT-5) | USA | ↗ |
| ip-api.com | Geo-IP enrichment for audit logs | Global | ↗ |
Vulnerability disclosure
If you've found a security issue in GENIX Business Suite, please email security@genixcrm.in with steps to reproduce.
- We acknowledge within 24 hours.
- Critical issues are patched in-place inside 72 hours; medium/low issues land in the next scheduled release.
- We don't run a paid bug bounty today, but happily credit researchers in our changelog.
- Please don't disclose publicly until we've confirmed the fix is rolled out.