Legal · Platform Security
Security Policy
Last Updated: March 11, 2026 · Applies to all Subix products and services
Infrastructure Security
Subix's entire platform runs on Supabase and Vercel infrastructure — both of which operate on hardened cloud environments with independent security certifications.
- All servers hosted in ISO 27001-certified data centres (AWS eu-central-1 / ap-south-1)
- Network traffic encrypted end-to-end via TLS 1.3
- DDoS protection via Cloudflare with automatic mitigation rules
- Regular automated security patching for all infrastructure dependencies
- Database network access restricted to application services only — no public database endpoints
- Daily automated backups with 30-day point-in-time recovery available
Application Security
Every layer of the Subix application stack is designed with security as a first principle — not an afterthought.
- Authentication: Secure session management via Supabase Auth with JWT tokens stored in HttpOnly cookies — not localStorage
- Password Security: Passwords are never stored in plaintext; bcrypt hashing with salting applied by Supabase Auth
- CSRF Protection: Cross-site request forgery tokens on all state-changing API requests
- Input Validation: Server-side input sanitisation and parameterised queries to prevent SQL injection
- XSS Prevention: Content Security Policy headers and output encoding on all dynamic content
- Dependency Scanning: Automated scanning for known CVEs in npm and system dependencies
Data Protection
Your business data — leads, employees, payroll records — is treated with the highest security standards.
- Encryption at Rest: AES-256 encryption for all stored data across all Supabase tables and storage buckets
- Encryption in Transit: All API communication over TLS 1.3; no unencrypted connections permitted
- Row Level Security (RLS): PostgreSQL RLS policies enforced at the database level — one organisation cannot access another's data even through direct API calls
- File Storage: Documents uploaded to HRMS are stored in private Supabase Storage buckets — not publicly accessible
- Secrets Management: All API keys and credentials stored as encrypted environment variables — never in source code
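To make the Row Level Security guarantee above concrete, here is an added illustration of how tenant isolation is expressed as PostgreSQL RLS policies on Supabase. This is example code written for this page, not Subix's schema or policies; the table and column names (`organisations`, `organisation_members`, `leads`) are assumptions, while `auth.uid()`, the `authenticated` role and the `request.jwt.claims` setting are Supabase's own.

```sql
-- Added illustration (not Subix's own schema): tenant isolation with PostgreSQL RLS
-- on Supabase. Table and column names are assumptions for this example.
create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership table links Supabase Auth users (auth.users.id) to organisations.
create table organisation_members (
  organisation_id uuid not null references organisations(id),
  user_id         uuid not null references auth.users(id),
  primary key (organisation_id, user_id)
);

create table leads (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null references organisations(id),
  name            text not null,
  created_at      timestamptz not null default now()
);

-- Enable and force RLS. A table with RLS enabled but no policy denies all rows,
-- and FORCE makes the table owner subject to the policies as well.
alter table leads enable row level security;
alter table leads force row level security;
alter table organisation_members enable row level security;

-- A user may read only their own membership rows. auth.uid() is Supabase's helper
-- that returns the authenticated user's id from the request JWT.
create policy members_self_select on organisation_members
  for select using (user_id = auth.uid());

-- Leads are readable and writable only inside organisations the caller belongs to.
-- The same predicate in USING (select/update/delete) and WITH CHECK (insert/update)
-- stops a caller from moving or creating a row under another organisation.
create policy leads_tenant_isolation on leads
  for all
  using (
    organisation_id in (
      select organisation_id from organisation_members
      where user_id = auth.uid()
    )
  )
  with check (
    organisation_id in (
      select organisation_id from organisation_members
      where user_id = auth.uid()
    )
  );

-- Verification in a transaction: impersonate an authenticated user the way
-- Supabase's API layer does for each request (role + JWT claims), then query.
-- The placeholder sub below is a constructed user id, not a real account.
begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) from leads;   -- counts only rows in this user's organisations
rollback;
```

Because the policies live in the database, they apply equally to the web application, to direct REST or GraphQL calls through the Supabase API, and to any future service that connects with a per-user JWT. The check at the end assumes Supabase's default grants for the `authenticated` role on tables in the `public` schema; when run against a fresh Postgres without those grants, the explicit `grant select, insert, update, delete on leads, organisation_members to authenticated` is needed first.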
Access Controls
Internal access to production systems is strictly limited and audited.
- No Subix team member has permanent access to customer database records — all access is time-limited and logged
- Multi-factor authentication (MFA) required for all internal Supabase dashboard access
- Principle of least privilege applied to all internal roles — each team member accesses only what they need
- All internal access to production databases is logged with timestamps, user identity, and queries executed
- External access requires VPN and MFA — no remote direct database connections
Incident Response
In the event of a confirmed security incident affecting customer data, Subix commits to the following response timeline:
- Detection to containment: Within 4 hours of internal discovery
- Customer notification: Within 72 hours — email sent to all affected account owners
- Incident report: Published within 7 days of resolution — root cause, impact, and remediation steps
- Regulatory notification: Where required by law (IT Act, GDPR), authorities notified within required timelines
Our incident response team is on-call 24/7 for severity-1 events (active data breaches or platform outages).
Responsible Disclosure
We welcome security researchers who responsibly disclose vulnerabilities found in Subix products. We commit to:
- Acknowledge your report within 48 hours
- Investigate and reproduce the vulnerability within 7 days
- Provide a fix timeline and keep you updated on progress
- Credit you in our security acknowledgements (if you wish) upon fix release
- Not pursue legal action against researchers who follow responsible disclosure guidelines
In Scope: subix.in, accounts.subix.in, leados.subix.in, hrms.subix.in, and all API endpoints.
Out of Scope: Social engineering attacks, physical security, denial of service attacks.