Trust · Last updated 2026-05-14

Security & data practices.

How we secure user data, encrypt traffic, sandbox third-party scripts, and disclose vulnerabilities. We treat security as an editorial standard — not a back-office concern.

Four pillars

What we protect, and how.

Encryption in transit + at rest

All traffic uses TLS 1.3. User data and authentication tokens are stored on Supabase Postgres with AES-256 at rest. Service-role credentials never reach the browser.

Row-Level Security (RLS) on every table

Postgres RLS policies gate every read + write. Anonymous traffic can only INSERT to public-tracking tables (newsletter, web_vitals, affiliate_clicks); admin tables require authenticated admin role enforced upstream in middleware.
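As an added illustration of the split described above (anonymous INSERT-only on a public-tracking table, admin-only access on an admin table), not the site's own schema or policies, expressed with Supabase's built-in anon/authenticated roles and its auth.jwt() helper; the table columns, the SHA-256 length check and the app_role claim under app_metadata are assumptions:

```sql
-- Added example, not the site's actual schema. Assumes Supabase's anon and
-- authenticated roles and auth.jwt(); columns and the app_role claim are hypothetical.

-- 1. Public-tracking table: anonymous visitors may only INSERT, never read back.
create table if not exists public.newsletter (
  id         bigint generated always as identity primary key,
  email_hash text not null,                 -- store a hash, never the raw address
  created_at timestamptz not null default now()
);

alter table public.newsletter enable row level security;

-- Role-level grants limit the verbs; RLS policies then limit the rows.
revoke all on public.newsletter from anon, authenticated;
grant insert on public.newsletter to anon;

-- With RLS enabled and no SELECT policy, anon cannot read rows (even its own).
create policy newsletter_anon_insert
  on public.newsletter
  for insert
  to anon
  with check (length(email_hash) = 64);     -- hypothetical: hex SHA-256 only

-- 2. Admin table: every verb requires an authenticated session carrying the admin claim.
create table if not exists public.audit_log (
  id         bigint generated always as identity primary key,
  actor_id   uuid not null,
  action     text not null,                 -- e.g. 'article_publish', 'user_role_change'
  created_at timestamptz not null default now()
);

alter table public.audit_log enable row level security;
revoke all on public.audit_log from anon, authenticated;
grant select, insert on public.audit_log to authenticated;

-- USING filters rows on read/update/delete; WITH CHECK validates inserted/updated rows.
create policy audit_log_admin_only
  on public.audit_log
  for all
  to authenticated
  using      ((auth.jwt() -> 'app_metadata' ->> 'app_role') = 'admin')
  with check ((auth.jwt() -> 'app_metadata' ->> 'app_role') = 'admin');
```

The middleware check described on this page sits in front of these policies; the policies are the last line of defence if a request reaches the database directly with a user's JWT.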

No third-party tracking pixels in production

We use first-party PostHog + Sentry for error/perf telemetry. No Facebook Pixel, no Hotjar session-replay, no advertising SDKs. Affiliate-network scripts (Cuelinks/EarnKaro) load only on a user-initiated apply-now click.

Hardened deployment surface

Hosted on Vercel with Fluid Compute, Node 24 LTS, structured logging, request rate-limiting on all /api/* and /admin/* routes via Upstash Redis. Cron secrets rotated quarterly.

Operating practices

Day-to-day discipline.

  • Quarterly secret rotation: CRON_SECRET, Supabase JWT signing key, third-party API keys
  • RLS policies tested in CI + verified post-migration
  • DOMPurify sanitization on user-generated and AI-generated HTML rendering
  • Audit log on every admin action (article publish, product edit, user role change)
  • Sentry alerts on 5xx spikes, Slack notifications on cron failures
  • Defence-in-depth: middleware auth + layout-level guards + route-level admin checks
  • Regular dependency audits via `npm audit` + GitHub Dependabot
  • No PII in logs or analytics_events — emails are hashed for ip_hash columns

Breach notification

What happens if something does go wrong.

The Digital Personal Data Protection Act 2023 (Section 8) and the CERT-In Cyber Security Directions 2022 set a clear timeline for handling a personal-data breach. Our response sequence:

  • CERT-In notified within 6 hours of becoming aware of a reportable incident.
  • Affected users notified without undue delay, by email and (for logged-in users) an in-app banner.
  • Data Protection Board of India notified once that authority is operational under DPDP 2023.
  • A public post-mortem published on this page within 30 days.

For ongoing grievances about your data, /grievance is the named channel (30-day SLA per DPDP §13).

Responsible disclosure

Found a vulnerability?

Email security@investingpro.in with a description, reproduction steps, and the impact you observed. Please do not run automated scanners against production. We acknowledge reports within 48 hours and aim to remediate critical issues within 7 days. We do not currently run a paid bug bounty but will publicly credit security researchers who help us improve.

Out of scope

Subdomain takeover of marketing-only properties, missing HTTP security headers without proven impact, social-engineering of staff, denial-of-service.

Security policy v1.0 · last updated 2026-05-14