Security is a product requirement, not a footnote.
Instaply handles resumes, work authorization, demographic data, and payment data. Here is how we protect it.
Our five pillars
TLS 1.3 for every request in transit. AES-256 at rest for databases and storage via Supabase. Secrets live in a managed KMS; we do not ship secrets in code.
Row-level security enforces per-user data isolation at the database layer. Staff access is on a least-privilege basis and logged. No engineer has default access to production user data.
Every sensitive action — profile updates, application submissions, MCP token creation, billing events — writes to an append-only audit log. IPs are salted and hashed before storage.
Credit grants and debits are append-only. Refunds and reversals are recorded as new rows, never by editing history. This makes balance reconstruction deterministic and tamper-evident.
Razorpay processes all payments. We never see or store your full card number. Razorpay is PCI-DSS Level 1 compliant.
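The append-only credit ledger described above, as an added sketch that is not Instaply's own code: the table name, columns and the use of SQLite triggers (standing in for the Postgres database behind Supabase) are assumptions made for illustration. It shows a refund recorded as a new row, edits to history being rejected, and the balance rebuilt purely from the rows.

```python
import sqlite3

# Hypothetical schema: every credit movement is one signed row.
SCHEMA = """
CREATE TABLE credit_ledger (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id  TEXT    NOT NULL,
    kind     TEXT    NOT NULL CHECK (kind IN ('grant','debit','refund','reversal')),
    amount   INTEGER NOT NULL CHECK (amount <> 0),
    reverses INTEGER REFERENCES credit_ledger(id),  -- row being undone, if any
    CHECK ((kind IN ('refund','reversal')) = (reverses IS NOT NULL))
);
-- A row can be undone at most once.
CREATE UNIQUE INDEX one_undo_per_row ON credit_ledger(reverses)
    WHERE reverses IS NOT NULL;
CREATE TRIGGER ledger_no_update BEFORE UPDATE ON credit_ledger
BEGIN SELECT RAISE(ABORT, 'credit_ledger is append-only'); END;
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON credit_ledger
BEGIN SELECT RAISE(ABORT, 'credit_ledger is append-only'); END;
"""

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def append(db, user_id, kind, amount, reverses=None):
    cur = db.execute(
        "INSERT INTO credit_ledger (user_id, kind, amount, reverses) VALUES (?,?,?,?)",
        (user_id, kind, amount, reverses))
    db.commit()
    return cur.lastrowid

def reverse(db, row_id, kind="reversal"):
    """Undo a row by appending its negation; the original row is untouched."""
    user_id, amount = db.execute(
        "SELECT user_id, amount FROM credit_ledger WHERE id = ?", (row_id,)).fetchone()
    return append(db, user_id, kind, -amount, reverses=row_id)

def balance(db, user_id):
    """Balance is always recomputed from history, never stored and edited."""
    return db.execute("SELECT COALESCE(SUM(amount), 0) FROM credit_ledger "
                      "WHERE user_id = ?", (user_id,)).fetchone()[0]

def try_tamper(db, sql):
    """Run a statement that should be refused; return the error text or None."""
    try:
        db.execute(sql)
    except sqlite3.DatabaseError as exc:
        db.rollback()
        return str(exc)
    return None
```

Triggers only stop changes made through ordinary SQL; a database owner can drop them, so a real deployment would also revoke UPDATE and DELETE privileges on the table from application roles.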
Compliance
- India's Digital Personal Data Protection Act, 2023 (DPDP Act)
- EU General Data Protection Regulation (GDPR), where applicable
- Standard Contractual Clauses for cross-border EU transfers
- DPDP Act § 16 permissions for transfers out of India
Our full list of sub-processors and retention rules is in the Privacy Policy.
Incident response
- We monitor for breaches continuously
- On a confirmed breach, we notify affected users and the Data Protection Board of India within 72 hours
- Contact hello@asion.ai for any security concern — we treat all reports seriously
Responsible disclosure
Found a vulnerability? Email hello@asion.ai with the subject “Security report”. Please do not publicly disclose before we have had a reasonable window to fix it. We acknowledge reports within 48 hours.