TrueSecurixTrueSecurix Back to home
Trust and security

Security

This page describes how TrueSecurix protects your account, your API keys, and the identity data that passes through the Service. TrueSecurix is an identity and document fraud-detection API, so security is part of the product, not something bolted on later.

Encryption in transit

All traffic to and from TrueSecurix runs over HTTPS. Connections are encrypted with TLS using certificates issued by Let's Encrypt, and HSTS is enabled so browsers only ever connect over HTTPS.

API keys are stored hashed, never in plaintext

We never store your API key in plaintext. We keep only a SHA-256 hash of the key, so even we cannot read it back. If a key is leaked, you can revoke it instantly, and each key is revoked on its own without affecting your other keys.

Dashboard sessions are separate from API keys

Signing in to the dashboard and calling the API use two different credentials. A dashboard session is not an API key, and an API key gives no access to the dashboard or your account settings. If an API key leaks, an attacker still cannot log in to your dashboard. You can sign out of all devices at any time.

Admin console

Our internal admin console is protected by a strong secret token, with optional TOTP two-factor authentication (a time-based code from an authenticator app) required on top of the token.

Strict tenant isolation

Every request is scoped to the account that made it. One account can never read or reach another account's data. There is no cross-tenant access.

Rate limiting and abuse protection

Each account has its own rate limit. We also enforce upload-size limits, protect against decompression bombs (files that expand to a very large size when opened), and throttle abusive traffic.

How end-user images are handled

Selfies and ID images submitted for a check are analysed in memory and are never written to disk as files. We keep only a one-way SHA-256 hash of each file, so a customer can later prove which exact file produced a given verdict, without us holding the image itself.

Private network

The detection engine and the database run on a private network that is not exposed to the public internet. The only component reachable from outside is the HTTPS reverse proxy, which forwards requests to the API.

Deterministic, auditable decisioning

Only mathematical checks can hard-flag a submission: checksums and format rules such as the Aadhaar Verhoeff checksum, PAN format, and passport MRZ. AI signals only advise; they never decide on their own. A real customer is never auto-rejected on a guess. Anything uncertain is routed to human review.

Immutable audit log

Logins, API key changes, payments, and admin actions are written to an append-only audit log. The records are immutable, so the history of who did what cannot be quietly edited after the fact.

Responsible disclosure

If you find a security issue, please report it to security@truesecurix.com. We welcome responsible disclosure. Our machine-readable security contact is published at /.well-known/security.txt.

Compliance status

We are honest about where we are. We do not claim certifications we have not earned.

We will update this page as each item is completed.

Sub-processors

We use a small number of sub-processors to run the Service:

Sub-processorPurpose
DigitalOceanHosting (Bangalore, India region)
RazorpayPayments
ResendTransactional email
CloudflareDNS

A Data Processing Agreement (DPA) is available on request at contact@truesecurix.com.

India data residency

Data is hosted in India, in the DigitalOcean Bangalore region. The product is aligned with the Digital Personal Data Protection Act, 2023 (DPDP Act).

Contact

Security reports: security@truesecurix.com. General and DPA requests: contact@truesecurix.com.