Our Commitment to Security
At KaratX, we understand that jewellers trust us with sensitive business data — inventory records, customer information, financial transactions, and operational data built over years of work. Protecting that data is a responsibility we take seriously.
This page describes the technical and organisational measures we have in place to protect your data on the KaratX platform.
1. Infrastructure Security
Encrypted Connections
All data transmitted between your browser or device and KaratX is encrypted using HTTPS and TLS across all domains — getkaratx.com, app.getkaratx.com, and getkaratx.in. Unencrypted HTTP connections are not accepted.
HTTP Security Headers
We implement industry-standard HTTP security headers, including HTTP Strict Transport Security (HSTS), which instructs your browser to connect to KaratX only over an encrypted connection.
Containerised Architecture
The KaratX platform runs on an isolated, containerised infrastructure. Each service operates within a private internal network with no unnecessary public exposure.
Private File Storage
All uploaded files and documents are stored in access-controlled storage. There are no publicly accessible file URLs. Every file request is authenticated before the file is served.
2. Authentication and Access Control
OTP-Based Authentication
The KaratX customer portal authenticates users with a one-time password (OTP) sent to their registered mobile number, so portal users have no password to create, remember, or reuse.
Role-Based Access Control
Subscriber accounts include a role-based access control system. Shop owners can assign specific roles with defined permissions to staff, so that each staff member can access only what their function requires.
Separate Session Tokens
The customer portal and the staff platform use separate, isolated authentication tokens. A portal session cannot access staff platform data and vice versa.
Rate Limiting
OTP generation, login attempts, and other sensitive endpoints are rate-limited to prevent brute-force attacks and abuse.
3. Data Isolation
Multi-Tenant Isolation
KaratX is a multi-tenant platform. Every data query is scoped to the authenticated Subscriber's account, so by design one Subscriber cannot access another Subscriber's data through normal platform use.
Outlet-Level Scoping
For multi-outlet Subscribers, data access is further scoped at the outlet level based on role and permission assignments.
4. Payment Security
Subscription payments are processed entirely by Razorpay, a PCI DSS compliant payment gateway. KaratX does not store, process, or transmit card numbers, CVVs, or full banking credentials. All payment data is handled directly by Razorpay under their security standards.
5. Monitoring and Incident Response
Error Monitoring
We use Sentry for real-time error monitoring and diagnostic logging. This helps us identify and resolve issues quickly. We apply data minimisation practices to limit personal data captured in error logs.
Session Analytics
Microsoft Clarity is used for UX and session analysis on the platform to help us identify usability issues and improve the product experience.
Incident Response
In the event of a confirmed security incident affecting Subscriber data, we will notify affected Subscribers promptly and take immediate steps to contain and remediate the issue.
6. Vulnerability Management
- We conduct periodic reviews of platform dependencies and apply security patches on a priority basis
- We do not expose unnecessary services, ports, or endpoints to the public internet
- Administrative interfaces are access-controlled and not publicly listed
7. Third-Party Security
We work with third-party processors including Razorpay, SMSAlert, Interakt, Resend, Google, Microsoft, Meta, LinkedIn, and Sentry. Each processor operates under its own security standards and certifications. We select processors with established security practices and enter into data processing terms where applicable.
We are not responsible for security incidents that originate within third-party systems beyond our control.
8. Your Role in Security
Security is a shared responsibility. As a Subscriber, you play an important role:
- Use strong, unique passwords for your KaratX account
- Do not share your login credentials with unauthorised individuals
- Revoke staff access immediately when an employee leaves or changes role
- Report any suspicious activity on your account to privacy@getkaratx.in immediately
- Ensure devices used to access KaratX are adequately secured
9. Responsible Disclosure
If you discover a potential security vulnerability in the KaratX platform, we ask that you report it to us responsibly before making it public.
Contact: privacy@getkaratx.in
Subject Line: Security Vulnerability Report
We will acknowledge your report within 5 working days and work to address valid findings promptly. We appreciate responsible disclosure and will not pursue legal action against researchers acting in good faith.
10. Contact
For any security-related concerns or queries:
Email: privacy@getkaratx.in
Address: Profit Plug, 122/2, Sant Nagar, Gali No. 2, Ratlam, Madhya Pradesh - 457001, India
© KaratX — Profit Plug. All rights reserved.