Ketpy Authenticator
Security & Compliance

Security baked in — not bolted on.

Tenant isolation, prepared statements, CSRF tokens, rate limits, audit logs — every security decision is exposed in plain sight. No "trust us" marketing badges.

  • 100% PDO prepared queries
  • Bcrypt cost-12 password hashing
  • Login rate-limit: 5 fails / 15 minutes
  • Public verify rate-limit: 30 attempts / 10 minutes
Security commitments

Six categories. No hand-waving.

Every item below is a concrete engineering decision in our codebase — not a slogan.

Data & storage

India-resident
  • Servers in India — no cross-border data transfer
  • Bcrypt cost-12 password hashing across all tables
  • DB-backed sessions, regenerated on login
  • HttpOnly + SameSite=Lax cookies, Secure on HTTPS
  • 90-day grace retention after non-renewal & on request
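The hashing and cookie settings listed above map onto a handful of PHP calls. The following is an added example (not Ketpy's code) showing cost-12 bcrypt with transparent rehash, the single `KAUTH_SID` session cookie set HttpOnly and SameSite=Lax with Secure only when the request is served over HTTPS, and session-id regeneration on login. It assumes PHP 7.3 or later; the DB-backed session store the page mentions would sit behind `session_set_save_handler()` and is not shown here.

```php
<?php
// Added example (not Ketpy's code): bcrypt cost-12 hashing and a hardened
// session cookie that is regenerated on successful login.
declare(strict_types=1);

const BCRYPT_COST = 12; // matches the page's "cost-12" claim

function hashPassword(string $plain): string
{
    // PASSWORD_BCRYPT with an explicit cost; password_hash() generates the salt.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $plain, string $hash): bool
{
    return password_verify($plain, $hash);
}

function needsRehash(string $hash): bool
{
    // True when the stored hash uses a different algorithm or cost, so it can
    // be upgraded on the next successful login without bothering the user.
    return password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function startHardenedSession(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_name('KAUTH_SID');           // the one first-party cookie named on the page
    session_set_cookie_params([
        'lifetime' => 0,                 // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => $https,            // Secure flag only when served over HTTPS
        'httponly' => true,              // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after verifyPassword() succeeded. A fresh id defeats session
// fixation; passing true deletes the old session file/row server-side.
function onSuccessfulLogin(int $userId, string $storedHash, string $plain): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();

    if (needsRehash($storedHash)) {
        $newHash = hashPassword($plain);
        // Persist $newHash for $userId here (prepared UPDATE, not shown).
    }
}
```

The rehash check is what keeps a cost-12 claim true over time: if the cost is ever raised, existing accounts pick up the new cost at their next login instead of staying on the old parameters indefinitely.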

Access & rate-limit

Brute-force proof
  • Service Provider vs. Manager — clear privilege separation
  • Force-change-on-first-login enforced
  • Login rate-limit: 5 fails / 15 min / email
  • Public verify rate-limit: 30 attempts / IP / 10 min
  • Image CAPTCHA on both login pages
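The two limits above (5 failures per email per 15 minutes, 30 verify attempts per IP per 10 minutes) can share one sliding-window limiter. The following is an added example (not Ketpy's code) of such a limiter over a PDO table; the `rate_events` table and its columns are constructed for this example, and the code assumes PHP 8.0 or later.

```php
<?php
// Added example (not Ketpy's code): sliding-window rate limiter backed by a
// PDO table, parameterised for the two limits the page states.
// Assumed table (constructed for this example):
//   CREATE TABLE rate_events (
//     bucket      VARCHAR(32)  NOT NULL,
//     subject     VARCHAR(255) NOT NULL,
//     occurred_at INT UNSIGNED NOT NULL,
//     INDEX (bucket, subject, occurred_at)
//   );
declare(strict_types=1);

final class RateLimiter
{
    public function __construct(private PDO $db) {}

    /** True if $subject already has $max events in $bucket within the last $windowSec seconds. */
    public function isLimited(string $bucket, string $subject, int $max, int $windowSec): bool
    {
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM rate_events
              WHERE bucket = :bucket AND subject = :subject AND occurred_at > :since'
        );
        $stmt->execute([
            ':bucket'  => $bucket,
            ':subject' => $subject,
            ':since'   => time() - $windowSec,
        ]);
        return (int) $stmt->fetchColumn() >= $max;
    }

    /** Record one event: every failed login, or every public verify request. */
    public function record(string $bucket, string $subject): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO rate_events (bucket, subject, occurred_at)
             VALUES (:bucket, :subject, :now)'
        );
        $stmt->execute([':bucket' => $bucket, ':subject' => $subject, ':now' => time()]);
    }

    /** Housekeeping for a cron job: drop rows older than the longest window. */
    public function prune(int $olderThanSec = 15 * 60): void
    {
        $stmt = $this->db->prepare('DELETE FROM rate_events WHERE occurred_at <= :cutoff');
        $stmt->execute([':cutoff' => time() - $olderThanSec]);
    }
}

// The page's two limits as named checks.
function loginIsLocked(RateLimiter $rl, string $email): bool
{
    // Normalise so "A@example.com" and "a@example.com" share one bucket.
    return $rl->isLimited('login_fail', strtolower(trim($email)), 5, 15 * 60);
}

function verifyIsLocked(RateLimiter $rl, string $ip): bool
{
    return $rl->isLimited('verify', $ip, 30, 10 * 60);
}

// Typical login-handler shape: refuse before checking the password, record
// only failures, so a successful login does not consume the budget.
function handleLoginAttempt(RateLimiter $rl, string $email, callable $checkPassword): bool
{
    if (loginIsLocked($rl, $email)) {
        return false;
    }
    if ($checkPassword($email)) {
        return true;
    }
    $rl->record('login_fail', strtolower(trim($email)));
    return false;
}
```

The count-then-insert pair is not atomic, so a tight burst can overshoot the limit by a few requests before the count catches up; for a brute-force limiter that slack is acceptable, and keying the login bucket on the email (rather than the IP) is what makes the lock follow the targeted account.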

Tenant isolation

By construction
  • Every record-touching query carries tenant_id
  • Managers literally cannot see other tenants' data
  • Per-tenant primary colour, logo, welcome copy
  • Suspend / reactivate flips the public portal politely
  • Impersonation logged at both start & end

Code & input hygiene

Hardened
  • PDO prepared statements only — no string concatenation
  • CSRF tokens on every state-changing form, verified server-side
  • HTML-escape on every dynamic echo
  • File uploads filtered by extension + MIME via finfo
  • Storage dir blocks PHP execution via .htaccess
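Three of the items above (CSRF tokens verified server-side, HTML-escaping on echo, and extension-plus-finfo upload filtering) fit in one small set of helpers. The following is an added example (not Ketpy's code); the `_csrf` field name, the `UPLOAD_ALLOWED` map and the 2 MB size cap are choices made for this example, and it assumes PHP 7.4 or later with the fileinfo extension enabled.

```php
<?php
// Added example (not Ketpy's code): CSRF issue/verify with a constant-time
// compare, an HTML-escape helper for every dynamic echo, and an upload filter
// that requires the extension and the finfo-detected MIME type to agree.
declare(strict_types=1);

/** HTML-escape for every dynamic echo; ENT_QUOTES also covers attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function csrfToken(): string
{
    // One token per session: 32 random bytes, hex-encoded for form embedding.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfFieldHtml(): string
{
    return '<input type="hidden" name="_csrf" value="' . e(csrfToken()) . '">';
}

/** Call at the top of every state-changing handler; reject the request when false. */
function csrfIsValid(array $post): bool
{
    $sent     = $post['_csrf'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time so the token cannot be guessed byte by byte.
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Allow-list (constructed for this example): extension => MIME types finfo may report.
const UPLOAD_ALLOWED = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'pdf'  => ['application/pdf'],
];

/**
 * Validate one entry of $_FILES. Returns the extension to store the file under,
 * or null when the upload is rejected. Store under a generated name (e.g. a
 * random hex string plus this extension), never under the client-supplied name.
 */
function validateUpload(array $file, int $maxBytes = 2_000_000): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (($file['size'] ?? 0) > $maxBytes) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(UPLOAD_ALLOWED[$ext])) {
        return null;                       // extension not on the allow-list
    }
    // $file['type'] is whatever the client claimed; sniff the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, UPLOAD_ALLOWED[$ext], true)) {
        return null;                       // extension and content disagree
    }
    return $ext;
}
```

The upload check is defence in depth alongside the `.htaccess` item: even if a renamed script slipped past the allow-list, a storage directory whose `.htaccess` carries `php_flag engine off` (mod_php) or denies requests for `.php` files with a `<FilesMatch>` block means Apache will never execute it.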

Audit & activity

Everything logged
  • Every state-changing action recorded with actor + IP + UA
  • Impersonation start & end both logged
  • Filterable activity log + CSV export
  • Failed verification attempts logged separately
  • Login failures logged with attempted email + IP
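The tenant-isolation list above and this audit list describe the same data-access discipline: every query binds `tenant_id`, and every state change writes an audit row carrying actor, IP and User-Agent. The following is an added example (not Ketpy's code) of a small repository and audit writer built that way. The `members` and `activity_log` tables, the `member.suspend` action name and the `TenantContext` class are constructed for this example, and it assumes PHP 8.1 or later.

```php
<?php
// Added example (not Ketpy's code): tenant-scoped prepared statements plus an
// audit writer that records actor, IP and User-Agent for each state change.
// Assumed tables (constructed for this example):
//   members(id, tenant_id, email, status)
//   activity_log(tenant_id, actor_id, impersonator_id, action, target, ip, user_agent, created_at)
declare(strict_types=1);

final class TenantContext
{
    public function __construct(
        public readonly int $tenantId,
        public readonly int $actorId,
        public readonly ?int $impersonatorId = null, // set while a provider user impersonates a manager
    ) {}
}

final class AuditLog
{
    public function __construct(private PDO $db, private TenantContext $ctx) {}

    public function record(string $action, string $target): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO activity_log
                (tenant_id, actor_id, impersonator_id, action, target, ip, user_agent, created_at)
             VALUES
                (:tenant_id, :actor_id, :impersonator_id, :action, :target, :ip, :ua, :now)'
        );
        $stmt->execute([
            ':tenant_id'       => $this->ctx->tenantId,
            ':actor_id'        => $this->ctx->actorId,
            ':impersonator_id' => $this->ctx->impersonatorId,
            ':action'          => $action,
            ':target'          => $target,
            ':ip'              => $_SERVER['REMOTE_ADDR'] ?? '',
            ':ua'              => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 512),
            ':now'             => time(),
        ]);
    }
}

final class MemberRepository
{
    public function __construct(private PDO $db, private TenantContext $ctx) {}

    /** Fetch one member; a row belonging to another tenant is unreachable by construction. */
    public function find(int $memberId): ?array
    {
        $stmt = $this->db->prepare(
            'SELECT id, tenant_id, email, status FROM members
              WHERE id = :id AND tenant_id = :tenant_id'
        );
        $stmt->execute([':id' => $memberId, ':tenant_id' => $this->ctx->tenantId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }

    /** Suspend a member and write the audit row in the same transaction. */
    public function suspend(int $memberId, AuditLog $audit): bool
    {
        $this->db->beginTransaction();
        try {
            $stmt = $this->db->prepare(
                'UPDATE members SET status = :status
                  WHERE id = :id AND tenant_id = :tenant_id'
            );
            $stmt->execute([
                ':status'    => 'suspended',
                ':id'        => $memberId,
                ':tenant_id' => $this->ctx->tenantId,
            ]);
            $changed = $stmt->rowCount() === 1;   // 0 rows: wrong tenant or no such member
            if ($changed) {
                $audit->record('member.suspend', 'member:' . $memberId);
            }
            $this->db->commit();
            return $changed;
        } catch (Throwable $e) {
            $this->db->rollBack();
            throw $e;
        }
    }
}
```

Because `tenantId` comes from the authenticated session rather than from request parameters, a manager who tampers with a member id in the URL simply gets zero rows back; and writing the audit row inside the same transaction as the change means the log can never show an action that did not happen, or miss one that did.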

Compliance posture

DPDP Act 2023
  • Right to access, correction, deletion on email request
  • 90-day grace retention after non-renewal
  • Children's data: organisation = controller, Ketpy = processor
  • No third-party analytics, no Facebook Pixel, no GA
  • One first-party session cookie — KAUTH_SID

Responsible disclosure

Found a vulnerability? Write to us.

We promise to read your email within 24 hours, acknowledge within 48 hours, and patch high-severity issues within 7 days.

team@ketpy.com

PGP-encrypted disclosure available on request. We do not currently run a bug bounty — but we credit researchers publicly (with permission) and send a small token of thanks.

How we differ

Real engineering. Not compliance theatre.

Most "secure" SaaS products buy a badge and forget about it. We expose every concrete decision.

Compliance theatre

Look at our shiny badge.

  • "SOC 2" / "ISO 27001" badge on the homepage — no detail.
  • "Bank-grade encryption" but the cookie is plain HTTP.
  • 50-page privacy policy nobody reads.
  • Vague "multi-tenant architecture" promises — no source-level proof.

What Ketpy actually does

Concrete decisions, exposed.

  • Bcrypt cost-12, HttpOnly + SameSite=Lax + Secure on HTTPS.
  • Every query is a prepared statement. Audit grep returns zero $_POST in SQL.
  • One-page privacy policy in plain English.
  • tenant_id in every query — grep your codebase, see for yourself.

Questions or concerns?

Talk to the engineers, not a chatbot.

Email team@ketpy.com and we'll get an engineer on the thread within a business day.