Security
Built on Mumbai-region infrastructure
Forkcast handles real restaurant operating data, and we treat it accordingly. Hosting, encryption, access, and our DPDP-aligned data lifecycle are covered below.
The stack
Compute runs on Vercel (region bom1, Mumbai). Database is Supabase Postgres (region ap-south-1, Mumbai). Background jobs use Inngest. Email is Resend. Errors and performance are tracked through Sentry. WhatsApp briefs go through Twilio.
We use first-party cookies for authentication only. Analytics is Vercel Web Analytics, gated by user consent under DPDP — declined by default, no third-party tracking pixels.
Controls
What we do operationally
- TLS 1.2+ on all traffic. HSTS preloaded for forkcast.in.
- Encryption at rest for Postgres + backups.
- Per-account data isolation enforced at the application layer; SQL row-level security on sensitive tables.
- SSO + 2FA for all engineering access.
- Production read access logged; quarterly access review.
- Vulnerability scanning on every deploy. Renovate keeps dependencies current.
- Penetration test scheduled annually.
FAQ
Security FAQ
Where is my data stored?
Compute on Vercel, primary region bom1 (Mumbai). Database on Supabase, primary region ap-south-1 (Mumbai). Backups within India only.
Do you encrypt data at rest?
Yes. Postgres TDE for the primary database, encrypted backups, and TLS 1.2+ in transit. Secrets are stored in Vercel and never committed to source control.
Who can access the production database?
A short list of engineering staff under audit. Access is via SSO + 2FA. Every read of production is logged. We do not expose raw POS rows in any internal dashboard.
Are you SOC 2 certified?
We're on a 12-month path to SOC 2 Type II. Enterprise pilots can request our SIG-Lite + DPDP audit pack.
Do you support SSO?
Email + password and Google OAuth today. SAML SSO for enterprise pilots on request.
How do you handle data deletion?
Account closure triggers a 30-day soft-delete window followed by hard purge. You can request immediate deletion via privacy@forkcast.in under DPDP.