Aayu
Security

We treat your project data the way you treat your customers' trust.

Aayu is built around your bid documents, IPCs, GRNs, and contractor PII. The list below is what we ship today — every claim is backed by the codebase, not aspirational. Have a question we don't cover? security@aayu.app.

Authentication

  • Magic-link sign-in (Auth.js v5) + Google OAuth — no passwords stored.
  • TOTP 2FA + single-use recovery codes for any admin user.
  • WebAuthn / FIDO2 (Touch ID, Windows Hello, hardware keys) as a phishing-resistant alternative to TOTP.
  • Step-up gate: every destructive admin action (audit prune, user PII erasure, key revoke) re-prompts for 2FA.

Multi-tenancy & isolation

  • Every row is scoped to an organizationId; cross-tenant queries are physically prevented at the query layer.
  • Subcontractor role with project-scope JSON for partner companies — they only see what you grant them.
  • Per-org claim/role mapping for SSO so enterprise IDPs drop users into the right tenant + role automatically.
  • Audit log hash chain — each row's SHA-256 links to the prior row, making post-hoc tampering detectable.

Data protection

  • TLS in transit (terminate at the edge, re-encrypt to backend).
  • Pluggable storage backend (disk / S3 / R2) — production defaults to S3 with server-side encryption (bucket policy).
  • Razorpay-hosted card flow — we never see or store payment instrument data; Subscriptions API + signed webhooks only.
  • DPDP-compliant data export (admins can self-serve a tenant-wide export from /settings/privacy).
  • Audit log cold archival to S3 (gzipped JSONL) keeps the hot table small without losing the chain-of-custody.

Access control

  • 7 first-class roles: ADMIN, PM, SITE_ENGINEER, FINANCE_QS, STORE, HR, SUBCONTRACTOR — read/write matrix per module.
  • Multi-stage approval chains for IPCs ≥ ₹1 Cr (PM → Finance) and ≥ ₹5 Cr (parallel + ADMIN escalation after 24h).
  • Per-line IPC signoff — a single FLAGGED line blocks certify until reworked.
  • Public API keys are SHA-256-hashed at rest with scoped allow-lists (read:projects/ipcs/pos/vendors/audit, write:payments).

Operations

  • OpenTelemetry traces + Sentry observability (env-toggled, no-op when unset).
  • Rate-limit on every mutation (Redis-backed Lua atomic; in-memory fallback).
  • Daily housekeeping crons: idempotency-key cleanup, expired-session sweep, audit archival, billing-expiry sweep.
  • Health endpoint at /api/health for uptime monitoring.

Compliance posture

  • DPDP (Digital Personal Data Protection Act, India) — data export + erasure flows shipped.
  • GST e-invoicing (NIC IRN), e-way bill, GSTR-2A reconciliation, TDS Form 26Q export — all built-in.
  • MSME 45-day breach detection + payment alerts.
  • SOC 2 Type 1 readiness pack on the roadmap (target Q3).

Responsible disclosure: If you've found a security issue, please email security@aayu.app with details and a proof-of-concept. We'll acknowledge within 48 hours and publish an advisory after the fix is rolled out.