Security

Last updated: 2026-06-09

Encryption

Data in Transit. All communication between your browser and VigyanLLM servers is encrypted using TLS 1.2 or higher. Every public endpoint — including the web application, API routes, and authentication callbacks — enforces HTTPS. HTTP requests are automatically redirected to HTTPS. We use modern cipher suites and regularly review our TLS configuration against industry best practices.

Data at Rest. All persistent data stored in our PostgreSQL database and file storage systems is encrypted at rest using AES-256 encryption. Database backups are similarly encrypted. Encryption keys are managed through secure key-management infrastructure with restricted access and automatic rotation.

Authentication

User passwords are hashed using bcrypt with a cost factor of 10 or higher before being stored. No plaintext passwords are ever stored or logged. For users who prefer social login, we support Google OAuth 2.0, which delegates credential handling to Google's authentication infrastructure. Rate limiting is applied to all authentication endpoints — including login, registration, and password reset — to mitigate brute-force and credential-stuffing attacks. Session tokens are generated using HMAC-SHA256 with a server-side secret, transmitted via the Authorization header, stored in browser sessionStorage, and invalidated on logout or server restart.

Payment Security

All payments are processed through Razorpay, a PCI-DSS Level 1 compliant payment gateway — the highest level of payment security certification. Payment card details, UPI credentials, and net-banking passwords are captured directly by Razorpay's hosted checkout page and never transmitted to or stored on VigyanLLM servers. Our backend verifies payment signatures using Razorpay's webhook signature verification to ensure that only legitimate payment confirmations result in credit allocation. This prevents fraud, replay attacks, and unauthorised credit manipulation.
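The webhook check described above, sketched as an added example (not VigyanLLM's or Razorpay's own code): it verifies the HMAC-SHA256 signature over the raw body and de-duplicates on the event id so a re-delivered confirmation is credited once. The function names, the in-memory stores, the `notes.user_id` convention and all sample values are assumptions constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Razorpay signs the raw request body with HMAC-SHA256 under the webhook secret
// and sends the hex digest in the X-Razorpay-Signature header. Verify the exact
// bytes received (not re-serialised JSON) and compare in constant time.
function verifySignature(rawBody, signatureHex, secret) {
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const given = Buffer.from(String(signatureHex), "hex"); // bad hex yields a short buffer
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Hypothetical in-memory stores. Serverless functions keep no state between
// invocations, so a real handler needs a database table with a unique
// constraint on the event id instead.
const seenEvents = new Set();
const credits = new Map();

// eventId is the value of the x-razorpay-event-id header.
// Returns "rejected", "duplicate", "ignored" or "credited".
function handleWebhook(rawBody, signatureHex, eventId, secret) {
  if (!eventId || !verifySignature(rawBody, signatureHex, secret)) return "rejected";
  if (seenEvents.has(eventId)) return "duplicate"; // re-delivery of a signed message
  seenEvents.add(eventId);
  const event = JSON.parse(rawBody); // parse only after the signature checks out
  if (event.event !== "payment.captured") return "ignored";
  const payment = event.payload.payment.entity;
  const userId = payment.notes && payment.notes.user_id; // assumed convention
  if (!userId) return "ignored";
  credits.set(userId, (credits.get(userId) || 0) + payment.amount); // amount in paise
  return "credited";
}

// Constructed sample: the secret, body and signature below are made up.
const SAMPLE_SECRET = "constructed_webhook_secret";
const SAMPLE_BODY = JSON.stringify({
  event: "payment.captured",
  payload: { payment: { entity: { id: "pay_EXAMPLE", amount: 49900, notes: { user_id: "u1" } } } },
});
const SAMPLE_SIG = crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");
```
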

Infrastructure Security

VigyanLLM is deployed on Vercel's edge network, which provides DDoS mitigation, WAF (Web Application Firewall) filtering, and automatic HTTPS enforcement at the CDN layer. Application logic runs in serverless functions with no persistent local filesystem, reducing the attack surface. Our PostgreSQL database is hosted on managed infrastructure with automated patching, encrypted storage volumes, and network-level access controls that restrict connections to authorised application servers only. We do not share infrastructure or data with third parties beyond the explicit integrations described in our Privacy Policy. Access to production systems and administrative dashboards is restricted to authenticated personnel and logged for audit.

Vulnerability Disclosure Policy

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it privately to security@vigyanllm.in. Include a clear description of the vulnerability, steps to reproduce, and your assessment of potential impact. Do not access, modify, or exfiltrate data belonging to other users during your research. Do not perform denial-of-service, social engineering, or physical security tests without prior coordination. We commit to acknowledging your report within 72 hours, providing regular updates on remediation progress, and offering appropriate recognition for verified disclosures.

Incident Response

In the event of a security incident — including data breach, unauthorised access, or service compromise — we follow a structured incident response plan: containment to limit further exposure, forensic investigation to determine root cause and scope, remediation to close the vulnerability and restore normal operations, and notification to affected users and relevant authorities as required by applicable law. We maintain internal audit logs that record authentication events, payment verifications, administrative actions, and privilege escalations to facilitate rapid investigation.

Contact

For security concerns, vulnerability reports, or incident-related inquiries, contact security@vigyanllm.in.