Security at Genie Bazaar

Enterprise-grade protection for your operational data. Here's exactly how we keep it safe.

Last updated: March 10, 2026

  • AES-256 encryption at rest
  • TLS 1.2+ in transit
  • Annual penetration testing
  • 24/7 infrastructure monitoring

Infrastructure & Hosting

Genie Bazaar is hosted on Amazon Web Services (AWS) in the Asia-Pacific region (primary: Mumbai ap-south-1; secondary: Singapore ap-southeast-1). AWS holds ISO 27001, SOC 1/2/3, and PCI DSS certifications.

  • Virtual Private Cloud (VPC) with private subnets for application and database tiers
  • Security groups and network ACLs enforce strict inbound/outbound traffic rules
  • No direct internet access to database or internal services
  • AWS CloudTrail and VPC Flow Logs enabled for audit and forensics
  • Automated backups with point-in-time recovery; backups encrypted and tested quarterly
  • 99.5% monthly uptime target with multi-AZ failover for critical services

Data Encryption

Scenario                                        Standard
Data at rest (database, file storage)           AES-256
Data in transit (web, API, internal services)   TLS 1.2 minimum (TLS 1.3 preferred)
Backups                                         AES-256, stored in a separate AWS account
Passwords                                       bcrypt (cost factor ≥ 12)
API tokens & secrets                            Stored in AWS Secrets Manager, never in code

SSL/TLS certificates are managed via AWS Certificate Manager with automatic renewal. We score A+ on SSL Labs for our production domains.

Access Control

  • Role-based access control (RBAC): Every user is assigned a role with the minimum permissions required (principle of least privilege).
  • Multi-factor authentication (MFA): Mandatory for all administrative and privileged accounts.
  • Session management: Sessions expire after inactivity; secure, HttpOnly, SameSite cookies with CSRF protection.
  • Production access: Limited to a small number of engineers via VPN + SSH key; all access is logged.
  • Third-party access: Sub-processors and integrations are granted the minimum OAuth scopes required.
  • Offboarding: Access is revoked within 24 hours of employee termination.

Monitoring & Threat Detection

  • Centralised logging (application, infrastructure, access) with tamper-protected log storage.
  • AWS GuardDuty for continuous threat detection and anomaly analysis.
  • Automated alerts for unusual login patterns, privilege escalation, and high error rates.
  • Uptime monitoring with automated failover and on-call PagerDuty rotation.
  • Rate limiting and brute-force protection on all authentication endpoints.
  • Web Application Firewall (WAF) protecting all public endpoints against the OWASP Top 10.

Vulnerability Management & Penetration Testing

  • Annual penetration tests conducted by independent CREST/GPEN-certified third parties covering web application, API, and infrastructure layers.
  • Automated vulnerability scanning runs on every deployment via CI/CD pipeline (SAST, DAST, SCA).
  • Dependency scanning with automated alerts for CVEs in third-party packages.
  • Patch management: Critical security patches applied within 48 hours; high severity within 7 days.
  • Penetration test summaries available to enterprise customers under NDA on request.

Incident Response

We maintain a documented Incident Response Plan (IRP) with the following response SLAs:

Severity        Definition                                         Response SLA      Customer notification
Critical (P0)   Data breach or full platform outage                1 hour            Within 4 hours
High (P1)       Partial outage or significant data exposure risk   4 hours           Within 24 hours
Medium (P2)     Degraded performance or limited data exposure      1 business day    As required
Low (P3)        Minor issues, no data risk                         3 business days   Monthly status update

Personal data breaches are notified to the relevant supervisory authority within 72 hours in compliance with GDPR Article 33. Affected data subjects are notified without undue delay where required.

Application Security

Our Secure Development Lifecycle (SDLC) includes:

  • OWASP Top 10 addressed in development standards
  • Code review required for all production changes
  • Static Application Security Testing (SAST) in CI/CD
  • SQL injection and XSS prevention via ORM and output encoding
  • CSRF protection on all state-changing requests
  • Content Security Policy (CSP) headers on all pages
  • Secrets never committed to version control (enforced via pre-commit hooks)
  • Security champion programme with quarterly training
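The session-cookie flags listed under Access Control (Secure, HttpOnly, SameSite) and the CSP header listed here are both visible in ordinary HTTP responses, so a customer doing vendor due diligence can check them without any privileged access. The script below is an added example written for this page, not Genie Bazaar's own code: it parses constructed Set-Cookie and Content-Security-Policy header values and reports which of the stated controls are absent or weakened. The sample headers, the function names (audit_response, csp_findings) and the specific CSP checks are assumptions made for illustration.

```python
"""Audit HTTP response headers against the cookie and CSP controls a vendor
security page claims. Added example; the header values below are constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class CookieFlags:
    name: str
    secure: bool = False
    httponly: bool = False
    samesite: str | None = None  # normalised to lower case: "lax", "strict", "none"


def parse_set_cookie(header: str) -> CookieFlags:
    """Extract the security-relevant attributes from one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    flags = CookieFlags(name=parts[0].split("=", 1)[0].strip())
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            flags.secure = True
        elif key == "httponly":
            flags.httponly = True
        elif key == "samesite":
            flags.samesite = value.strip().lower()
    return flags


def cookie_findings(flags: CookieFlags) -> list[str]:
    """Report every stated cookie control that this cookie does not satisfy."""
    findings = []
    if not flags.secure:
        findings.append(f"{flags.name}: missing Secure")
    if not flags.httponly:
        findings.append(f"{flags.name}: missing HttpOnly")
    # SameSite=None re-enables cross-site sending; unset relies on browser defaults.
    if flags.samesite not in ("lax", "strict"):
        findings.append(
            f"{flags.name}: SameSite is {flags.samesite or 'unset'}, expected Lax or Strict"
        )
    return findings


def csp_findings(csp: str | None) -> list[str]:
    """Flag a missing CSP, or source lists that undo its XSS protection."""
    if not csp:
        return ["missing Content-Security-Policy header"]
    directives: dict[str, list[str]] = {}
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive:
            name, *values = directive.split()
            directives[name.lower()] = values
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src fallback")
    for src in ("default-src", "script-src"):
        values = directives.get(src, [])
        if "'unsafe-inline'" in values:
            findings.append(f"{src} allows 'unsafe-inline'")
        if "*" in values:
            findings.append(f"{src} allows any origin (*)")
    return findings


def audit_response(headers: dict[str, list[str]]) -> dict[str, object]:
    """headers maps lower-cased header names to value lists (Set-Cookie repeats)."""
    findings: list[str] = []
    for raw in headers.get("set-cookie", []):
        findings.extend(cookie_findings(parse_set_cookie(raw)))
    csp_values = headers.get("content-security-policy", [])
    findings.extend(csp_findings(csp_values[0] if csp_values else None))
    return {"passed": not findings, "findings": findings}


# Constructed responses: one matching the stated controls, one that does not.
HARDENED = {
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "content-security-policy": [
        "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'"
    ],
}
WEAK = {
    "set-cookie": ["session=abc123; Path=/; SameSite=None"],
    "content-security-policy": ["default-src * 'unsafe-inline'"],
}

if __name__ == "__main__":
    for label, response in (("hardened", HARDENED), ("weak", WEAK)):
        result = audit_response(response)
        print(label, "passed" if result["passed"] else "FAILED")
        for finding in result["findings"]:
            print("  -", finding)
```

The checks are deliberately narrow: they test only what the page states (cookie flags and the presence of a CSP that does not neutralise itself with a wildcard or 'unsafe-inline'), so a clean result means the visible headers match the claims, not that the application is free of injection issues.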

Organisational Security

  • All employees undergo background verification before joining.
  • Annual security awareness training is mandatory for all staff.
  • All employees and contractors sign confidentiality and data handling agreements.
  • Security policies are reviewed annually or following significant incidents.
  • Physical access to offices is controlled; equipment is encrypted and remotely wipeable.

Responsible Disclosure

We are committed to working with the security community. If you discover a potential vulnerability in our systems, we ask that you report it to us privately before any public disclosure.

  • Report vulnerabilities to support@geniebazaar.com
  • Include a description of the issue, steps to reproduce, and potential impact.
  • We will acknowledge your report within 2 business days and provide regular updates.
  • We will not take legal action against researchers acting in good faith under this policy.
  • Please do not access, modify, or delete data that does not belong to you.

We do not currently offer a public bug bounty programme, but we recognise and appreciate responsible security researchers in our security acknowledgements.

Compliance & Certifications

Genie Bazaar's platform and operations are designed to support customers' compliance with:

Framework                          Status
India DPDP Act 2023                In progress
GDPR / UK GDPR                     Compliant
ISO 27001                          Planned 2026
SOC 2 Type II                      Planned 2026
VAPT report                        Annual — available on request
PCI DSS (via payment processor)    Covered by processor

Security documentation, VAPT reports, and compliance evidence can be provided to enterprise customers under NDA as part of vendor due diligence.

Security enquiries: support@geniebazaar.com · Privacy: Privacy Policy · GDPR: GDPR Compliance