Trust
Security
Encryption
- All data in transit: TLS 1.3 with HSTS preloaded.
- All data at rest: AES-256 via Supabase managed encryption.
- Application-layer encryption for IEC, GSTIN, banking metadata using AWS KMS keys we own (Mumbai region).
- Secrets: managed in HashiCorp Vault, rotated quarterly.
Access controls
- Production access limited to two engineers with FIDO2 hardware-key 2FA.
- Customer data is accessed only on customer-initiated support ticket, with audit log entry.
- Role-based access for customer accounts: Owner, Admin, Member, CA (read-only by default).
- SSO via Google Workspace OIDC for Pro tier; password-only or magic-link for Starter and Growth.
Audit logging
Every action in the product (classification accept, classification override, scheme dismissal, reconciliation acknowledgement, support team access) is logged with timestamp, actor identity, IP, and before-and-after state. Logs are immutable (write-once via Supabase). Customers can export their own audit log at any time.
Infrastructure
- Hosting: Supabase (Mumbai region, ap-south-1) for application data; Vercel (Singapore + Mumbai edge) for the marketing site.
- Compute: Vercel Edge runtime for read-heavy routes, Vercel Serverless for stateful operations.
- CDN: Cloudflare (Mumbai POP first).
- WAF and DDoS protection: Cloudflare Pro tier.
Software development lifecycle
- All code reviewed by at least one other engineer before merge.
- Automated dependency scanning (Dependabot, Snyk) on every commit.
- Static analysis: ESLint, TypeScript strict, SAST via GitHub Advanced Security.
- Production deploys via signed releases; rollback within 5 minutes via Vercel revision pinning.
Certifications
SOC 2 Type I targeted for Q4 FY 2026-27 (audit kickoff in Q2). ISO 27001 evaluation planned for FY 2027-28. Our current security posture is documented and ready for customer security questionnaires.
Disclosure programme
Send responsible security disclosures to [email protected]. We aim to acknowledge within 24 hours and triage within 72 hours. We do not currently run a paid bug bounty, but we will publicly acknowledge meaningful disclosures with the researcher's permission.