
Security & Compliance

Last updated: 5 June 2026

Security is foundational at PrepGym. This page summarises the controls we run today and the standards we are working toward.

1. Hosting & data residency

  • All production workloads run in AWS Asia Pacific (Mumbai), region ap-south-1.
  • Aurora PostgreSQL Serverless v2 with encrypted storage (AWS KMS).
  • S3 buckets private by default, with AES-256 server-side encryption.
  • No production data ever leaves India.

2. Encryption

  • TLS 1.2+ for all data in transit, HSTS preload-eligible.
  • AES-256 for all data at rest (database, S3, EBS volumes).
  • Per-tenant key separation using AWS KMS for sensitive blobs.

3. Access control

  • Tenant isolation enforced at every API and database query.
  • Role-based access (RBAC) — student, admin, super_admin, proctor, recruiter.
  • SSO/SAML and JIT provisioning for university plans.
  • Production access is restricted to a small on-call team and audit-logged via AWS CloudTrail.

4. Authentication & account security

  • Passwordless by default — email one-time codes, so there is no password database to leak and nothing to reuse across sites; each code is single-use. Codes can still be relayed by a real-time phishing page, which is why we also offer passkeys.
  • Passkeys (WebAuthn / FIDO2) — phishing-resistant biometric sign-in with Face ID, Touch ID, Windows Hello, or a hardware security key.
  • Two-factor authentication — TOTP via Google Authenticator, Authy, or 1Password, with single-use backup codes for recovery.
  • Session tokens are HMAC-signed and verified on every request; AWS Cognito JWTs back federated/social sign-in.
  • TOTP secrets are encrypted at rest with AES-256-GCM; backup codes are stored only as one-way hashes.
  • OTP rate-limiting, account lockout on repeated failures, and same-IP multi-account flagging.
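The primitives listed above, as an added example that is not PrepGym's code: HMAC-signed session tokens verified in constant time, a TOTP secret kept AES-256-GCM encrypted at rest, RFC 6238 code verification with a one-step skew window and replay protection, and backup codes stored as salted scrypt hashes and consumed once. It uses only Node's crypto module; the two keys, the token layout and the backup-code format are assumptions (in production the keys would come from KMS), and the TOTP test vector is the RFC 4226/6238 reference secret.

```typescript
// Added example (not PrepGym's code). Keys below are constructed for the
// example; in production they would be KMS-managed data keys.
import {
  createCipheriv, createDecipheriv, createHmac, randomBytes, scryptSync, timingSafeEqual,
} from "node:crypto";

const SESSION_KEY = randomBytes(32); // constructed: HMAC key for session tokens
const TOTP_KEK = randomBytes(32);    // constructed: stands in for a KMS data key

// --- Session tokens: <base64url payload>.<base64url HMAC-SHA256> ------------
export function signSession(sub: string, tenant: string, ttlSec: number, now = Date.now()): string {
  const exp = Math.floor(now / 1000) + ttlSec;
  const payload = Buffer.from(JSON.stringify({ sub, tenant, exp })).toString("base64url");
  const sig = createHmac("sha256", SESSION_KEY).update(payload).digest("base64url");
  return `${payload}.${sig}`;
}

export function verifySession(token: string, now = Date.now()): { sub: string; tenant: string } | null {
  const [payload, sig, extra] = token.split(".");
  if (!payload || !sig || extra !== undefined) return null;
  const expected = createHmac("sha256", SESSION_KEY).update(payload).digest();
  const given = Buffer.from(sig, "base64url");
  // timingSafeEqual throws on unequal lengths, so check length first; the
  // comparison itself must not leak how many bytes of the MAC matched.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || claims.exp <= Math.floor(now / 1000)) return null;
  return { sub: claims.sub, tenant: claims.tenant };
}

// --- TOTP secret at rest: iv(12) || tag(16) || ciphertext, AES-256-GCM -------
export function encryptTotpSecret(secret: Buffer): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", TOTP_KEK, iv);
  const ct = Buffer.concat([cipher.update(secret), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

export function decryptTotpSecret(blob: string): Buffer {
  const b = Buffer.from(blob, "base64");
  const decipher = createDecipheriv("aes-256-gcm", TOTP_KEK, b.subarray(0, 12));
  decipher.setAuthTag(b.subarray(12, 28));
  return Buffer.concat([decipher.update(b.subarray(28)), decipher.final()]); // final() throws on a bad tag
}

// --- TOTP (RFC 6238): HMAC-SHA1 over the 30 s step counter, 6 digits --------
export function totp(secret: Buffer, step: number): string {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(step));
  const h = createHmac("sha1", secret).update(counter).digest();
  const off = h[h.length - 1] & 0x0f; // dynamic truncation offset
  const bin = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3];
  return (bin % 1_000_000).toString().padStart(6, "0");
}

// Accepts the current step or one either side (clock skew). `lastUsedStep` is
// the step of the last accepted code, persisted per user, so an intercepted
// code cannot be replayed. Returns the step to persist, or null on failure.
export function verifyTotp(encSecret: string, code: string, now = Date.now(), lastUsedStep = -1): number | null {
  const secret = decryptTotpSecret(encSecret);
  const step = Math.floor(now / 30_000);
  for (const s of [step, step - 1, step + 1]) {
    if (s <= lastUsedStep) continue;
    const expected = Buffer.from(totp(secret, s));
    const given = Buffer.from(code);
    if (given.length === expected.length && timingSafeEqual(given, expected)) return s;
  }
  return null;
}

// --- Backup codes: random, shown once, stored only as salted scrypt hashes --
export interface StoredBackupCode { salt: string; hash: string }

export function generateBackupCodes(n = 8): { plain: string[]; stored: StoredBackupCode[] } {
  const plain = Array.from({ length: n }, () => randomBytes(5).toString("hex")); // 40 bits each
  const stored = plain.map((code) => {
    const salt = randomBytes(16);
    return { salt: salt.toString("hex"), hash: scryptSync(code, salt, 32).toString("hex") };
  });
  return { plain, stored };
}

// Removes the matching entry so each code works exactly once; false if none match.
export function consumeBackupCode(stored: StoredBackupCode[], code: string): boolean {
  const i = stored.findIndex((s) =>
    timingSafeEqual(scryptSync(code, Buffer.from(s.salt, "hex"), 32), Buffer.from(s.hash, "hex")));
  if (i < 0) return false;
  stored.splice(i, 1);
  return true;
}
```

Two details matter more than the algorithms: the persisted `lastUsedStep` is what turns "time-based" into "single-use", and the backup-code table is only safe because it is consulted by hash, so a database leak yields nothing that can be typed in.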

5. Application security

  • API gateway with WAF, rate limiting, and per-tenant quotas.
  • Tenant isolation enforced at every API and database query.
  • Input validation with Zod on every NestJS controller.
  • Static analysis (ESLint, TypeScript strict) and dependency scanning in CI.
  • Quarterly penetration testing by an independent CERT-In empanelled auditor.

6. Proctoring ethics

Proctoring is opt-in per session. We tell students exactly what is recorded (camera, mic, focus events), for how long it is retained (30 days), and who can review it. We do not run live emotion or ethnicity inference. Flags are advisory; humans review every disqualification.

7. AI safety

  • LLM calls go through AWS Bedrock inside our own AWS environment; prompts and student data are not sent to third-party model APIs.
  • We do not use student data to train public AI models.
  • Prompts are versioned and reviewed; outputs are content-filtered.
  • The hint engine is constrained: clarifications and nudges only — never the solution.

8. Compliance posture

  • DPDP Act 2023 — compliant. Grievance officer designated.
  • SOC 2 Type II — under assessment, target Q4 2026.
  • ISO/IEC 27001 — gap analysis completed; controls implementation in progress.
  • PCI-DSS — card data is handled entirely by our payment partners (Razorpay, Stripe). We never store, process, or transmit raw card numbers, which keeps our own PCI-DSS scope to a minimum.

9. Incident response

We aim to detect material incidents within 1 hour and to notify the Data Protection Board and affected Data Principals within 72 hours, consistent with DPDP Act requirements. Customers can subscribe to security notifications at status.prepgym.ai.

10. Reporting a vulnerability

We welcome responsible disclosure. Email security@prepgym.ai with proof-of-concept details. We acknowledge reports within 24 hours and do not pursue legal action against good-faith researchers.