Security
The security of your data (your uploaded product images, generated outputs, and account information) is a core commitment at AttireSnap. This page describes our security practices and how to contact us if you discover a vulnerability.
Data in transit
All data transmitted between your browser or mobile device and our servers is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints and HTTP Strict Transport Security (HSTS) is enabled.
Data at rest
Uploaded images and generated outputs are stored using AES-256 encryption at rest. Database credentials, API keys, and secrets are stored in isolated secret management systems and never hard-coded in application code.
Access control
- Production systems follow the principle of least privilege, so engineers only have access to systems necessary for their role.
- All internal admin access requires multi-factor authentication (MFA).
- Customer data is logically isolated, and users can only access their own uploads and generations.
Payment security
We never store credit card numbers or payment instrument details on our servers. All payment processing is handled by Razorpay, a PCI-DSS compliant payment gateway. We store only billing metadata (plan name, amount, status) necessary for your account.
Authentication
- Passwords are hashed using a secure, adaptive hashing algorithm (bcrypt/argon2). We never store passwords in plain text.
- Session tokens are cryptographically signed and rotated regularly.
- We offer OAuth-based login (Google) to allow users to avoid password-based auth entirely.
Vulnerability disclosure (responsible disclosure)
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please:
- Email your findings to security@AttireSnap.com with a clear description of the vulnerability and steps to reproduce.
- Do not publicly disclose or exploit the vulnerability before we have had a reasonable opportunity to address it (we aim to respond within 72 hours).
- Do not access, modify, or delete data belonging to other users during your research.
We acknowledge all valid vulnerability reports and aim to patch critical issues within 7 days. We do not currently run a formal bug bounty programme, but we genuinely appreciate responsible disclosures and will acknowledge researchers (with permission) in our security advisories.
Incident response
In the event of a data breach affecting your personal data, we will notify affected users within 72 hours of becoming aware of the incident, in accordance with India's Digital Personal Data Protection Act (DPDPA) and applicable regulations. Notifications will be sent to the email address associated with your account.
Third-party sub-processors
We work with carefully selected third-party service providers. All sub-processors are bound by data processing agreements consistent with DPDPA requirements. A full list of sub-processors is available on request at privacy@AttireSnap.com.
Questions about this policy?
Email our legal team at legal@attiresnap.com. We respond within 5 business days.