Security at Majhi OS
Majhi OS handles sensitive hiring data on behalf of organisations. Security is not a feature — it is a baseline requirement. This page describes how we protect your data and our platform.
Infrastructure
Majhi OS is hosted on enterprise-grade cloud infrastructure with ISO 27001-certified data centres. We operate across multiple availability zones to ensure resilience. All production systems run in private networks with no direct public exposure.
- Dedicated production and staging environments; no shared infrastructure with test workloads
- Infrastructure-as-code with version-controlled configuration
- Automated vulnerability scanning on every deployment
- DDoS protection and rate limiting at the network edge
Encryption
| Layer | Standard |
|---|---|
| Data in transit | TLS 1.2 minimum; TLS 1.3 preferred. HSTS enforced. |
| Data at rest | AES-256 encryption for all stored data, including backups. |
| Database | Encrypted at storage level; field-level encryption for credentials and tokens. |
| Secrets management | All API keys, credentials, and secrets stored in a dedicated vault; never in environment variables or code. |
| Backups | Encrypted, tested daily, retained for 30 days, stored in a geographically separate region. |
Access controls
- Principle of least privilege: Every engineer and system component has access only to what is strictly required.
- Multi-factor authentication (MFA) is mandatory for all internal systems and production access.
- Role-based access control (RBAC) is enforced across the platform and all internal tooling.
- Zero-trust networking: Production access requires authenticated, short-lived credentials via a bastion with full audit logging.
- Background checks are conducted for all employees and contractors with access to production systems.
Application security
- OWASP Top 10 mitigations applied across all API endpoints
- Input validation and parameterised queries to prevent injection attacks
- Content Security Policy (CSP) and other security headers enforced
- Dependency scanning and automated patching for known CVEs
- Regular internal security reviews prior to major releases
Monitoring and incident response
Our security operations run continuously:
- Real-time anomaly detection across application and infrastructure logs
- Automated alerting on authentication failures, privilege escalations, and unusual data access patterns
- Defined incident response playbooks with assigned owners and escalation paths
- Customers affected by a security incident will be notified within 72 hours, consistent with GDPR requirements
- Post-incident reviews are conducted for all P1/P2 events, with findings shared on request
Penetration testing
Majhi OS undergoes independent third-party penetration testing at least annually and after significant infrastructure changes. Findings are remediated according to severity within defined SLAs (Critical: 24h, High: 7 days, Medium: 30 days). Summary reports are available to enterprise customers under NDA.
Compliance
- Data Processing Agreements (DPAs) available for all customers — email [email protected]
- Sub-processor list maintained and available on request
- Working toward SOC 2 Type II certification
Responsible disclosure
If you believe you have found a security vulnerability in Majhi OS, please report it responsibly. We ask that you:
- Email details to [email protected] with a clear description and steps to reproduce
- Give us reasonable time to investigate and remediate before public disclosure
- Not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
We commit to acknowledging valid reports within 48 hours and keeping you informed of our progress. We do not take legal action against researchers acting in good faith.
Business continuity
- Recovery Point Objective (RPO): 1 hour
- Recovery Time Objective (RTO): 4 hours
- Disaster recovery plans tested bi-annually
- Live platform status: status.majhi.tech