Security Policy
Last updated: March 2026
MYDGID takes the security of your data seriously. This policy describes our security measures.
1. Data Encryption
- In Transit: All data is encrypted using TLS 1.2+ (HTTPS). HTTP connections redirect to HTTPS automatically.
- Passwords: All passwords are hashed using bcrypt — plain-text passwords are never stored.
- Payment Data: We do not store payment card details or UPI credentials. All payment processing uses Razorpay's PCI-DSS compliant infrastructure.
2. Authentication Security
- OTP Verification: All new accounts require email OTP verification
- Rate Limiting: 5 failed login attempts trigger a 30-minute lockout
- Session Security: Session IDs regenerate on every login
- Admin 2FA: All admin access requires Two-Factor Authentication (TOTP)
3. Infrastructure Security
- Hosted on Hostinger Business with enterprise-grade physical security
- PHP execution blocked in the uploads folder — uploaded files cannot be executed as code
- All user inputs validated and sanitised server-side
- All database queries use PDO prepared statements — SQL injection prevented
- config.php blocked from direct web access via server configuration
4. Payment Security
- Razorpay is PCI-DSS Level 1 certified
- Payment signatures verified using HMAC-SHA256
- Webhook payloads authenticated using Razorpay signature verification
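The following is an added example of the two signature checks listed above, written in PHP because the site runs PHP; it is not MYDGID's own code. It assumes Razorpay's documented scheme (an HMAC-SHA256 hex digest over `order_id|payment_id` keyed with the API key secret for checkout, and over the raw webhook body keyed with the webhook secret, delivered in the X-Razorpay-Signature header); the secrets and IDs below are placeholders.

```php
<?php
// Added example (not MYDGID's code): Razorpay signature verification with HMAC-SHA256.
// Assumption: Razorpay's documented scheme, as described in the lead-in above.
// Secrets and IDs here are placeholders, not real credentials.

declare(strict_types=1);

/** Verify the signature Razorpay Checkout returns after a payment completes. */
function verifyPaymentSignature(string $orderId, string $paymentId, string $signature, string $keySecret): bool
{
    $expected = hash_hmac('sha256', $orderId . '|' . $paymentId, $keySecret);
    // hash_equals() compares in constant time, so the check itself does not
    // leak how many leading bytes of the supplied signature were correct.
    return hash_equals($expected, $signature);
}

/**
 * Verify a webhook delivery. The HMAC must be computed over the raw request
 * body exactly as received; decoding and re-encoding the JSON changes the
 * bytes and makes a valid signature fail.
 */
function verifyWebhookSignature(string $rawBody, string $headerSignature, string $webhookSecret): bool
{
    $expected = hash_hmac('sha256', $rawBody, $webhookSecret);
    return hash_equals($expected, $headerSignature);
}

// Illustrative use in a webhook endpoint: read the body before any JSON decoding,
// and reject the request before touching the database if the check fails.
// $rawBody = file_get_contents('php://input');
// $header  = $_SERVER['HTTP_X_RAZORPAY_SIGNATURE'] ?? '';
// if (!verifyWebhookSignature($rawBody, $header, WEBHOOK_SECRET)) {
//     http_response_code(400);
//     exit;
// }

// Constructed self-check with placeholder values.
$keySecret = 'PLACEHOLDER_KEY_SECRET';
$goodSig   = hash_hmac('sha256', 'order_PLACEHOLDER|pay_PLACEHOLDER', $keySecret);
var_dump(verifyPaymentSignature('order_PLACEHOLDER', 'pay_PLACEHOLDER', $goodSig, $keySecret));
var_dump(verifyPaymentSignature('order_PLACEHOLDER', 'pay_PLACEHOLDER', strrev($goodSig), $keySecret));
```

A failed check should be logged with the request metadata but not the secret, so that repeated invalid signatures can be picked up by monitoring.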
5. Responsible Disclosure
If you discover a security vulnerability, please email support@mydgid.com with subject "Security Vulnerability Report". We acknowledge within 48 hours and will not pursue legal action against good-faith security researchers.
6. Incident Response
In the event of a data breach affecting user personal data, we will notify affected users within 72 hours and report to relevant authorities as required under applicable Indian law.