Tanvrit is built on the same infrastructure used by large enterprises — because your business data deserves the same protection regardless of your size.
🔐
JWT access + refresh tokens scoped per appId (multi-tenant)
Token refresh protected by a 5-second dedup mutex
Phone OTP, WhatsApp OTP, magic-link, passkey/WebAuthn, OAuth (Google/Apple/Facebook)
Per-tenant role-based access control
🛡️
Google Cloud Run in asia-south1 (Mumbai) — India data residency
MongoDB Atlas as system of record
AES-256-GCM field-level encryption on Aadhaar / PAN PII
TLS 1.3 for all transit, Cloudflare-fronted edge
🔑
X-App-ID + X-API-Key required on every authenticated route
JWT-derived userId enforced server-side (no client-supplied identity)
Stripe webhook signatures verified with HMAC-SHA256 + timing-safe compare
Per-mobile and per-IP rate limiting on OTP send/verify endpoints
📋
8,500+ automated tests across SDK + server
DPDP Act 2023 alignment — DPO contact published, breach process documented
GST-compliant invoicing and 7-year retention on financial records
IT Act 2000 alignment + Apple/Google data-safety disclosures filed per app
🌐
Cloudflare WAF in front of api.tanvrit.com
Cloud Run unauthenticated public surface gated by app-level JWT + appId
No direct internet access to MongoDB; Atlas IP allowlist on Cloud Run egress
Production secrets injected via Cloud Run env vars, never on filesystem
🔄
Best-effort availability today; status page + public SLA at GA
Cloud Run rolling deploys + manual revision rollback in <5 minutes
Offline-first SDK — clients keep working through transient outages
MongoDB Atlas automated backups with point-in-time recovery
🐛
Found a security vulnerability? We appreciate responsible disclosure. Please email us with a detailed description, and we will respond within 48 hours.
contact@tanvrit.com