Security Policy
Last updated: 7 March 2026
At Pharmbells, security is fundamental to our platform. This page describes the measures we take to protect your data and ensure the integrity of our Service.
1. Data Encryption
In Transit
All communication between your browser and our servers is encrypted using HTTPS with TLS (Transport Layer Security). TLS protects the confidentiality and integrity of your data in transit, so a third party on the network path cannot read or tamper with it.
At Rest
Sensitive data stored on our servers is encrypted using industry-standard encryption algorithms.
2. Access Controls
- Authentication: All users must authenticate with a valid email and password. Passwords are stored using secure one-way hashing (never in plain text).
- Role-Based Access: The platform supports role-based access control, ensuring users can only access the data and features permitted by their assigned role.
- Session Management: Session cookies are set with the Secure and HttpOnly flags, so they are only sent over HTTPS and are not readable by client-side scripts. Inactive sessions expire automatically.
3. Data Isolation
Each customer account operates on an isolated database. Your business data is completely separated from other customers' data. No customer can access another customer's data.
4. Backups
- Automated backups are performed regularly.
- Backups are stored securely and are separate from the production environment.
- Backups are tested periodically to ensure data can be restored reliably.
- You can request a data export at any time from your account.
5. Infrastructure Security
- Firewalls: Network firewalls restrict access to only necessary ports and services.
- Updates: Server software and dependencies are kept up to date with security patches.
- Monitoring: Systems are monitored for unusual activity and potential security threats.
- SSH Access: Server access is restricted to authorized personnel using SSH public-key authentication.
6. Application Security
- CSRF Protection: All forms and API requests are protected against cross-site request forgery attacks.
- Input Validation: All user input is validated; database queries are parameterized and template output is escaped to prevent injection attacks (SQL injection, XSS).
- Rate Limiting: Login attempts and API calls are rate-limited to prevent brute-force attacks.
- Secure Framework: Pharmbells is built on the Frappe framework, which includes built-in security features such as ORM-level query parameterization, template escaping, and API whitelisting (only methods explicitly marked as whitelisted can be called over HTTP).
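To make the injection point concrete, the following is an added illustration and not code from Pharmbells or the Frappe framework. It uses Python's standard sqlite3 module and a constructed in-memory table standing in for a tenant database; the table, sample rows and the `PAYLOAD` string are assumptions made for the demonstration. It shows the same lookup written two ways: with user input concatenated into the SQL text, and with the input passed as bound parameters, which is what "ORM-level query parameterization" means in practice.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a tenant database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, tenant TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (email, tenant) VALUES (?, ?)",
        [
            ("alice@example.com", "pharmacy-a"),
            ("bob@example.com", "pharmacy-a"),
            ("carol@example.com", "pharmacy-b"),
        ],
    )
    return conn


def find_vulnerable(conn, tenant, email):
    # Deliberately vulnerable: the request value is spliced into the SQL text,
    # so quotes and keywords inside it are parsed as part of the query.
    sql = f"SELECT email FROM customer WHERE tenant = '{tenant}' AND email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_parameterized(conn, tenant, email):
    # Hardened: the SQL text is fixed and the values travel as bound parameters.
    # The database engine never interprets the input as SQL, whatever it contains.
    sql = "SELECT email FROM customer WHERE tenant = ? AND email = ?"
    return [row[0] for row in conn.execute(sql, (tenant, email))]


# Constructed attacker input: closes the email literal and appends an always-true clause.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with the payload and return (leaked_rows, safe_rows)."""
    conn = make_db()
    # The concatenated query becomes
    #   ... WHERE tenant = 'pharmacy-a' AND email = 'x' OR '1'='1'
    # AND binds tighter than OR, so the tenant filter is bypassed and every row,
    # including the other tenant's customer, is returned.
    leaked = find_vulnerable(conn, "pharmacy-a", PAYLOAD)
    # The parameterized query looks for a customer whose email is literally the
    # payload string and finds nothing.
    safe = find_parameterized(conn, "pharmacy-a", PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterized query returned:", safe)
```

Note that the leak in the vulnerable variant crosses the tenant boundary, which is why parameterized queries matter for the data isolation promised in section 3 as much as for the injection point itself. Input validation (for example, rejecting anything that is not a well-formed email address before the query runs) is a useful second layer, but it is the bound parameters that make the query safe regardless of what the validator lets through.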
7. Payment Security
We do not store your payment card details on our servers. All payment processing is handled by PCI-DSS compliant third-party payment processors. Your payment information is transmitted directly to the processor over an encrypted connection.
8. Incident Response
In the event of a security incident:
- We will investigate and contain the incident promptly.
- Affected customers will be notified within a reasonable timeframe.
- We will take corrective measures to prevent recurrence.
- Where required by law, we will report the incident to the appropriate authorities.
9. Responsible Disclosure
If you discover a security vulnerability in our Service, we encourage you to report it to us responsibly. Please email info@pharmbells.in with details of the vulnerability. We will:
- Acknowledge your report within 48 hours.
- Investigate and address the vulnerability promptly.
- Keep you informed of the resolution.
We request that you do not publicly disclose the vulnerability until we have had reasonable time to address it.
10. Employee Access
- Access to production systems is limited to authorized personnel on a need-to-know basis.
- All access is logged and auditable.
- Employees do not access customer data unless required for support and authorized by the customer.
11. Contact
For security-related questions or to report a vulnerability, contact us at:
Hiyan Enterprises Pvt Ltd
Email: info@pharmbells.in