Security overview
Payments & Razorpay
Checkout occurs through Razorpay’s hosted experiences. Invoice Mitra stores reconciliation metadata (amounts, statuses, references), never full card numbers or CVV data. Webhook payloads are authenticated server-side before any invoice changes state.
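The webhook check described above, sketched as an added example (not Invoice Mitra's own code): Razorpay signs the raw request body with HMAC-SHA256 under the webhook secret and sends the hex digest in the `X-Razorpay-Signature` header. The handler name, store shape, secret and payload are constructed for illustration.

```javascript
// Added example (not Invoice Mitra's code). Store shape and handler name are hypothetical.
const crypto = require('node:crypto');

// Razorpay sends hex(HMAC-SHA256(raw request body, webhook secret)) in X-Razorpay-Signature.
function verifySignature(rawBody, signatureHex, secret) {
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  return crypto.timingSafeEqual(expected, Buffer.from(signatureHex, 'hex'));
}

// Verify the raw bytes first, then parse, then apply each event at most once.
function handleWebhook(rawBody, headers, secret, store) {
  if (!verifySignature(rawBody, headers['x-razorpay-signature'], secret)) {
    return { status: 400, applied: false };
  }
  const eventId = headers['x-razorpay-event-id'];
  if (!eventId) return { status: 400, applied: false };
  if (store.seenEvents.has(eventId)) return { status: 200, applied: false }; // duplicate delivery
  store.seenEvents.add(eventId);

  const event = JSON.parse(rawBody);
  if (event.event !== 'payment.captured') return { status: 200, applied: false };
  const payment = event.payload.payment.entity;
  const invoice = store.invoices.get(payment.order_id);
  // Only reconcile when the signed amount matches what the invoice expects.
  if (!invoice || invoice.amount !== payment.amount) return { status: 200, applied: false };
  invoice.status = 'paid';
  invoice.paymentId = payment.id;
  return { status: 200, applied: true };
}

// Constructed sample data (not real Razorpay identifiers or secrets).
const SECRET = 'constructed-webhook-secret';
const BODY = JSON.stringify({
  event: 'payment.captured',
  payload: { payment: { entity: { id: 'pay_EXAMPLE', order_id: 'order_EXAMPLE', amount: 49900 } } },
});
function sign(body, secret) {
  return crypto.createHmac('sha256', secret).update(body).digest('hex');
}
function newStore() {
  return {
    seenEvents: new Set(),
    invoices: new Map([['order_EXAMPLE', { amount: 49900, status: 'pending' }]]),
  };
}
```

Compute the HMAC over the bytes exactly as received; re-serializing parsed JSON can change the byte sequence and break verification.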
Authentication & Supabase
Accounts leverage Supabase Auth with modern session handling. Row Level Security policies isolate tenant data at the database tier, dramatically shrinking blast radius compared to ad-hoc SQL in monolithic servers.
Transport & encryption
Public endpoints require HTTPS in production. Sensitive operations remain server-side via Nitro routes so secrets never ship to browsers.
Backups & availability
Supabase-managed Postgres includes automated backups on paid tiers. Pair this with exports you trigger from the product for offline archives. Status visibility will graduate to a dedicated status page soon.