Security & Data Protection
Effective Date: 28 March 2026 | Version: 1.0
At PredictX, the security of your data and the integrity of our Platform are foundational commitments. This document outlines our security practices and the measures we implement to protect your information.
1. Infrastructure Security
Our Platform is hosted on Amazon Web Services (AWS) with primary infrastructure in the Mumbai (ap-south-1) region, ensuring low latency for Indian users and compliance with data localization requirements.
- VPC isolation with private subnets for backend services
- AWS WAF (Web Application Firewall) for DDoS protection and request filtering
- Automated security patching and vulnerability scanning
- Infrastructure-as-code with change audit trails
- Multi-AZ deployment for high availability
2. Data Encryption
- In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections.
- At Rest: All data stored in our databases and file systems is encrypted using AES-256 via AWS KMS (Key Management Service).
- Sensitive Data: Phone numbers, personal identifiers, and authentication tokens receive additional encryption layers.
3. Authentication Security
- OTP-Based Login: Phone number verification via one-time passwords — no permanently stored passwords
- Google OAuth: Optional social login using Google's secure OAuth 2.0 protocol
- JWT Tokens: Short-lived access tokens (15-minute expiry) with rotating refresh tokens (30-day maximum lifetime)
- Device Fingerprinting: Used for suspicious activity detection and multi-account prevention
- Rate Limiting: OTP requests and login attempts are rate-limited to prevent brute-force attacks
4. Access Control
- Role-based access control (RBAC) for all internal systems
- Principle of least privilege enforced across all team members and services
- All administrative access requires multi-factor authentication (MFA)
- All access events are logged and auditable
- Production data access is restricted and requires explicit approval
5. Application Security
- Input validation and sanitization on all user inputs
- Parameterized queries to prevent SQL injection
- CSRF protection on all state-changing operations
- Content Security Policy (CSP) headers
- Dependency vulnerability scanning in CI/CD pipeline
- Regular code security reviews
6. Monitoring & Threat Detection
- Real-time monitoring of platform health, error rates, and anomalous activity
- Automated alerting for security events and suspicious patterns
- Fraud detection systems for market manipulation and multi-accounting
- Comprehensive audit logging for all critical operations
7. Incident Response
We maintain a documented incident response plan with defined severity levels:
- Critical: Active data breach or system compromise — immediate response, user notification within 72 hours
- High: Vulnerability with potential for exploitation — response within 4 hours
- Medium: Security deficiency without active exploitation — response within 24 hours
- Low: Minor security improvement — addressed within 7 days
8. Responsible Disclosure
We encourage security researchers to responsibly disclose vulnerabilities. If you discover a security issue:
- Email details to security@thepredictx.com
- Include steps to reproduce the vulnerability
- Allow us reasonable time (90 days) to address the issue before public disclosure
- Do not access, modify, or delete other users' data
We commit to acknowledging reports within 48 hours and providing status updates throughout the investigation.
9. Data Protection Compliance
Our security practices are designed to comply with:
- DPDPA 2023 (India): Data localization, consent management, breach notification
- GDPR (EU/EEA): Data protection by design, privacy impact assessments, cross-border transfer safeguards
- IT Act 2000 (India): Reasonable security practices as prescribed under Section 43A
Contact
Security concerns: security@thepredictx.com
Privacy & data protection: privacy@thepredictx.com