Trust center

Security at Spexx

A plain account of how we authenticate people, control access, protect data, and keep records honest. No vague claims.

Spexx runs the parts of a business that cannot be wrong: who has access, what they can do, and where the money went. The practices below are how we keep that trustworthy. For our regulatory posture, see the compliance page; for how we handle personal data, read the privacy policy.

Authentication

Every person signs in once with a single Spexx ID. Each product authenticates against that identity through OIDC single sign-on, with tokens signed using RS256. There are no shared passwords between products and no per-product credentials to leak. Browser logins use the PKCE flow, so an intercepted authorization code cannot be replayed.
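How PKCE binds an authorization code to the client that requested it, as an added illustration that follows RFC 7636 and is not Spexx's own code. The `AuthServer` class and its method names are constructed for this example.

```python
import base64, hashlib, hmac, re, secrets

VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, stays in the browser client
    return verifier, challenge_for(verifier)

class AuthServer:
    """Constructed stand-in for an authorization server's two endpoints."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":  # refuse the "plain" downgrade
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # pop() makes the code single-use, whether or not the attempt succeeds
        challenge = self._pending.pop(code, None)
        if challenge is None or not VERIFIER_RE.fullmatch(code_verifier):
            return None
        if not hmac.compare_digest(challenge_for(code_verifier), challenge):
            return None
        return "token-" + secrets.token_urlsafe(8)

def demo() -> dict:
    server = AuthServer()
    # Flow 1: a third party holds the code but never saw the verifier
    _, challenge = new_pkce_pair()
    code = server.authorize(challenge)
    guessed, _ = new_pkce_pair()
    intercepted = server.token(code, guessed)
    # Flow 2: the real client redeems its code, then the same code is presented again
    verifier, challenge = new_pkce_pair()
    code = server.authorize(challenge)
    legit = server.token(code, verifier)
    replay = server.token(code, verifier)
    return {"intercepted": intercepted, "legit": legit is not None, "replay": replay}
```

Only the challenge travels through the browser redirect; the verifier is sent once, directly to the token endpoint, so holding the code alone is not enough to obtain a token.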

Access control

Access is role-based and scoped to a branch. A person sees and changes only what their role permits, and only within the branches they belong to. New accounts start with the least privilege needed to do their job; broader access is granted deliberately, not by default. Administrative authority and clinical identity are tracked separately, so a manager does not silently gain a practitioner's permissions.

Data protection

Data is encrypted in transit over TLS and encrypted at rest in our databases. Our handling of personal data is aligned with India's Digital Personal Data Protection Act, and customer data is stored on infrastructure with data residency in India. We collect what a feature needs and no more.

Integrity

Correctness is enforced by the database, not just the application. Constraints and foreign keys prevent invalid records from being written at all. Financial entries live in an append-only, double-entry ledger: posted transactions are never edited in place, and corrections are recorded as new offsetting entries. A full audit trail records who changed what and when.

Payments

Card payments are processed by Razorpay, a PCI-compliant payment provider. Card numbers and related details are entered directly with the provider and never touch our servers. We store a payment reference, an amount, and a status, so we can reconcile a charge without ever holding card data.

Reliability

Databases are backed up on a regular schedule so records can be restored after a failure. Systems are monitored for availability and errors, and alerts let us respond before small problems become outages. Our service commitments are described in the service level agreement.

Responsible disclosure

If you believe you have found a security issue, please tell us before disclosing it publicly. Email security@spexx.in with steps to reproduce. We will acknowledge your report, keep you updated as we investigate, and credit you once the issue is resolved if you would like.

Have a question about our controls, or need documentation for a review? We are happy to walk through the details.