Security — TOD 360 AI

Security is fundamental to TOD 360 AI. Your data — including sensitive employee activity, HR records, and payroll information — is protected at every layer of our infrastructure.

Security Pillars

🔒

Encryption in Transit

All communication is encrypted using TLS 1.2/1.3. HTTPS is enforced on every endpoint — no unencrypted connections are accepted.

🛡️

Encryption at Rest

Passwords are hashed with bcrypt (cost factor 12). Sensitive tokens and API keys are stored encrypted. Database backups are encrypted.

🏗️

Cloud Infrastructure

Hosted on AWS (Mumbai region — ap-south-1). Data stays within India. We use VPC isolation, private subnets, and security groups with minimum-access rules.

🎭

Access Control

Role-based access (Owner, Admin, Manager, Employee). Each role sees only what it needs. All admin actions are logged in an immutable audit trail.

🔑

Authentication Security

Brute-force protection, session fixation prevention, CSRF tokens on all state-changing requests, and secure session management with HTTP-only cookies.

💳

Payment Security

All payments processed by Razorpay (PCI-DSS Level 1 compliant). We never store full card numbers. Webhook signatures are verified cryptographically.

🔍

Input Validation

All database queries use parameterised prepared statements — no raw SQL string concatenation. All user input is validated and sanitised server-side.

📋

Audit Logging

Administrative actions (login, data export, configuration changes, impersonation) are recorded with timestamps, IP addresses, and actor identity.

Infrastructure Security

Network

All servers run in an AWS VPC with private subnets
SSH access to servers is restricted to specific IP addresses via security groups
Public access is limited to HTTPS (port 443) and HTTP redirect (port 80)
Database is not publicly accessible — only accessible from application servers

Application Server

Ubuntu LTS with automatic security updates enabled
Apache web server with security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Content-Security-Policy)
PHP running as a restricted user (www-data)
File uploads stored outside the web root where applicable
Error messages suppressed in production — errors logged server-side only

Database

MySQL 8.0 with dedicated application credentials (minimum privilege principle)
No direct internet access to the database port
Daily automated backups with 30-day retention
Encrypted backup storage

Desktop Agent Security

The Windows desktop monitoring agent is designed with privacy and security in mind:

Authenticated API calls: The agent authenticates with a per-user API token — no credentials are stored in plaintext
Minimal permissions: The agent runs with standard user privileges — no admin/root access is required or requested
Encrypted uploads: All data sent from the agent to the server is over HTTPS
No keystroke logging: The agent records keyboard/mouse activity counts only — keystrokes and content are never captured
Visible to the user: A system tray icon is always visible when monitoring is active; employees are never covertly monitored
Agent settings served securely: Tracking policies (screenshot frequency, monitoring scope) are fetched from the server — no local config files that can be tampered with

Multi-Tenant Data Isolation

TOD 360 AI is a multi-tenant platform. Data isolation between organisations is enforced at every layer:

Every database table contains an org_id column; all queries are filtered by the authenticated organisation's ID
API tokens are scoped to a specific organisation — cross-tenant access is impossible by design
Admin sessions are bound to a specific org_id — superadmin impersonation is logged and auditable
File uploads (screenshots, documents) are stored in organisation-specific paths

Shared Responsibility Model

Security is a shared responsibility between RDBYTES and our customers.

We are responsible for	You are responsible for
Infrastructure and server security	Strong passwords and credential management
Application-level security (auth, CSRF, SQL injection prevention)	Promptly revoking access for departed employees
Data encryption in transit and at rest	Securing admin account credentials
Regular security patches and updates	Reporting suspicious activity to us
Backup and disaster recovery	Compliance with local monitoring and privacy laws
Payment processing security (via Razorpay PCI-DSS)	Obtaining employee consent before monitoring

Incident Response

In the event of a security incident that affects your data:

We will notify affected customers within 72 hours of becoming aware of the breach
Notification will include: nature of the breach, data affected, steps taken, and recommended actions
We will work with affected customers to mitigate impact and prevent recurrence

Responsible Disclosure

If you discover a security vulnerability in TOD 360 AI, we ask that you disclose it responsibly. Please email us at support@tod360ai.com with:

A clear description of the vulnerability
Steps to reproduce
Potential impact

We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days. We ask that you do not publicly disclose the vulnerability until we have addressed it.

We do not currently offer a bug bounty programme, but we deeply appreciate responsible security research and will acknowledge contributions publicly (with your permission).

Security Contact

For security concerns, vulnerability reports, or security-related questions:

Email: support@tod360ai.com
Subject line: [SECURITY] Your issue description
Company: RDBYTES, 5/129, 'A' Type, 65th Street, Sidco Nagar, Villivakkam, Tamil Nadu, Chennai 600049

Security at TOD 360 AI