Security is
an engineering discipline.
A short, honest description of how we protect the systems that hold your data — and a clear invitation for researchers to help us make them better.
1. Our security posture, briefly
We are a small, focused engineering team. Security here is a discipline shaped by three convictions:
- Least data. We collect only what a feature needs, and we design so that data no longer needed can be forgotten.
- Least privilege. No engineer has standing access to production data. Access is granted for a specific task, is logged, and expires.
- Trust boundaries in code. Where we can express a security rule as code — row-level security, signed URLs, hashed tokens — we do, so the guarantee does not depend on humans remembering to enforce it.
2. Encryption
- In transit. All traffic to our public surfaces uses TLS 1.2 or higher. HSTS is enforced with
max-age=63072000; includeSubDomains; preload. Certificates auto-renew. - At rest. Database volumes and object storage are encrypted at rest by the underlying cloud provider using AES-256 or provider-managed equivalents.
- Application-layer. Where sensitive fields warrant it (KYC documents, identity verification artefacts), we apply application-layer encryption or reference tokens on top of the storage-level encryption.
- Passwords & secrets. User authentication tokens are hashed using well-known constructions. Static secrets live in a managed secret store, not in source code.
3. Infrastructure
At a high level, without exposing specifics that would benefit an attacker:
- Website and admin surfaces are hosted on a modern edge platform with automatic DDoS mitigation, WAF, and audited access.
- Application data is stored in a managed Postgres offering with point-in-time recovery, encrypted backups, and geographic replication where the product design calls for it.
- Real-time audio and video sessions are relayed via a licensed telecommunications platform under a written agreement; media is not persisted beyond what the product feature requires.
- Payments are processed by regulated payment partners (e.g. Cashfree) under written data-processing terms. We do not store card numbers.
- All production surfaces sit behind role-based access with mandatory multi-factor authentication.
4. Application security
- Row-level security on every database table that carries personal data — the user identity is enforced by the database, not by the application layer.
- Strong transport headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener-Policy on every response.
- Dependency hygiene: automated dependency updates with security patch alerts and manual review for any upgrade that touches the trust boundary.
- Secrets scanning on every push to the code repository, with pre-commit hooks configured to reject leaked credentials.
- Environment isolation: development, staging, and production run in separate accounts with separate credentials and separate data.
5. Operational security
- Audit logs are retained for a reasonable period appropriate to the surface.
- Incident response is owned personally by the founder, with a documented playbook for containment, communication, and post-mortem.
- We aim to notify affected users of a personal-data breach without undue delay, and in line with the notification obligations of the DPDP Act 2023, EU/UK GDPR, and other applicable laws.
- We do not use production data in development or testing.
- Backups are encrypted, versioned, and restore-tested on a periodic basis.
6. Frameworks we align to
NextSpace Labs is a young company; we do not yet hold any specific formal security certification. Our engineering practices are shaped by, and aim to align with, the following frameworks:
- OWASP Top 10 and OWASP ASVS as a baseline for application security controls.
- NIST SP 800-53 selected controls appropriate to our scale.
- The CIS Benchmarks for the platforms we deploy on.
- The security expectations of India’s DPDP Act 2023, the IT Act 2000, and the IT Rules 2021.
As we mature we intend to seek formal attestation for the surfaces where it will provide meaningful assurance to users and partners. When we do, we will publish the scope and the report’s status here.
7. Responsible disclosure — how to report a security issue
We welcome and appreciate reports from independent security researchers. If you believe you have found a security vulnerability affecting any NextSpace Labs surface, please tell us before you tell anyone else.
7.1 How to reach us
- Preferred contact: security@nxtspacelabs.com
- Backup contact: connect@nxtspacelabs.com with the subject line “Security Report”.
- If you prefer to encrypt your report, request our current PGP key at the address above and we will send it in reply.
7.2 What to include
- The surface affected (URL, host, mobile app version).
- A clear description of the vulnerability and its impact.
- Steps that reliably reproduce the issue, and any proof-of-concept code or screenshots.
- Whether the issue has been disclosed to anyone else, and any timeline you have committed to.
- Whether you would like public credit if we publish an advisory.
7.3 What we commit to
- Acknowledge receipt of your report within a reasonable timeframe, typically three business days.
- Investigate the report in good faith, keep you informed on progress at reasonable intervals, and share a triage outcome.
- Fix confirmed issues on a timeline commensurate with severity, and coordinate the fix window with you where possible.
- Credit researchers publicly, with permission, once a fix is in place — on a dedicated researcher acknowledgements page as reports accumulate.
- NextSpace Labs does not currently operate a paid bug bounty. We will send a written acknowledgement and, at our discretion, a token of thanks for high-impact reports. This is a stated intention and not a legal obligation.
7.4 Safe harbour
NextSpace Labs will not initiate legal action against researchers who, acting in good faith:
- Report a vulnerability to us privately, using a contact method above;
- Give us a reasonable period to investigate and remediate before any public disclosure;
- Access only data that is strictly necessary to demonstrate the issue, and never store, alter, delete, or transfer such data;
- Do not degrade the availability of the Services for other users (no denial-of-service, no brute-force at scale, no bulk data exfiltration);
- Do not use the vulnerability to enrich themselves or a third party;
- Comply with all applicable laws.
To the extent your research is consistent with this policy, we will consider it authorised access under India’s Information Technology Act, 2000, the U.S. Computer Fraud and Abuse Act, and equivalent laws in other jurisdictions. This safe harbour is a commitment by NextSpace Labs; it does not bind third parties, and it does not authorise research against systems we do not operate.
7.5 Out of scope
The following report categories are typically closed as informational unless you can demonstrate a real, exploitable impact:
- Missing security headers on non-authenticated endpoints without a concrete attack vector.
- Missing SPF, DKIM, DMARC, or CAA records without demonstrated abuse.
- Reports produced by unauthenticated automated scanners with no manual verification.
- Denial-of-service, resource-exhaustion, or rate-limit findings.
- Version-disclosure or fingerprinting reports.
- Social engineering of NextSpace Labs staff, users, or partners.
- Physical attacks against our offices or infrastructure.
- Reports against third-party services we do not operate.
8. Data-breach notification
If a confirmed personal-data breach occurs and creates a risk to the rights and freedoms of affected users, we will notify:
- The Data Protection Board of India, in the manner and within the timelines set by the DPDP Act 2023 and rules made under it;
- The applicable supervisory authority under GDPR (typically within 72 hours of becoming aware);
- Affected individuals directly, in clear language, with practical guidance on any steps they can take;
- Any regulator or payment scheme where a notification obligation applies.
9. Contact
All matters covered on this page:
- Security reports: security@nxtspacelabs.com
- General compliance: connect@nxtspacelabs.com
- Postal: NextSpace Labs Private Limited, Door No 1-60/8/A & B, 3rd Floor, KNR Square, Opp. The Platina, Gachibowli, Kondapur, Hyderabad — 500 032, Telangana, India
Version history
- Version 1.0 — effective 4 July 2026 — first publication.