Security is a product feature.
From KYC-verified professionals to Visit Shield at your door, DigiKaragir is built so that trust never depends on luck. Here is how we protect the platform — and how to reach us if you find a weakness.
Security practices in production today
Encrypted in transit
All traffic uses HTTPS with modern TLS (1.2+) and HSTS. Plain HTTP is redirected, never served.
Identity-verified providers
Every professional completes government-ID KYC with live face match through an independent verification partner before their first job.
Visit Shield at the door
A door PIN verified only within a geofence of your booking location — arrival cannot be faked from elsewhere, and every attempt is recorded.
Payments handled by Razorpay
Card and UPI details are processed by Razorpay, a PCI-DSS compliant gateway. DigiKaragir never stores your payment instrument details.
Signed webhooks & short-lived sessions
Payment and KYC callbacks are cryptographically signature-verified. App sessions use short-lived tokens with rotating refresh and server-side revocation.
Rate-limited & least-privilege APIs
Sensitive endpoints are rate-limited at multiple layers, and every API call is checked against the caller's own resources — customers and providers can only ever see their own data.
Found a vulnerability? Tell us first.
We welcome good-faith security research. We do not currently run a paid bounty program, but we take every report seriously and act fast.
Email us privately
Send details to support@digikaragir.com with the subject "Security report". Include steps to reproduce, the affected endpoint or screen, and the impact you believe it has.
Give us a fair window
We acknowledge reports within 48 hours and ask for up to 90 days to investigate and fix before any public disclosure.
We fix, verify and credit
Verified issues are fixed with priority. With your permission, we thank researchers by name once a fix has shipped.
Ground rules for good-faith research
- • Never access, modify or delete data that is not your own test data.
- • No denial-of-service, spam, social engineering or physical attacks.
- • Do not run automated scanners against production booking or OTP endpoints — they send real SMS and reach real providers.
- • Reports made in good faith under these rules will not be met with legal action from us.
Machine-readable contact: /.well-known/security.txt