Skip to content
Security

Security is a product feature.

From KYC-verified professionals to Visit Shield at your door, DigiKaragir is built so that trust never depends on luck. Here is how we protect the platform — and how to reach us if you find a weakness.

How we protect you

Security practices in production today

Encrypted in transit

All traffic uses HTTPS with modern TLS (1.2+) and HSTS. Plain HTTP is redirected, never served.

Identity-verified providers

Every professional completes government-ID KYC with live face match through an independent verification partner before their first job.

Visit Shield at the door

A door PIN verified only within a geofence of your booking location — arrival cannot be faked from elsewhere, and every attempt is recorded.

Payments handled by Razorpay

Card and UPI details are processed by Razorpay, a PCI-DSS compliant gateway. DigiKaragir never stores your payment instrument details.

Signed webhooks & short-lived sessions

Payment and KYC callbacks are cryptographically signature-verified. App sessions use short-lived tokens with rotating refresh and server-side revocation.

Rate-limited & least-privilege APIs

Sensitive endpoints are rate-limited at multiple layers, and every API call is checked against the caller's own resources — customers and providers can only ever see their own data.

Responsible disclosure

Found a vulnerability? Tell us first.

We welcome good-faith security research. We do not currently run a paid bounty program, but we take every report seriously and act fast.

1

Email us privately

Send details to support@digikaragir.com with the subject "Security report". Include steps to reproduce, the affected endpoint or screen, and the impact you believe it has.

2

Give us a fair window

We acknowledge reports within 48 hours and ask for up to 90 days to investigate and fix before any public disclosure.

3

We fix, verify and credit

Verified issues are fixed with priority. With your permission, we thank researchers by name once a fix has shipped.

Ground rules for good-faith research

  • • Never access, modify or delete data that is not your own test data.
  • • No denial-of-service, spam, social engineering or physical attacks.
  • • Do not run automated scanners against production booking or OTP endpoints — they send real SMS and reach real providers.
  • • Reports made in good faith under these rules will not be met with legal action from us.

Machine-readable contact: /.well-known/security.txt