Why Firecracker microVMs instead of Docker?

Each scan runs in a dedicated Firecracker microVM — the same isolation technology AWS Lambda uses. Unlike Docker containers, microVMs provide hardware-level isolation, preventing any cross-scan data leakage. Boot time is ~125ms, so there's no performance penalty.

Why a queue-based architecture?

Scans are CPU and network intensive. A Redis-backed queue (BullMQ) ensures fair scheduling, automatic retries on failure, and the ability to scale scan workers horizontally without touching the API layer. It also enables priority lanes for paid tiers.

Why Claude API for report generation?

Raw vulnerability data from tools like Nuclei and OWASP ZAP is technical noise for SMB decision-makers. Claude API reasons about findings in context — correlating vulnerabilities, mapping to DPDP sections, and generating plain-language remediation that a non-technical founder can act on.

How is scan data retained and secured?

Scan artifacts are encrypted at rest (AES-256) and purged after 90 days by default. Reports are stored in the customer's account with end-to-end encryption. We never share scan data with third parties. SOC 2 Type II certification is on our 2026 roadmap.

Transparency

Security at Bachao.AI

How we handle your data, where it's stored, and what we send to AI providers.

Data Residency

Scan data

Stored in Turso database, ap-south-1 (Mumbai) region.

Scan execution

Firecracker microVMs on Indian infrastructure.

Reports & findings

Encrypted at rest (AES-256), stored in India.

Backups

Replicated within Indian data centers only.

Data retention

Scan artifacts purged within 72 hours. Reports retained for 12 months on paid plans.

AI Processing — The Claude API Question

We use Anthropic's Claude API to enhance scan reports, generate remediation guidance, and map findings to compliance frameworks. Here's exactly what happens:

!What IS sent to Claude API

Vulnerability finding titles, descriptions, and severity (NOT the raw scan data)
Anonymized code snippets for fix generation (variable names and paths redacted)
Compliance framework mapping queries

✓What is NOT sent to Claude API

Your source code
Your credentials or API keys
Customer PII or personal data
Full HTTP request/response bodies from scans
RASP agent telemetry (processed entirely on our infrastructure)

Anthropic's data handling

Anthropic does NOT train on API inputs (per their API Terms of Service)
API data is not stored beyond the request lifecycle
Anthropic is SOC 2 Type II certified
Processing occurs on US infrastructure

For enterprises requiring zero-external-AI

Contact us for on-premise deployment options
We can route AI processing through Azure OpenAI (India region) on request

Encryption

Layer	Standard
Data at rest	AES-256 (Turso encrypted storage)
Data in transit	TLS 1.3 (HSTS preload, 63072000s)
API keys	SHA-256 hashed (never stored in plaintext)
Scan configs	AES-256-GCM encrypted per-record
Passwords	SHA-256 hashed with per-record salt

Subprocessors

Subprocessor	Purpose	Location	Certification
Turso (LibSQL)	Database hosting	India (ap-south-1)	SOC 2 Type II
Vercel	Web hosting & edge	Global CDN, origin in US	SOC 2 Type II
Anthropic (Claude)	AI report enhancement	US	SOC 2 Type II
Resend	Email delivery	US	SOC 2 Type II
Cashfree	Payment processing	India	PCI DSS Level 1
Upstash	Rate limiting (Redis)	Global	SOC 2 Type II

Security Practices

Our own platform is pen-tested

We run our own VAPT tools against bachao.ai quarterly.

Dependency scanning

Automated vulnerability checks on all dependencies.

Access control

Principle of least privilege, MFA on all infrastructure.

Incident response

Internal IR process for platform security incidents.

Vulnerability disclosure

Report security issues to security@bachao.ai

Certifications & Partner Network

Bachao.AI delivers the technology platform. For certifications requiring empaneled auditors, we partner with certified firms.

Certification Delivery Model

Certification	Delivered By	How It Works
CERT-In empaneled VAPT	Partner firm (empaneled)	Bachao.AI runs the scans, partner firm reviews + signs the report
SOC 2 Type II	Partner audit firm	Bachao.AI automates evidence collection, partner conducts the audit
ISO 27001	Partner certification body	Bachao.AI maps controls + collects evidence, partner certifies
PCI DSS QSA	Partner QSA firm (e.g., SISA)	Bachao.AI scans + generates evidence, QSA validates + certifies
SEBI CSCRF audit	Partner empaneled auditor	Bachao.AI automates assessment, partner signs NSE-format report

This model gives you enterprise-grade certification at 50-70% lower cost — the AI does the heavy lifting, the certified firm provides the stamp.

Important: Bachao.AI is not a certification body, audit firm, or legal advisor. We provide the AI-powered technology platform for security scanning, evidence collection, and compliance mapping. Certifications (SOC 2, ISO 27001, PCI DSS, CERT-In audits) are delivered by our network of certified partner firms who review, validate, and sign the audit reports.

Interested in becoming a certified partner firm? Join our partner network →

Data Processing Agreement

Enterprise customers can request a Data Processing Agreement (DPA) covering DPDP Act requirements. Contact ceo@bachao.ai.

Service Level Agreement

For details on platform uptime, scan delivery times, support response times, and SLA credits, see our Service Level Agreement.

Questions about our security practices?

Loading…