← Back to CaratOS
Security
How your firm's data is handled and protected.
Authentication & access
Sign-in is token-based (JWT), so a session is never a raw password sitting in a cookie. Staff accounts get scoped permissions set by the firm's admin — for example, a counter-sales role can use Sales Mode and inventory without seeing cash flow totals or firm-wide settings.
Data handling
- All firm data — inventory, invoices, CRM, cash flow, karigar jobs, kitty schemes — is cloud-synced, not stored only on one device.
- GST-relevant fields (PAN, invoice totals, CGST/SGST/IGST splits) are computed and stored per compliance requirements, not exposed beyond what the invoicing flow needs.
- Shopify sync only reads and writes the catalogue/stock fields required to keep inventory in sync — it does not request unrelated store permissions.
Multi-tenant isolation
Each firm's data is scoped to its own account — inventory, customers, and financial records for one firm are not visible to another, even though CaratOS runs as shared infrastructure across firms.
Reporting a concern
If you believe you've found a security issue, email chirant@izaragems.com directly rather than filing it publicly. We'll acknowledge and follow up.
This page describes current platform practices and will be extended as CaratOS adds features like data export, audit logs, and formal compliance certifications.