The vault, the keys, and the audit trail.
Robnu holds your marketplace session tokens. We treat them the way a payments processor treats card data — encrypted-at-rest with per-seller DEKs, master keys in AWS KMS, access logged on every read. India data residency where it matters; DPDP-aligned.
- Per-seller DEK + AWS KMS master key + access logs on every read.
- Marketplace passwords never reach Robnu — the extension does the handshake locally.
- DPDP-aligned, GDPR-aligned for EU sellers, India data residency where it matters.
DEK-per-seller
Every seller gets their own Data Encryption Key. The DEK is sealed under a master key held in AWS KMS — Robnu servers cannot decrypt your tokens without going through KMS, which logs every access.
Database + R2
MariaDB encryption-at-rest enabled at the disk level; R2 server-side encryption on every uploaded asset. Backups encrypted with a separate KMS key.
Short-lived JWT
Robnu issues short-lived JWTs (15-minute access, 30-day refresh). Refresh tokens rotate on use. Sessions hard-expire when the extension is uninstalled.
Every credential read
Every decrypt of a marketplace token is logged with who/what/when. Sellers can read their own audit trail. Auditors see the org-level trail.
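The per-seller DEK and the logged credential read described above, as an added Go sketch; it is not Robnu's code. `Vault`, `seal`, `open`, `Store`, `Read` and the caller name are hypothetical, AES-256-GCM is an assumed cipher, and a local master key and in-memory log stand in for AWS KMS and its access log (a real entry would also carry a timestamp).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault is a local stand-in (assumption) for the KMS master key and access log.
type Vault struct{ master []byte; Audit []string }

// seal and open: AES-256-GCM with the seller ID bound as associated data.
func seal(key, pt []byte, seller string) []byte {
	blk, _ := aes.NewCipher(key) // callers here always pass 32-byte keys
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, pt, []byte(seller))
}

func open(key, ct []byte, seller string) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, fmt.Errorf("bad key or ciphertext")
	}
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Open(nil, ct[:12], ct[12:], []byte(seller))
}

// Store makes a fresh DEK for the seller; only ciphertexts reach the database.
func (v *Vault) Store(seller string, token []byte) (wrappedDEK, encToken []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(v.master, dek, seller), seal(dek, token, seller)
}

// Read logs who asked for which seller's DEK, then unwraps it and decrypts.
func (v *Vault) Read(caller, seller string, wrappedDEK, encToken []byte) ([]byte, error) {
	v.Audit = append(v.Audit, "unwrap caller="+caller+" seller="+seller)
	dek, _ := open(v.master, wrappedDEK, seller) // nil on failure; the next open then rejects it
	return open(dek, encToken, seller)
}

func main() {
	v := &Vault{master: make([]byte, 32)} // constructed all-zero demo key
	w, e := v.Store("seller-1", []byte("constructed-token"))
	pt, err := v.Read("sync-worker", "seller-1", w, e)
	fmt.Printf("%s %v %q\n", pt, err, v.Audit)
}
```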
DPDP-aligned
Personal data is stored in regions with adequate-protection status under DPDP. We don't move PII outside India for processing.
Responsible disclosure
Found a vulnerability? Email [email protected]. Acknowledged in 24h, fixed and disclosed within the standard window.
