Legal · Security
Security Disclosure Policy
Last updated: July 2026
How we approach security, and how to responsibly report a vulnerability.
01
Our approach to security
Muqira is built on Cloudflare's infrastructure (Workers, D1, R2, KV, Queues). We apply the following practices across our products: • All traffic is encrypted in transit (TLS 1.2+) • Sensitive credentials (third-party API keys, connector OAuth tokens) are encrypted at rest • Every request is authenticated server-side against live session and organisation state — access decisions are never trusted from client-supplied data alone • Every organisation's data (workflows, conversations, connectors, billing, usage) is isolated by organisation ID at the database query level • Payment processing is handled by Razorpay; Muqira does not store full card details • We apply standard security headers (Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options) across our web properties
02
Reporting a vulnerability
If you believe you've found a security vulnerability in any Muqira product, we want to hear from you before it becomes a problem for our users. Email [email protected] with: • A description of the vulnerability and its potential impact • Steps to reproduce it, including any proof-of-concept • The product/URL/endpoint affected • Your contact information for follow-up We aim to acknowledge reports within 3 business days and provide a resolution timeline once we've validated the issue.
03
Responsible disclosure guidelines
To help us protect our users while you help us find issues, please: • Give us a reasonable opportunity to investigate and fix an issue before disclosing it publicly • Avoid accessing, modifying, or deleting data belonging to other users or organisations beyond what's strictly necessary to demonstrate the vulnerability • Do not perform testing that could degrade service for other users (e.g. sustained high-volume automated scanning, denial-of-service testing) • Do not use social engineering, phishing, or physical-access attacks against our staff or infrastructure • Report the issue privately to [email protected] rather than a public forum, issue tracker, or social media, until we've had a chance to address it We do not currently operate a paid bug bounty program, but we publicly and sincerely credit researchers (with permission) who report valid issues responsibly.
04
Safe harbour
We will not pursue legal action against, or refer to law enforcement, any researcher who discovers and reports a vulnerability in good faith, in accordance with the guidelines above, and does not exploit it beyond what is necessary to demonstrate the issue.
05
Scope
In scope: muqira.com and its subdomains, our API, and our first-party products (Muqira AI Studio, Muqira Flow, SEOventra, AlShorty, Documateo). Out of scope: third-party services we integrate with (report those directly to the relevant provider), social engineering against Muqira staff, and physical security of our infrastructure providers.
06
Contact
Email: [email protected] Muqira Technologies Mumbai, Maharashtra, India


