Ratha by TechOnWheels RemoteWork
Security
How we protect your data, your LinkedIn connection, and your payments. Last updated: 6 July 2026.
Who we are. Ratha is operated by Himkar International, a registered partnership firm in Rajasthan, India. TechOnWheels RemoteWork is the brand name under which Himkar International operates, and Ratha is its product.
Architecture
- Ratha runs on Vercel's serverless platform, with data stored in Supabase (managed PostgreSQL). Both are established providers with their own audited security programs.
- All traffic is encrypted in transit with TLS. Data is encrypted at rest by our database provider.
- Every account's data is isolated per user at the application layer; database access from the application uses scoped service credentials, and row-level security is enabled on our tables.
Your LinkedIn connection
- We use LinkedIn's official OAuth 2.0 flow. We never see or ask for your LinkedIn password.
- Access tokens are stored encrypted and used only to publish content you have approved, to your own profile or page.
- Disconnecting LinkedIn (from Ratha, or from LinkedIn's Permitted Services settings) revokes our access, and we delete the stored tokens.
- We request the minimum scopes needed. We do not scrape LinkedIn, do not access other members' data, and do not build contact databases.
Payments
- Payments are processed by Razorpay, a PCI DSS compliant gateway. Your card and bank details go directly to Razorpay; our servers never receive or store them.
- Webhooks from Razorpay to Ratha are verified with cryptographic signatures before any account change is made.
Secrets and access
- API keys and credentials live in server-side environment variables, never in client code or our repository.
- Administrative endpoints require secrets; user-facing endpoints require an authenticated session.
- Rate limiting protects generation, research, and email endpoints from abuse.
Data minimization by design
- Our research features work at the level of companies and public job-title roles. We deliberately do not collect, store, or output individuals' personal contact details (emails, phone numbers).
- We collect only the data needed to run your account, and you can request deletion at any time (see the Privacy Policy).
- Under our commercial API terms, your inputs are not used to train third-party AI models.
Email security
- Transactional email (posts, invoices, dossiers) is delivered through Brevo with SPF and DKIM configured on our sending domain.
- Invoice and receipt PDFs are generated on our servers and sent only to the account's registered email address.
Incident response
If we become aware of a security incident affecting your personal data, we will investigate, contain it, and notify affected members and authorities as required by applicable law, including India's DPDP Act, without undue delay.
Responsible disclosure
Found a vulnerability? Please tell us before telling anyone else. Email info@techonwheels.in with the subject "Security disclosure". We acknowledge reports within 48 hours, will not pursue good-faith researchers, and will credit you if you wish once the issue is fixed.