Security at ChallanWala

Fleet data — vehicle registrations, driver records, and payment information — is sensitive. Here is what we actually do to protect it.

  • Hosted in India: AWS Mumbai (ap-south-1)
  • HTTPS everywhere: HSTS enforced on all endpoints
  • Bot protection: Cloudflare Turnstile on all auth flows
  • Passkeys & TOTP: phishing-resistant 2FA options
  • Role-based access: 6 distinct permission levels
  • Secure headers: CSP, X-Content-Type-Options & more

Our Approach

We try to keep this page factual — only covering security measures that are actually in place. If you have specific security questions not answered here, please reach out directly.

Infrastructure

The ChallanWala platform runs on AWS infrastructure in the Mumbai region (ap-south-1). All customer data — including files, documents, and media — is stored in S3 buckets in the same region. Data does not leave India.

Authentication

We support several authentication methods:

Email & password

Standard login with Cloudflare Turnstile bot protection on every attempt.

Phone OTP

One-time passcode sent to your registered mobile number, also protected by Turnstile.

TOTP (authenticator app)

Time-based one-time passwords compatible with Google Authenticator, Authy, and similar apps. Can be enrolled as a second factor.

Passkeys (WebAuthn)

Hardware-bound, phishing-resistant authentication using your device biometrics or security key. The most secure option we offer.

Sessions are managed with short-lived JWT tokens and a separate refresh token. Security-sensitive actions (such as changing your password or managing 2FA devices) require re-authentication.

Access Controls

The platform uses role-based access control. Each user is assigned one of six roles, and access to features and data is scoped strictly to that role. The roles are:

Role               Scope
Super Admin        Platform-wide administration
Organisation Head  Full access within their organisation
Manager            Challans, vehicles, and reports for assigned locations
Agent              Challan operations and wallet for their account
Zonal Head         Oversight of a geographic zone and its organisations
Field Officer      Organisation-level field operations

Data in Transit

All communication between your browser and the ChallanWala platform is encrypted using HTTPS. We enforce HTTP Strict Transport Security (HSTS) with a one-year max-age, so your browser will never connect to the platform over an unencrypted connection.

We also set the following headers on every response to reduce the attack surface of the web application:

  • Content Security Policy (CSP) — restricts which scripts, frames, and resources can load
  • X-Content-Type-Options: nosniff — prevents MIME-type sniffing
  • Referrer-Policy: origin-when-cross-origin
  • Permissions-Policy — disables camera, microphone, and geolocation access
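A practitioner reading the transport and header commitments above will want a way to verify them against a live response. The following is an added example, not ChallanWala's code: a small checker that takes a response header map (for instance from Node's response.getHeaders() or a captured response) and reports every deviation from the policy stated on this page: HSTS with a one-year max-age, a CSP present, nosniff, Referrer-Policy origin-when-cross-origin, and camera, microphone and geolocation disabled in Permissions-Policy. The two header sets at the bottom are constructed samples, not responses captured from the platform, and the CSP value in them is an assumption (the page does not publish its policy text).

```javascript
// Added example (not ChallanWala's code): check a set of HTTP response headers
// against the header policy stated on the page. The sample header maps at the
// bottom are CONSTRUCTED for the demo, not captured from the platform.
const ONE_YEAR_SECONDS = 31536000; // the page states a one-year HSTS max-age

// Parse "max-age=31536000; includeSubDomains; preload" into its directives
function parseHsts(value) {
  if (!value) return null;
  const directives = {};
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) directives[k.toLowerCase()] = v === undefined ? true : v.trim();
  }
  const maxAge = Number.parseInt(directives['max-age'], 10);
  return {
    maxAge: Number.isFinite(maxAge) ? maxAge : null,
    includeSubDomains: directives.includesubdomains === true,
    preload: directives.preload === true,
  };
}

// Parse "camera=(), microphone=(self), geolocation=*" into { feature: allowlist }.
// An empty allowlist "()" means the feature is disabled for every origin.
function parsePermissionsPolicy(value) {
  const policy = {};
  if (!value) return policy;
  for (const m of value.matchAll(/([a-z-]+)=(\*|\([^)]*\))/gi)) {
    policy[m[1].toLowerCase()] = m[2].replace(/\s+/g, ' ').trim();
  }
  return policy;
}

// Returns a list of human-readable findings; an empty list means the response
// matches every commitment listed on the page.
function checkHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  const hsts = parseHsts(h['strict-transport-security']);
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (hsts.maxAge === null || hsts.maxAge < ONE_YEAR_SECONDS)
    findings.push(`HSTS max-age ${hsts.maxAge} is below one year (${ONE_YEAR_SECONDS})`);

  if (!h['content-security-policy']) findings.push('missing Content-Security-Policy');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options is not nosniff');

  if ((h['referrer-policy'] || '').toLowerCase() !== 'origin-when-cross-origin')
    findings.push('Referrer-Policy is not origin-when-cross-origin');

  const pp = parsePermissionsPolicy(h['permissions-policy']);
  for (const feature of ['camera', 'microphone', 'geolocation']) {
    if (!(feature in pp)) findings.push(`Permissions-Policy does not restrict ${feature}`);
    else if (pp[feature] !== '()') findings.push(`Permissions-Policy allows ${feature}: ${pp[feature]}`);
  }
  return findings;
}

// Constructed sample: every commitment on the page satisfied (CSP text is assumed)
const COMPLIANT_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Constructed sample: short HSTS, no nosniff, camera allowed, geolocation unmentioned
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=3600',
  'Content-Security-Policy': "default-src 'self'",
  'Referrer-Policy': 'origin-when-cross-origin',
  'Permissions-Policy': 'camera=(self), microphone=()',
};

console.log(checkHeaders(COMPLIANT_HEADERS)); // []
console.log(checkHeaders(WEAK_HEADERS));      // four findings

module.exports = { parseHsts, parsePermissionsPolicy, checkHeaders, COMPLIANT_HEADERS, WEAK_HEADERS };
```

Header names are lower-cased before comparison because servers and proxies vary in capitalisation, and the Permissions-Policy parser treats only an empty allowlist as "disabled": a value such as camera=(self) still grants the feature to the site's own origin, which is not what the page promises.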

Responsible Disclosure

If you discover a security vulnerability in the ChallanWala platform, please report it to us privately before disclosing it publicly. We appreciate the help and will work to address valid issues promptly.

Send a description of the issue, steps to reproduce, and the potential impact to info@challanwala.com with the subject line Security Report.

Contact

For any security questions or concerns:

ChallanWala Technologies Pvt. Ltd.