Magma ChargeSpot

Security

Charging infrastructure is critical infrastructure. We take security seriously — in our hardware, our software, our data practices, and our response to vulnerabilities.

Last updated: 27 May 2026

Our security posture

Magma maintains an ISO 27001-aligned Information Security Management System. Our CSMS and payment processing are PCI DSS Merchant Level 3 compliant. We undergo annual third-party penetration testing.
  • All data in transit is encrypted with TLS 1.3 minimum. TLS 1.0 and 1.1 are disabled.
  • All data at rest is encrypted with AES-256 using keys managed in AWS KMS.
  • OCPP connections use WSS (WebSocket Secure) with mutual TLS for DC fast chargers.
  • Payment data is tokenised — we never store full card numbers or UPI IDs.
  • API authentication uses OAuth 2.0 with short-lived (1-hour) access tokens and rotating refresh tokens.
  • CSMS sessions use signed JWTs with 15-minute expiry and refresh rotation.
  • All infrastructure is deployed in AWS ap-south-1 (Mumbai) with multi-AZ redundancy.

Certifications and compliance

Standard              | Scope                                              | Status
ISO 27001 (aligned)   | CSMS platform, data centre, development processes  | Annual audit — last: March 2026
PCI DSS Level 3       | Payment card data handling                         | SAQ-D compliant · Quarterly ASV scans
DPDP Act 2023 (India) | Personal data of Indian residents                  | DPO appointed · Data mapping complete
GDPR (EU clients)     | EU roaming partner data                            | DPA in place with all EU processors
SOC 2 Type I          | CSMS availability and security                     | Report available under NDA
AIS-138 / BIS         | EV charger hardware                                | Certified — MX-EV 22 AC, MX-EV 60 DC

Application security

  • CSMS dashboard and rider app undergo OWASP Top 10 review on every major release.
  • Dependency scanning via Dependabot and Snyk on all repositories — critical CVEs patched within 24 hours.
  • Static analysis (SAST) integrated into CI/CD pipeline — builds fail on critical findings.
  • Dynamic application security testing (DAST) run quarterly by our internal AppSec team.
  • Secrets are managed via AWS Secrets Manager — no credentials in source code or environment files.
  • All production deployments require two-person review (4-eyes rule) and are approved by a senior engineer.
  • RBAC is enforced at every API layer — operators cannot access other operators' data; vendors cannot access other vendors' data.

Hardware security

  • Charger firmware is signed with Magma's private key. Unsigned firmware cannot be installed via OTA or physical interface.
  • Secure boot is enabled on all MX-EV (DC variant) and MX-D controllers.
  • OCPP passwords are unique per charger, rotated on commissioning and every 6 months.
  • Physical tamper detection alerts the CSMS and disables the unit until a field engineer clears the alert.
  • USB and debug ports on the charger controller are disabled in production firmware.
  • SIM cards are locked to Magma's CSMS endpoint — they cannot be redirected to a third-party server.

Operational security

  • All staff complete security awareness training quarterly.
  • Production access requires hardware MFA (YubiKey). Shared credentials are not permitted.
  • Database access by engineers requires a just-in-time (JIT) approval workflow — no standing production access.
  • All admin actions in CSMS are logged to an immutable audit trail (AWS CloudTrail + S3 Object Lock).
  • Security incidents are classified P1–P4. P1 incidents (data breach or service compromise) are escalated within 15 minutes 24×7.
  • We maintain a tested incident response plan reviewed annually. Last tabletop exercise: January 2026.

Responsible disclosure

We welcome security researchers. If you discover a vulnerability in any Magma service or hardware, please disclose it responsibly and we will acknowledge, investigate, and fix it.

To report a vulnerability:

  • Email security@magmapro.in with details of the vulnerability, steps to reproduce, and your assessment of severity.
  • Encrypt sensitive details using our PGP key (fingerprint: A1B2 C3D4 E5F6 7890 — available at magmapro.in/.well-known/pgp).
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not access, modify or destroy data belonging to other users.
  • Give us a reasonable time to investigate and fix before public disclosure (we aim to respond within 72 hours and fix critical issues within 14 days).

We do not pursue legal action against researchers who act in good faith under this policy. We acknowledge all valid reports and credit researchers (with consent) in our Hall of Thanks.

Bug bounty

Severity      | CVSS range | Reward
Critical      | 9.0 – 10.0 | ₹1,00,000 – ₹3,00,000
High          | 7.0 – 8.9  | ₹25,000 – ₹75,000
Medium        | 4.0 – 6.9  | ₹5,000 – ₹20,000
Low           | 0.1 – 3.9  | Acknowledgement + swag
Informational | n/a        | Acknowledgement

Scope includes: csms.magmapro.in, api.magmapro.in, ocpp.magmapro.in, the Magma rider Android app, and MX-EV charger firmware (physical access required for hardware reports).

Out of scope: social engineering, physical attacks on chargers in the field, denial-of-service attacks, and spam.

Security contact

For general security questions or to report a vulnerability:

Security team: security@magmapro.in
Emergency (active breach): +91 80 4567 1999 (24×7 NOC)
PGP fingerprint: A1B2 C3D4 E5F6 7890 1234 5678 9ABC DEF0 1234 5678