Security Architecture Whitepaper

Security & Zero-Retention Architecture

A technical guide to how Prokolpo Sathi processes government forms and documents safely on the client side without risk of storage or leaks.

Client-Side Sandbox

All document scaling, cropping, merging, and rendering operations use standard browser components (the HTML5 Canvas API, FileReader, and local WebAssembly binaries). No binary code is downloaded outside the web sandbox, ensuring your device's core operating environment is untouched.

Zero Network Leakage

Your high-resolution Aadhaar cards, passport photographs, and signatures are parsed locally. Because there is no file upload request dispatched during these operations, data leakage over the network is mathematically impossible.

Encrypted Session Tokens

User profile data and usage statistics are secured using encrypted cookies and state tables. Communication with our authentication APIs utilizes SHA-256 signatures to safeguard account integrity against hijack attempts.

Volatile Ephemeral Memory

For tasks where local browser engines lack capability (e.g. background removal), files are sent via TLS 1.3 to a secure RAM-only parser. Once processed, the output is returned and the memory registers are immediately overwritten, leaving zero footprints.

Deep Technical Review

File parsing logic flow

When an applicant feeds a file (for example, a 5MB image of a signature) into a Prokolpo Sathi tool:

  1. The browser intercepts the file selection event via standard HTML5 file APIs, loading the file bytes into a local memory buffer (`ArrayBuffer` or `Blob`).
  2. A local Canvas instance parses the pixel grid. Adjustments, cropping, and aspect scaling happen directly using the hardware acceleration of your local device.
  3. A binary search compression loop (implemented in vanilla JavaScript) repeatedly recompresses the image, generating local blobs until the output falls within the specified size range (e.g. under 50KB).
  4. The browser triggers a local file download, saving the resulting output. At no point in steps 1-4 is any HTTP file upload request triggered.
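
The binary search loop from step 3, sketched as an added example (not Prokolpo Sathi's own code). The names `compressToTarget` and `constructedEncoder`, the synchronous `encode(quality)` callback, and the size model are assumptions; in a browser the callback would wrap a Canvas encoder call.

```javascript
// Added example (not Prokolpo Sathi's code). `encode(quality)` is a
// hypothetical callback returning encoded bytes for a quality in [0, 1].
function compressToTarget(encode, maxBytes, opts = {}) {
  const { minQuality = 0.05, maxQuality = 0.95, maxSteps = 8 } = opts;
  if (!Number.isFinite(maxBytes) || maxBytes <= 0) {
    throw new RangeError("maxBytes must be a positive number");
  }
  const sizeOf = (out) => out.size ?? out.byteLength; // Blob or typed array
  let steps = 1;

  // Fast path: the highest quality already fits, so keep it.
  const top = encode(maxQuality);
  if (sizeOf(top) <= maxBytes) {
    return { quality: maxQuality, output: top, steps };
  }

  // Invariant: every quality >= hi is too large; `best` is the largest
  // quality seen so far whose output fits the budget.
  let lo = minQuality, hi = maxQuality, best = null;
  while (steps < maxSteps && hi - lo > 0.01) {
    const mid = (lo + hi) / 2;
    const out = encode(mid);
    steps++;
    if (sizeOf(out) <= maxBytes) {
      best = { quality: mid, output: out };
      lo = mid;
    } else {
      hi = mid;
    }
  }

  // Edge case: nothing fit during the search. Try the floor once, then fail
  // closed instead of returning a file that breaks the size limit.
  if (!best) {
    const floor = encode(minQuality);
    steps++;
    if (sizeOf(floor) > maxBytes) {
      throw new Error("target size unreachable; downscale the image first");
    }
    best = { quality: minQuality, output: floor };
  }
  return { ...best, steps };
}

// Constructed stand-in encoder: output size grows with quality squared.
const constructedEncoder = (q) => new Uint8Array(Math.round(20000 + 480000 * q * q));

const fit = compressToTarget(constructedEncoder, 50 * 1024);
console.log(fit.quality.toFixed(3), fit.output.byteLength);
```

The step cap bounds how many re-encodes a single file can cost, and the thrown error keeps an oversized file from being saved as if it met the limit.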

Secure Third-Party Infrastructure

Any integration modules operate strictly over isolated endpoints:

  • Razorpay / Payments: Transaction verification triggers encrypted webhook logic on a hardened secure server, leaving card specifics fully out of scope.
  • Authentication: Google OAuth2 credentials transit exclusively inside HTTPS headers with HTTP-only cookie configuration to mitigate XSS profile risks.