GoMalayalam · Security
GoMalayalam is built on four plain commitments. Your drafts stay yours. Your sign-in is yours. Your card never touches our servers. And if you ever want to walk away, your writing walks with you.
The commitments
Every other line on this page is mechanism. These are the outcomes, written the way we would want them written to us.
01
നിങ്ങളുടെ കരട്, നിങ്ങൾക്കു മാത്രം.
Every draft, every import, every usage record belongs to the account that created it. Access is enforced by the database engine itself. Not by application logic that could be bypassed. Your writing is private because the database refuses to return it to anyone else.
02
പേയ്മെന്റ് നിങ്ങളുടെ ബ്രൗസറിൽ നിന്ന് നേരിട്ട്.
Payments are handled by PCI DSS certified processors. The card entry form is theirs, not ours. Card numbers travel directly from your browser to the processor and never pass through GoMalayalam code or GoMalayalam servers. We only see the result, delivered as a signed, cryptographically verified webhook that confirms your subscription is active.
03
ലോഗിൻ സംരക്ഷണം.
If you sign in with Google, we never see a password. If you use email, the password is hashed with bcrypt before it ever reaches storage. Not even we can read it back. Every request to a protected route is re-verified on the server before anything loads, so a session is never trusted just because the browser says so.
04
മായ്ച്ചാൽ, മാറ്റമില്ല.
Drafts you delete are moved to a trash archive so you can recover them within the retention window. After that, they are removed from the active database. If you close your account, the associated drafts, usage records, and personal information are cleared on request. Not quietly kept for an unspecified future use.
Mechanism
The same commitments, written for readers who want to see the plumbing.
Drafts and account data live inside a managed relational database. Traffic between your browser and our servers is encrypted with TLS 1.3. Data stored on disk is encrypted with AES-256. Row-Level Security policies are attached to every product table, so a query for a draft that is not yours simply returns nothing. The isolation is enforced at the database layer, not in a middleware function we hope nobody forgot to call.
When you upgrade, the card entry form is hosted by our payment processor. Their iframe, not ours. We receive a token and, later, a signed webhook that reports the result. Every webhook is signature verified against the provider secret before we change your subscription state. A webhook that cannot be verified is rejected. We do not retry state changes from unverified input.
Anonymous grammar checks, the version available on the homepage without signing in, are rate-limited per device, filtered by request origin, and capped at a small daily quota. This exists to keep the tool free for normal use without letting it be drained by bots. Signed-in requests are metered per account.
GoMalayalam runs on managed cloud infrastructure chosen for reliability. Traffic is absorbed by a global edge layer before it reaches our origin, mitigating incidental volumetric attacks. Daily database backups are retained so that if something breaks at 3 AM, the previous day is recoverable.
If something is missing
If you have a specific question about how your draft, your payment, or your account is handled, write to us. Real replies. No security theatre.