Security Trust Center
Bank-grade security for your NBFC operations. 52 OWASP findings remediated. AES-256 encryption throughout. Database-per-tenant isolation. DPDPA 2023 compliant.
April 2026 Security Audit — All Clear
Independent OWASP audit conducted April 14–16, 2026. Every finding remediated and verified.
- 13 OWASP Critical Findings: ✅ All Remediated
- 17 OWASP High Findings: ✅ All Remediated
- 16 OWASP Medium/Low Findings: ✅ All Remediated
- 6 Data Protection Findings: ✅ All Remediated
- 11 Regulatory Gap Findings: ✅ All Remediated
- 44 Business Logic Gaps: ✅ All Remediated
- 3 Penetration Test Runs: ✅ Clean (April 2026)
- 1,380 Automated Tests Passing: ✅ 0 Failing
Database-Per-Tenant Architecture
Every NBFC gets a completely separate, dedicated database. Not a shared schema with row-level filters — a fully isolated database. Your data never shares infrastructure with another NBFC.
Complete Isolation
An SQL query on your database physically cannot read data from another NBFC's database. Zero shared tables.
Regulatory Separation
Each NBFC entity is legally a separate company. Their data being in separate databases reflects this legal reality and satisfies RBI data governance requirements.
Verified by Tests
Integration test suite includes explicit assertion: “Tenant A cannot read Tenant B's records.” Verified on every deployment.
Encryption at Rest
Military-grade AES-256 field-level encryption with a unique cryptographic key per record. Every sensitive field is encrypted before it reaches the database.
All critical data points are guarded with industry-standard encryption.
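The per-record key design described above is envelope encryption: each record gets its own random 256-bit data key, the field is encrypted under that key, and the data key itself is stored only in wrapped form under a master key that never reaches the database. The following Go program is an added illustration of that pattern and is not the platform's own code; the master key, tenant name, record id and PAN value are constructed sample inputs, and in a real deployment the master key would come from a KMS or HSM. It uses AES-256-GCM so every ciphertext is authenticated, and it binds each ciphertext to its tenant, record and column through the GCM additional data, so a ciphertext copied into another row or column fails to decrypt rather than silently decrypting to the wrong customer's value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedField is what is stored in the database column instead of the
// plaintext: the field ciphertext plus the per-record data key (DEK), itself
// encrypted ("wrapped") under the master key. The master key never touches the DB.
type EncryptedField struct {
	WrappedDEK []byte // AES-256-GCM(masterKey, dek), nonce prepended
	Ciphertext []byte // AES-256-GCM(dek, plaintext), nonce prepended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce and prepends it to the output,
// so each stored value is self-describing.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM authentication fails on any tampering or wrong AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// contextAAD binds a ciphertext to the exact tenant, record and column it belongs to.
func contextAAD(tenant, recordID, field string) []byte {
	return []byte(tenant + "|" + recordID + "|" + field)
}

// EncryptField generates a unique data key for this record, encrypts the field
// with it, and wraps the data key under masterKey. Compromise of one record's
// data key therefore exposes only that record.
func EncryptField(masterKey []byte, tenant, recordID, field string, plaintext []byte) (EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedField{}, err
	}
	aad := contextAAD(tenant, recordID, field)
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return EncryptedField{}, err
	}
	wrapped, err := seal(masterKey, dek, aad)
	if err != nil {
		return EncryptedField{}, err
	}
	return EncryptedField{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptField unwraps the record's data key and then decrypts the field.
func DecryptField(masterKey []byte, tenant, recordID, field string, ef EncryptedField) ([]byte, error) {
	aad := contextAAD(tenant, recordID, field)
	dek, err := open(masterKey, ef.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, ef.Ciphertext, aad)
}

func main() {
	master := make([]byte, 32) // constructed; in production this comes from a KMS/HSM
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	ef, _ := EncryptField(master, "nbfc-a", "cust-1001", "pan", []byte("ABCDE1234F"))
	pt, err := DecryptField(master, "nbfc-a", "cust-1001", "pan", ef)
	fmt.Println("same record:", string(pt), err)
	_, err = DecryptField(master, "nbfc-a", "cust-2002", "pan", ef)
	fmt.Println("ciphertext moved to another record:", err)
}
```

Rotating the master key under this layout means re-wrapping the small data keys, not re-encrypting every field, which is why the data-key layer is worth the extra column.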
OWASP Top 10 Coverage
All 10 OWASP categories addressed. 46 findings from the April 2026 audit — all remediated.
- ✓ Role-based access control prevents unauthorized access to customer and financial data
- ✓ Complete tenant isolation ensures one organisation's data can never be accessed by another
- ✓ Multi-factor authentication and account lockout policies protect against credential-based attacks
- ✓ End-to-end encryption of sensitive fields safeguards data even in the event of an infrastructure breach
- ✓ All API endpoints enforce server-side input validation to block injection and manipulation attempts
- ✓ Secure session management with short-lived tokens limits exposure from token theft
- ✓ Principle of least privilege applied across all user roles, service accounts, and integrations
- ✓ Consent-driven data processing ensures full compliance with data protection regulations
- ✓ Immutable, tamper-evident audit logs record every data access and administrative action
- ✓ Disbursement idempotency and concurrency controls prevent duplicate payouts and race conditions
- ✓ Automated security regression tests run on every deployment to catch regressions early
- ✓ Breach response procedures with defined notification timelines to regulators and affected parties
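The disbursement idempotency and concurrency item above is the control that turns a retried or duplicated payout request into a single bank transfer. The Go program below is an added illustration of one way to implement it and is not the platform's own code; the `pay` callback stands in for a hypothetical payment-rail API, and the idempotency keys, loan ids and amounts are constructed sample values. The first request to present a key claims it and performs the payout; concurrent duplicates block on that claim and receive the same result instead of triggering a second transfer; a key replayed with a different amount is rejected; and a key whose payout failed is released so a genuine retry can succeed.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Disbursement is the outcome recorded against an idempotency key.
type Disbursement struct {
	LoanID    string
	Amount    int64 // in paise
	PayoutRef string
}

// entry is the per-key claim: whoever creates it performs the payout; everyone
// else blocks on done and then reads the same result.
type entry struct {
	loanID string
	amount int64
	done   chan struct{}
	res    Disbursement
	err    error
}

// Disburser executes at most one payout per idempotency key, even when the same
// request arrives concurrently (client retry, duplicate webhook, double click).
type Disburser struct {
	mu      sync.Mutex
	entries map[string]*entry
	payouts int
	pay     func(loanID string, amount int64) (payoutRef string, err error) // hypothetical payment rail
}

func NewDisburser(pay func(string, int64) (string, error)) *Disburser {
	return &Disburser{entries: map[string]*entry{}, pay: pay}
}

// Disburse returns the stored result when the key is already claimed (waiting if
// that payout is still in flight), rejects a key reused with a different payload,
// and otherwise performs the payout exactly once.
func (d *Disburser) Disburse(idemKey, loanID string, amount int64) (Disbursement, error) {
	if idemKey == "" {
		return Disbursement{}, errors.New("idempotency key required")
	}
	d.mu.Lock()
	e, claimed := d.entries[idemKey]
	if !claimed {
		e = &entry{loanID: loanID, amount: amount, done: make(chan struct{})}
		d.entries[idemKey] = e
	}
	d.mu.Unlock()

	if claimed {
		if e.loanID != loanID || e.amount != amount {
			return Disbursement{}, errors.New("idempotency key reused with a different payload")
		}
		<-e.done // the owner's close(done) publishes res/err to us
		return e.res, e.err
	}

	ref, err := d.pay(loanID, amount)
	d.mu.Lock()
	if err != nil {
		e.err = err
		delete(d.entries, idemKey) // release the key so a later retry can try again
	} else {
		d.payouts++
		e.res = Disbursement{LoanID: loanID, Amount: amount, PayoutRef: ref}
	}
	d.mu.Unlock()
	close(e.done)
	return e.res, e.err
}

// Payouts reports how many real payouts were executed; this is the number that must never double.
func (d *Disburser) Payouts() int {
	d.mu.Lock()
	defer d.mu.Unlock()
	return d.payouts
}

func main() {
	d := NewDisburser(func(loanID string, amount int64) (string, error) {
		return "UTR-" + loanID, nil // constructed stand-in for the bank transfer call
	})
	var wg sync.WaitGroup
	for i := 0; i < 20; i++ { // 20 concurrent retries of the same disbursement request
		wg.Add(1)
		go func() {
			defer wg.Done()
			d.Disburse("req-7f3a", "LN-1001", 2_500_000)
		}()
	}
	wg.Wait()
	fmt.Println("payouts executed:", d.Payouts()) // 1
}
```

In a multi-instance deployment the claim table lives in the database (a unique index on the idempotency key plays the role of the map insert here) rather than in process memory, but the state machine is the same: claim, pay once, publish the result, release on failure.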
DPDPA 2023 — Data Subject Rights
India's Digital Personal Data Protection Act 2023 is fully implemented — consent management, erasure, portability, and breach notification.
Right to Consent
9 named purposes — explicit opt-in required before any data processing begins
Purpose Limitation
Bureau data pulls blocked unless active, purpose-specific consent is on record
Right to Access
Structured export of all personal data provided to customers on request
Right to Erasure
Erasure requests follow a tracked workflow with 30-day SLA — verified end-to-end
Right to Portability
Dedicated data portability API — all customer data available in structured format
Consent Withdrawal
Withdrawing consent immediately stops all associated data processing
Breach Notification
Documented breach response SOP with 6-hour initial notification to RBI and CERT-In
Data Minimization
Full Aadhaar never persisted; bureau data minimized; OCR text discarded after processing
Ready to See the Full Security Report?
Enterprise customers can request the complete OWASP audit report, penetration test results, and DPDPA compliance documentation under NDA.