Security & Compliance
Last updated: 19 April 2026.
This page is our commitment to transparency. We disclose our security architecture, compliance status, and audit roadmap honestly — whether they are completed, in progress, or planned. If you have specific security questions before signing up, email [email protected].
Security architecture
| Control | Implementation | Status |
|---|---|---|
| Encryption at rest | AES-256-GCM (Cloudflare D1 and R2 defaults, provider-managed keys) | Active |
| Encryption in transit | TLS 1.2+ on all endpoints | Active |
| Web Application Firewall | Cloudflare WAF with managed rulesets | Active |
| DDoS protection | Cloudflare network-layer protection | Active |
| HSTS & strict CSP | Enforced on all pages | Active |
| Multi-tenant isolation | Per-tenant Cloudflare D1 database | Active |
| Data residency by country | India / UAE / Singapore / EU / US regional D1 | Active |
| API credential vault | AES-GCM encrypted, rotated root keys | Active |
| Audit logging | Every data access logged immutably | In progress |
| Role-based access control | Per-tenant RBAC matrix | In progress |
| Multi-factor authentication | For admin and staff access | In progress |
| 72-hour breach notification | Monitoring + alert pipeline | In progress |
| Customer-managed keys (BYOK) | Customer uploads encryption key | Planned (Enterprise plan) |
| Zero-knowledge architecture | Field-level encryption with customer keys | Planned (Enterprise plan) |
Compliance status
| Framework | Status | Target date |
|---|---|---|
| DPDPA 2023 (India) | Compliant | Active |
| RBI Master Directions on IT (relevant to the NBFC sector) | Aligned | Active |
| GDPR (EU) / UK GDPR | Aligned | Active for EU/UK tenants |
| UAE PDPL | Aligned | Active for UAE tenants |
| Singapore PDPA | Aligned | Active for Singapore tenants |
| VAPT (Vulnerability & Penetration Test) | Planned | Within 6 months of go-live |
| SOC 2 Type I | Planned | Within 12 months |
| SOC 2 Type II | Planned | Within 18 months |
| ISO 27001:2022 | Planned | Within 18–24 months |
| PCI-DSS | N/A | We don't store card data — gateways are PCI-certified |
Underlying infrastructure certifications
While we work toward our own certifications, our infrastructure provider Cloudflare maintains the following independent certifications that benefit our platform:
- SOC 2 Type II (annual)
- ISO 27001:2013 / ISO 27018
- PCI-DSS Level 1
- FedRAMP (US Government)
- Full list: cloudflare.com/trust-hub
Sub-processor certifications
| Sub-processor | Function | Their certifications |
|---|---|---|
| Cloudflare | Cloud infrastructure | SOC 2 Type II, ISO 27001, PCI-DSS L1 |
| Razorpay | Payment gateway | PCI-DSS L1, ISO 27001, RBI-licensed PA |
| Cashfree | Payment gateway (backup) | PCI-DSS L1, ISO 27001, RBI-licensed PA |
| Surepass | KYC verification | UIDAI-certified OVSE, ISO 27001 |
| Setu | Account Aggregator (TSP) | Sahamati-certified, partnered with RBI-licensed AAs |
| WhiteBooks | GST e-Invoice + filing | GSTN-licensed GSP |
| AWS | Email delivery (SES) | SOC 1/2/3, ISO 27001, FedRAMP, etc. |
| Meta | WhatsApp Business API | SOC 2, ISO 27001 |
Customer-controlled security features
- Country selection at signup: Choose your data residency region (locked after onboarding to enforce sovereignty).
- Per-tenant database isolation: Your data is in a dedicated Cloudflare D1 database, not shared with other tenants.
- Granular RBAC (in progress, see Security architecture above): Define roles (Admin / Finance / Operations / Read-only) and assign them per user.
- Audit log access (in progress, see Security architecture above): Download your tenant's audit logs anytime from the dashboard.
- Data export: Export all your data in CSV/JSON anytime, no questions asked.
- Right to delete: Request complete account and data deletion via [email protected].
- Account Aggregator consent control: Revoke bank data consent anytime; data deleted within 30 days.
- BYOK (Enterprise plan, planned): Bring your own encryption key; without it, not even MyOwnERP can decrypt your data.
Reporting security issues
If you discover a security vulnerability:
- Email: [email protected]
- We aim to acknowledge within 24 hours and provide a remediation timeline within 5 business days.
- We do not currently run a paid bug bounty program but will recognize responsible disclosure publicly (with your consent).
- Please do not publish vulnerabilities before we have had a reasonable chance to remediate; we follow a standard 90-day disclosure window.
Requesting our security documents
The following documents are available under NDA for prospective customers:
- Latest VAPT report (when available)
- Sub-processor list with data flow diagrams
- Encryption architecture document
- Disaster recovery and business continuity plan
- Incident response procedure
- Data Processing Agreement (DPA) template
Email [email protected] with your NDA or sign ours.
Honest disclosure
We are an early-stage SaaS platform. We do not yet have SOC 2 or ISO 27001 certifications — and we will not pretend otherwise. Our certification roadmap above is realistic, not aspirational. If your organization requires immediate certified-platform assurance before adoption, we recommend a phased approach:
- Start with non-sensitive use cases (invoicing, reminders, basic ERP).
- Use manual upload for bank statements until our SOC 2 is in place.
- Migrate to fully automated reconciliation once certifications are achieved.
We respect your security requirements and would rather lose a deal than over-promise on certifications we don't yet hold.
Contact
Security: [email protected]
Privacy/data requests: [email protected]
Data Protection Officer: [email protected]
General: [email protected]