ISO 27001:2022 certified information security
Terra Insight holds ISO 27001:2022 certification — the current revision of the international standard for information security management. The certification covers all 93 controls across four themes, including the 11 controls newly introduced in the 2022 update.
Structured for modern cloud and supply chain risk
ISO 27001:2022 replaced the 2013 standard in October 2022. The update restructured controls from 14 domains and 114 controls into 4 themes and 93 controls — and introduced 11 entirely new controls addressing threats that did not exist in 2013.
The new controls cover cloud services security, threat intelligence, ICT supply chain security, data masking, data leakage prevention, secure coding, web filtering, configuration management, physical security monitoring, and information deletion. Terra Insight is certified against all 11 of these additions.
For enterprise clients in financial services, healthcare, and regulated sectors, ISO 27001:2022 certification — not the 2013 version — is the relevant benchmark. The two are not equivalent.
Organisational Controls
37 controls
Policies, roles, and governance structures that define how security is managed at the organisational level.
Board-approved security policy reviewed annually.
CISO role and data owner responsibilities formally assigned.
Production access segregated from development and support functions.
Security responsibilities included in all employment contracts.
Defined escalation path to CERT-In and relevant law enforcement.
Active membership in Indian cyber-security information sharing forums.
Threat feeds monitored; intelligence integrated into risk assessment cycle.
Security checkpoints embedded in product release pipeline.
Asset register maintained with data classification labels.
Acceptable use policy covers all devices, accounts, and data stores.
Offboarding checklist enforces return and revocation of all assets.
Four-tier classification: Public, Internal, Confidential, Restricted.
Document and data labelling applied consistently across repositories.
Encryption required for all data transferred outside the production boundary.
Role-based access control enforced; quarterly access reviews conducted.
Centralised identity provider; MFA mandatory for all privileged accounts.
Password policy enforced via identity provider; no shared credentials permitted.
Principle of least privilege applied; access rights reviewed on role change.
Supplier risk assessment conducted before onboarding; contracts include security clauses.
Data processing agreements in place with all sub-processors.
Software component provenance tracked; open-source licence review performed.
Annual review of all cloud and SaaS suppliers against contracted SLAs.
AWS shared responsibility model documented; cloud configuration baselines enforced.
Incident response plan tested via annual tabletop exercise.
Triage criteria defined; severity classification consistent with CERT-In guidelines.
Runbooks maintained for common incident types including data exposure and account compromise.
Post-incident reviews conducted within 5 business days; findings tracked to closure.
Evidence collection procedures aligned with Indian IT Act requirements.
Business continuity plan covers data access and processing during outage scenarios.
RTO and RPO targets defined per service tier; tested annually via failover drill.
Compliance register covers IT Act 2000, DPDP Act, GST, TDS, and sectoral regulations.
Software licence tracking in place; patent applications filed for proprietary algorithms.
Retention schedule defined; audit logs retained for 7 years per regulatory minimum.
Privacy impact assessments conducted for all features processing personal financial data.
Annual third-party audit conducted by accredited certification body.
Internal audit programme covers all controls; findings tracked in risk register.
Standard operating procedures maintained for all critical security functions.
People Controls
8 controls
Controls governing the security obligations of individuals — before, during, and after employment.
Background verification conducted for all employees and contractors handling client data.
Information security obligations explicit in every employment agreement.
Annual security awareness training mandatory; phishing simulation run quarterly.
Formal disciplinary process covers security policy violations.
Confidentiality obligations survive employment; NDA in place for all data-handling roles.
NDAs executed with all third parties before access to client or system information.
Remote working policy defines device, network, and data handling standards.
All personnel required to report suspected security events within 1 hour of detection.
Physical Controls
14 controls
Controls protecting physical access to facilities, equipment, and physical media.
Office premises secured with access card and visitor log.
Server and network infrastructure located in SOC 2 Type II certified data centre.
Sensitive discussions and document handling confined to designated secure areas.
CCTV and access logs reviewed periodically; alerts configured for after-hours access.
Data centre meets Tier III standards for power, cooling, and environmental controls.
Clear-desk and clear-screen policy enforced across all office locations.
Policy enforced; screen lock required after 5 minutes of inactivity.
Production hardware located exclusively in the managed data centre (AWS Mumbai). No physical servers at office locations.
Endpoint encryption mandatory on all devices used outside the office perimeter.
Removable media prohibited in production environments; portable drives encrypted.
UPS and generator redundancy at data centre; monitoring alerts on power events.
Network cabling within data centre meets structured cabling standards.
Hardware maintenance schedule maintained; only authorised personnel permitted.
Cryptographic wipe performed before any storage media is decommissioned or reassigned.
Technological Controls
34 controls
Technical controls embedded in systems, infrastructure, and software to protect information.
MDM policy enforces encryption, screen lock, and remote wipe on all managed devices.
Privileged accounts reviewed monthly; just-in-time access for production systems.
Data access scoped to role and client; no cross-tenant data access possible.
Source code repository access restricted; changes require peer review and approval.
MFA enforced on all external-facing systems and cloud management consoles.
Infrastructure capacity monitored; scaling policies prevent resource exhaustion.
Endpoint protection deployed on all managed devices; signatures updated daily.
Vulnerability scans run fortnightly; critical findings remediated within 72 hours.
Infrastructure-as-code enforced; configuration drift detection alerts operational.
Data deletion procedures verified for client offboarding and retention schedule expiry.
Production data masked before use in development or testing environments; no live financial data in non-production systems.
DLP controls monitor outbound data movement; rules cover reconciliation output files and bank statement data.
Daily encrypted backups; restoration tested quarterly against defined RTO.
Multi-AZ deployment on AWS; no single point of failure in production path.
All authentication events, data access, and API calls logged with tamper-evident storage.
SIEM aggregates logs; anomaly detection alerts reviewed by on-call team within 15 minutes.
All systems synchronised to NTP; log timestamps consistent across environments.
Use of system utilities restricted; activity logged and reviewed.
Change management process required for all production software changes.
Network segmentation separates production, staging, and corporate environments.
TLS 1.2+ enforced on all network services; deprecated protocols disabled.
VPC architecture with private subnets for data processing; no direct internet access to database tier.
Outbound web filtering applied to corporate network; DNS-based blocking for malicious domains.
AES-256 for data at rest; TLS 1.2+ for data in transit; key management via AWS KMS.
Security requirements defined at design stage; OWASP Top 10 addressed in development standards.
Security acceptance criteria included in every feature specification.
Defence-in-depth architecture; principle of least privilege applied at every layer.
Secure coding standards enforced; SAST tooling integrated into CI/CD pipeline; no deployment without security scan pass.
DAST and penetration testing conducted before every major release.
Third-party development engagements subject to the same secure coding and review standards.
Strict environment separation; production credentials not accessible from development or test.
All production changes follow documented change control; emergency changes logged within 24 hours.
Production data prohibited in test environments without masking (see A.8.11).
Audit testing performed in isolated environment; no impact on production operations.
How ISO 27001:2022 applies to TransactIG
TransactIG processes bank statements, ledger records, TDS deduction data, and settlement files for enterprise clients. The controls below are directly relevant to how client data is handled throughout the reconciliation pipeline.
Data isolation
Client data is processed in isolated tenant contexts. No cross-client data access is architecturally possible. Production environments are separated from development and test environments — and production data is never used in non-production systems without masking (A.8.11).
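The masking requirement above (A.8.11: production data never reaches non-production systems unmasked) is easiest to understand with a concrete transform. The following is an added illustration, not TransactIG's own masking code: it assumes a simple bank-statement line record and a masking key that stays inside the production boundary. Account numbers are replaced with a keyed, deterministic token (so two lines for the same account still match in a test run, but the token cannot be reversed without the key), counterparty names are reduced to initials, account-number-like digit runs are scrubbed from free-text narration, and a final gate refuses the export if any original account number survives.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, replace

# Hypothetical masking key. In a real deployment this would be a KMS-backed
# secret that exists only in production and is never copied to dev or test.
MASKING_KEY = b"example-masking-key-not-for-real-use"


@dataclass(frozen=True)
class StatementLine:
    """Constructed record shape for illustration; not TransactIG's schema."""
    account_number: str   # sensitive
    counterparty: str     # sensitive
    reference: str        # free-text narration; may itself contain account numbers
    amount_paise: int     # kept unchanged: reconciliation tests depend on it
    value_date: str       # kept unchanged


# Digit runs of 9 to 18 characters are treated as possible account numbers.
ACCOUNT_RE = re.compile(r"\b\d{9,18}\b")


def pseudonymise_account(account_number: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, deterministic token: same real account -> same token, so matching
    logic still works in test data, but the mapping cannot be reversed without
    the key. The last four digits are kept so testers can still eyeball records."""
    digest = hmac.new(key, account_number.encode(), hashlib.sha256).hexdigest()
    return f"ACC-{digest[:12].upper()}-{account_number[-4:]}"


def mask_counterparty(name: str) -> str:
    """Reduce a payee/payer name to initials so it is recognisable but not identifying."""
    initials = "".join(part[0] for part in name.split() if part)
    return f"{initials.upper()}***" if initials else "***"


def scrub_free_text(text: str, key: bytes = MASKING_KEY) -> str:
    """Replace any account-number-like digit run in narration with its token."""
    return ACCOUNT_RE.sub(lambda m: pseudonymise_account(m.group(0), key), text)


def mask_statement_line(line: StatementLine, key: bytes = MASKING_KEY) -> StatementLine:
    """Return a masked copy; amounts and dates are left intact on purpose."""
    return replace(
        line,
        account_number=pseudonymise_account(line.account_number, key),
        counterparty=mask_counterparty(line.counterparty),
        reference=scrub_free_text(line.reference, key),
    )


def contains_live_account(masked: StatementLine, originals: set[str]) -> bool:
    """Export gate: True if any original account number still appears anywhere
    in the masked record. An export job would abort on True."""
    fields = (masked.account_number, masked.counterparty, masked.reference)
    return any(acct in f for acct in originals for f in fields)


if __name__ == "__main__":
    # Constructed sample line, not real client data.
    line = StatementLine("001234567890", "Ramesh Kumar",
                         "NEFT from 001234567890 ref INV-77", 1250000, "2024-04-01")
    masked = mask_statement_line(line)
    print(masked)
    print("safe to export:", not contains_live_account(masked, {line.account_number}))
```

The gate is the part worth copying: a masking routine that is trusted because it was written carefully is weaker than one whose output is checked against the set of values it was supposed to remove before the data leaves production.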
Encryption in transit and at rest
All reconciliation data is encrypted at rest using AES-256 via AWS KMS (A.8.24). All data in transit — including API calls, file uploads, and bank statement imports — uses TLS 1.2 or higher. Deprecated protocols are disabled at the infrastructure level (A.8.21).
Audit trails
Every match decision, exception classification, and manual override is logged with user identity and timestamp (A.8.15). Logs are stored in tamper-evident storage. Audit queries on reconciliation results can be resolved in under 4 hours from log data alone.
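"Tamper-evident storage" for an audit trail usually means that any edit, reordering or deletion of a stored entry can be detected after the fact. The block below is an added example of one common way to achieve that, a SHA-256 hash chain over match, exception and override events; it is not TransactIG's logging code, and the entry fields and sample events are constructed for illustration. Each entry commits to the hash of the one before it, so a modified or removed entry breaks the chain at that point. The example also shows the caveat a reviewer would raise: a chain alone does not detect truncation of the tail, so the latest head hash has to be anchored somewhere the log writer cannot alter (the `expected_head` parameter stands in for that anchor).

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    """Constructed entry shape: who did what, to which record, after which entry."""
    seq: int
    timestamp: str
    user: str
    action: str        # e.g. "match", "exception", "override"
    details: dict      # action-specific payload, e.g. {"txn_id": ..., "reason": ...}
    prev_hash: str     # entry_hash of the previous entry (GENESIS_HASH for the first)
    entry_hash: str    # SHA-256 over all other fields, canonically serialised


def _digest(entry_fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on
    # dict ordering or formatting when the entry is stored and re-read.
    canonical = json.dumps(entry_fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def append(self, user: str, action: str, details: dict,
               timestamp: Optional[str] = None) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        fields = {"seq": len(self.entries), "timestamp": ts, "user": user,
                  "action": action, "details": details, "prev_hash": prev}
        entry = AuditEntry(**fields, entry_hash=_digest(fields))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Current chain head; this is the value to anchor outside the log store."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH


def verify_chain(entries: list[AuditEntry],
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first entry whose content, sequence number or
    back-link is wrong, len(entries) if the chain is shorter than the anchored
    head says it should be, or None if the chain is intact."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        fields = {k: v for k, v in asdict(e).items() if k != "entry_hash"}
        if e.seq != i or e.prev_hash != prev or _digest(fields) != e.entry_hash:
            return i
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return len(entries)   # entries were dropped from the tail
    return None


def history_for(entries: list[AuditEntry], txn_id: str) -> list[AuditEntry]:
    """The audit-query side: every decision recorded against one transaction."""
    return [e for e in entries if e.details.get("txn_id") == txn_id]


def with_modified_user(entries: list[AuditEntry], index: int, user: str) -> list[AuditEntry]:
    """Build a copy in which one stored entry's user field differs, to confirm
    that verification catches an after-the-fact edit."""
    copy = list(entries)
    copy[index] = replace(copy[index], user=user)
    return copy


if __name__ == "__main__":
    # Constructed events, not real reconciliation data.
    log = AuditLog()
    log.append("priya", "match", {"txn_id": "T1", "stmt_line": 17, "ledger_id": 903})
    log.append("priya", "exception", {"txn_id": "T2", "reason": "amount mismatch"})
    log.append("arun", "override", {"txn_id": "T2", "approved": True})
    print("intact:", verify_chain(log.entries, log.head()))
    print("edited entry detected at:", verify_chain(with_modified_user(log.entries, 1, "arun")))
    print("truncation detected at:", verify_chain(log.entries[:2], log.head()))
```

In practice the anchoring is the operational control: the head hash is written periodically to a store with different access rights than the log itself (or to an external service), and verification compares against that copy. Without it, someone with write access to the log store could rewrite the whole chain consistently.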
Access control
Role-based access control limits each user to the data sets and functions required for their role (A.5.15, A.8.3). Privileged access to production systems requires just-in-time approval and is reviewed monthly (A.8.2).
Vulnerability management
Infrastructure is scanned fortnightly. Critical findings — CVSS score 9.0+ — are remediated within 72 hours (A.8.8). SAST tooling runs on every code commit; no deployment proceeds without a clean security scan (A.8.28).
Business continuity
TransactIG runs on multi-AZ AWS infrastructure with no single point of failure (A.8.14). RTO and RPO targets are defined per service tier and tested annually via failover drill (A.5.30). Backups are encrypted and restoration is tested quarterly (A.8.13).
Security documentation available on request
Enterprise clients and procurement teams can request our ISO 27001:2022 certificate, security questionnaire responses, and data processing agreement for review.