Comparison

Security Checklist for Reconciliation Software: What Indian Enterprises Must Verify

Reconciliation software processes bank statements, TDS certificates, GST portal exports, and settlement reports simultaneously — the most concentrated set of sensitive financial data in an organisation. The security bar must match that data sensitivity, and for Indian enterprises, it must also satisfy RBI IT governance directions, SEBI cloud requirements, and DPDP Act 2023 obligations.

Terra Insight Reconciliation Infrastructure
Content authored by practitioners with experience at Amazon India, Intuit QuickBooks, and the Tata Group.

Published 24 March 2026

Domain expertise: TDS Reconciliation, GST Input Credit, Platform Settlements, NACH Batch Matching, Bank Reconciliation, Form 26AS Matching, ERP Integrations, Enterprise Finance Ops

A security checklist for reconciliation software used in India is a non-negotiable step in vendor evaluation — not because reconciliation platforms are inherently insecure, but because the data they process is uniquely sensitive. Bank statements, TDS certificates, GSTR-2B exports, and payment gateway settlement reports are, in combination, a complete picture of an organisation’s financial activity. A CISO, IT Head, or CFO evaluating a reconciliation vendor must verify ten specific security dimensions before onboarding. This article covers each checkpoint, why it matters in the Indian regulatory context, and what evidence to demand from the vendor.

What Reconciliation Software Security Involves

Reconciliation software for Indian businesses sits at the intersection of three data categories that carry independent regulatory obligations: financial data under the Companies Act and Income Tax Act, tax data under the GST regime and TDS provisions, and increasingly, personal data under the DPDP Act 2023.

A platform that handles all three categories simultaneously is not just an accounting tool — it is a data processor for some of the most sensitive transaction records an enterprise generates. The security controls required must match that classification, and for Indian enterprises specifically, they must also satisfy the IT governance requirements of sector regulators: RBI Master Directions for financial entities, SEBI’s cloud framework for market participants, and IRDAI’s cybersecurity guidelines for insurers.

Generic SaaS security checklists miss the India-specific angle. This checklist addresses both the baseline SaaS controls and the India-specific obligations.

Why Security Evaluation Is Harder Than It Looks

The Scope Problem in Certifications

Security certifications like ISO 27001 are meaningful only if the scope covers the right environment. A vendor can hold a valid ISO 27001 certificate for its corporate head office while the reconciliation application runs on an infrastructure environment that is outside the certification scope. The certificate is real; the coverage is not.

This scope gap is the most common security verification failure in enterprise software procurement. Always request the certification document and read the scope statement — it should explicitly name the reconciliation application and the hosting environment.

The Audit Trail Gap

The audit trail requirement for reconciliation software is stricter than for most enterprise applications, because reconciliation records are evidence in income tax assessments, GST audits, and statutory company audits. An audit trail that cannot be queried by date range, user, or transaction reference does not satisfy the evidentiary standard. Audit trail adequacy is a security question as much as a compliance question — it determines whether the record is tamper-evident and independently verifiable.

The Data Residency Blind Spot

Organisations on generic platforms find that financial data residency requirements are not always addressed in standard SaaS contracts. A vendor headquartered in India may host data on servers outside India, triggering cross-border data transfer obligations under the DPDP Act 2023 and creating compliance gaps for RBI-regulated entities. This must be verified at the infrastructure level, not accepted on the vendor’s word.

The 10-Point Security Checklist

Checkpoint 1 — ISO 27001:2022 Certification

Verify that the vendor holds current ISO 27001:2022 certification (not the superseded 2013 version) and that the certification scope explicitly covers the reconciliation application and its hosting infrastructure. Request the certificate and the scope statement. The scope statement is the document that matters — the certificate without the scope statement is insufficient.

Checkpoint 2 — Data Residency

Confirm that your financial data will be stored and processed on servers physically located in India. For RBI-regulated entities, this is a hard requirement under the RBI Master Direction on IT Governance. For all Indian enterprises, India-hosted data avoids the cross-border transfer complexity of the DPDP Act 2023. Request the vendor’s infrastructure architecture diagram and confirm the hosting region in the data processing agreement.

Checkpoint 3 — Encryption at Rest and in Transit

Verify AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit. These are minimum standards, not differentiators. A vendor who cannot confirm both is not qualified for financial data processing. Also verify key management practices: who holds the encryption keys, and whether each customer’s data encryption keys are logically separated from other customers’ keys.

Checkpoint 4 — Role-Based Access Controls

The reconciliation platform should enforce role-based access at a granular level: who can view matched transactions, who can initiate a manual override, who can export data, and who can change matching rules or configuration. For enterprises with segregation of duties requirements, the platform must support roles that prevent the same user from both matching transactions and approving exceptions. Request a demonstration of the permission model before signing.

Checkpoint 5 — Audit Trail Coverage

The audit trail must cover every match decision, every manual override, every data export, and every configuration change — with the user identity and timestamp for each action. The trail must be queryable by an external auditor without requiring vendor assistance. This is the evidentiary standard for income tax proceedings and statutory audit. Ask the vendor specifically: can a statutory auditor query the audit trail directly, and what format is the output?
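The evidentiary properties described in Checkpoints 4 and 5 (user-attributed, timestamped, tamper-evident, queryable, and able to expose a segregation-of-duties breach) can be made concrete with a small hash-chained audit trail. This is an added example, not the page’s or TransactIG’s code; the event fields, action names, user names and UTR-style transaction references are constructed for illustration.

```python
# Added example, not the page's or TransactIG's code: hash-chained audit trail for
# reconciliation actions with date/user/reference queries and an SoD check.
import hashlib
import json
GENESIS = "0" * 64  # prev_hash committed to by the first entry

class AuditTrail:
    def __init__(self):
        self.entries = []  # append-only; every entry commits to its predecessor's hash
    @staticmethod
    def _digest(e):  # canonical JSON of all fields except the hash itself
        canon = json.dumps({k: v for k, v in e.items() if k != "hash"},
                           sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()
    def record(self, ts, user, action, txn_ref, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        e = {"ts": ts, "user": user, "action": action,
             "txn_ref": txn_ref, "detail": detail, "prev_hash": prev}
        e["hash"] = self._digest(e)
        self.entries.append(e)
        return e["hash"]
    def verify(self):  # -1 if intact, else index of first edited/unlinked entry
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return -1
    def query(self, user=None, txn_ref=None, since=None, until=None):
        # ts values are ISO-8601 UTC strings, so lexical comparison is chronological
        return [e for e in self.entries
                if (user is None or e["user"] == user)
                and (txn_ref is None or e["txn_ref"] == txn_ref)
                and (since is None or e["ts"] >= since)
                and (until is None or e["ts"] <= until)]
    def sod_violations(self):  # refs where one user both matched and approved
        matcher = {e["txn_ref"]: e["user"] for e in self.entries if e["action"] == "match"}
        return sorted({e["txn_ref"] for e in self.entries
                       if e["action"] == "approve_exception"
                       and matcher.get(e["txn_ref"]) == e["user"]})

def sample_trail():  # constructed data: two UTRs handled by two staff members
    t = AuditTrail()
    for row in [("2026-03-01T09:00:00Z", "asha", "match", "UTR-0001", "ledger L-77"),
                ("2026-03-01T09:05:00Z", "ravi", "approve_exception", "UTR-0001", "override"),
                ("2026-03-02T10:00:00Z", "asha", "match", "UTR-0002", "ledger L-78"),
                ("2026-03-02T10:01:00Z", "asha", "approve_exception", "UTR-0002", "self"),
                ("2026-03-03T11:00:00Z", "ravi", "export", "-", "March batch to CSV")]:
        t.record(*row)
    return t
```

An auditor can run `verify()` to detect any retroactive edit or deletion, `query()` to pull the records for a date range, user, or transaction reference, and `sod_violations()` to list transactions where the matcher approved their own exception.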

Checkpoint 6 — Multi-Factor Authentication

All user access to the reconciliation platform — including administrative access — must require multi-factor authentication. Single-factor access for any role is a security gap. Also verify whether MFA is enforced at the application layer or whether it relies on the customer’s identity provider. Both are acceptable; neither is acceptable if it can be bypassed for specific roles.

Checkpoint 7 — Data Retention and Purge Policy

The retention policy must align with Indian statutory record-keeping requirements: 8 years under the Companies Act for books of account, 7 years under the Income Tax Act for assessment records, and 5 years under GST for return-related records. The vendor’s default retention period and the process for requesting data purge after the retention period expires must be documented in the contract. Also verify whether backup data is purged on the same schedule as production data.

Checkpoint 8 — API Security

If the platform integrates with your ERP, banking systems, or GST portal via API, verify OAuth 2.0 authentication for API access, rate limiting to prevent bulk data extraction, token expiry and rotation policies, and logging of all API calls with the consuming system identity. API access is a significant data exfiltration vector — a platform with strong application security but weak API controls has a meaningful gap.

Checkpoint 9 — Penetration Testing Cadence and Disclosure

Request the date, scope, and findings summary of the vendor’s most recent penetration test. Enterprise-grade practice is annual independent penetration testing by a CERT-In empanelled auditor, with critical and high findings remediated before the next customer deployment. A vendor who cannot provide penetration test evidence under NDA, or who has unresolved critical findings, is not suitable for financial data processing. Also ask about the vendor’s responsible disclosure policy for security vulnerabilities.

Checkpoint 10 — Incident Response SLA

The data processing agreement must specify the vendor’s obligations in the event of a security incident: notification timeline (DPDP Act requires notification to the Data Protection Board within 72 hours of a breach), the information included in the initial notification, and the escalation path. For TDS reconciliation deployments in India, a breach affecting TDS certificate data triggers obligations under both the DPDP Act and the Income Tax Act. Verify these SLAs before contract execution.

Security Certification Comparison

| Requirement | What to Verify | Why It Matters for Reconciliation Data |
| --- | --- | --- |
| ISO 27001:2022 | Certification scope covers reconciliation application and hosting infrastructure; 2022 version (not 2013) | Confirms audited ISMS covering the environment that processes bank statements, TDS certificates, and GST exports |
| SOC 2 Type II | If vendor holds SOC 2, verify Type II (operational, not just design) and that the audit period is current (within 12 months) | Confirms controls have been tested over time, not just documented at a point in time |
| RBI cloud compliance | For RBI-regulated customers: confirm vendor’s cloud hosting meets RBI Master Direction on IT Governance and Cyber Security for data localisation and IT outsourcing | Direct regulatory requirement for banks, NBFCs, and payment system participants using third-party financial software |
| DPDP Act 2023 readiness | Confirm data processing agreement includes data fiduciary/processor obligations, India-only residency commitment, and breach notification SLA of 72 hours | All Indian enterprises processing personal financial data are subject to DPDP Act; vendor must be a compliant data processor |
| Penetration test frequency | Annual minimum; CERT-In empanelled auditor; most recent test within 12 months; critical findings remediated | Financial data platforms are high-value targets; untested security postures are unacceptable for enterprise onboarding |

The India-Specific Regulatory Angle

Three India-specific frameworks create obligations that generic security checklists miss entirely.

RBI Master Direction on IT Governance applies to banks, NBFCs, payment aggregators, and payment system participants. For these entities, using a third-party reconciliation platform that does not meet the IT outsourcing and data localisation requirements of the Master Direction creates a regulatory compliance gap. The vendor must be able to confirm their architecture satisfies the Master Direction’s requirements for critical IT systems, and the enterprise must document this as part of its IT risk management framework.

SEBI cloud framework requirements apply to registered market intermediaries. SEBI’s circular on cloud adoption requires that data used for market surveillance, compliance reporting, and audit purposes be hosted in India and accessible on demand to SEBI. A reconciliation platform used by a broker, mutual fund, or depository participant must satisfy these requirements — a vendor cannot simply claim general cloud compliance; they must map to the specific SEBI framework.

DPDP Act 2023 created obligations for all Indian enterprises processing personal data. Bank statements contain account holder names and account numbers. TDS certificates contain PAN details and deductee names. GSTR-2B exports contain supplier PAN and GSTIN details. All of these qualify as personal data under the DPDP Act. The enterprise deploying reconciliation software is the data fiduciary; the vendor is a data processor. The vendor must operate under a lawful data processing agreement that documents purpose limitation, security safeguards, and cross-border transfer restrictions.

What TransactIG’s Security Architecture Covers

TransactIG holds ISO 27001:2022 certification with scope covering the reconciliation application and its hosting infrastructure on AWS Mumbai. AWS Mumbai satisfies the India data residency requirement for RBI-regulated entities and DPDP Act compliance. Every match decision, manual override, and data export is logged with user identity and timestamp — the audit trail is queryable and tamper-evident.

The platform’s role-based access controls support segregation of duties configurations required by enterprise governance frameworks. API access operates on OAuth 2.0 with token expiry and call logging. Data retention policies align with Companies Act and Income Tax Act record-keeping requirements.

For CISOs and IT Heads running a formal vendor security evaluation, the security checklist above maps directly to TransactIG’s architecture. Each of the ten checkpoints has documented evidence available for review during the discovery and configuration scoping process — a process that begins with a demo conversation where your specific security and compliance requirements are mapped before any configuration begins.

Primary reference: Institute of Chartered Accountants of India — where audit and financial reporting standards for Indian enterprises are published.

Frequently Asked Questions

Does ISO 27001 certification guarantee that a reconciliation vendor's platform is secure?

ISO 27001:2022 certification confirms that the vendor has an audited information security management system covering the scoped environment, but the scope matters. A certification that covers only the vendor's corporate office, and not the reconciliation application and its data hosting environment, provides no assurance about the application itself. Always verify that the certification scope explicitly includes the reconciliation platform and the infrastructure on which it runs.

What does India data residency mean for reconciliation software, and why does it matter?

Data residency means that financial data — bank statements, TDS certificates, settlement reports — is stored and processed on servers physically located in India. RBI's Master Direction on IT Governance requires regulated entities to ensure data localisation for critical financial data. For non-RBI-regulated enterprises, the DPDP Act 2023 creates additional obligations around cross-border data transfers. An India-hosted deployment on AWS Mumbai, for example, satisfies both requirements and avoids cross-border transfer complexity.

What audit trail standard should a reconciliation platform meet for income tax proceedings?

The Income Tax Act and the Companies Act both require that books of account and supporting records be maintained in a form that can be produced during an audit or assessment proceeding. For reconciliation records, this means the audit trail must be user-attributed (who matched or overrode each entry), timestamped (when each action occurred), tamper-evident (the trail cannot be modified retroactively), and queryable (an auditor can search by date range, user, or transaction reference). Platforms that log actions only in application logs, without a structured queryable interface, typically do not satisfy the evidentiary standard.

How does the DPDP Act 2023 affect reconciliation software procurement in India?

The Digital Personal Data Protection Act 2023 classifies individuals' financial data as personal data. When reconciliation software processes bank statements or TDS certificates containing individual account holder or deductee details, the enterprise deploying the software is a data fiduciary, and the software vendor is a data processor. The enterprise must ensure the vendor operates under a lawful data processing agreement, implements adequate security safeguards, and does not transfer personal data outside India without meeting the DPDP Act's cross-border transfer conditions.

What penetration testing frequency should a reconciliation software vendor demonstrate?

Enterprise-grade security practice for financial applications requires at minimum annual penetration testing by an independent CERT-In empanelled auditor, with results disclosed to prospective customers under NDA. Vendors processing significant financial data volumes should conduct testing twice yearly. Ask specifically for the date of the most recent penetration test, the scope of the test (black box, white box, or grey box), and whether critical or high findings from the last test have been remediated before deployment.

See how TransactIG handles reconciliation for your industry

Configuration takes 2–4 weeks. No code development required. ISO 27001:2022 certified.