TransactIQ · Security

Regulator-defensible by architecture

TransactIQ processes personal and financial data for regulated entities. Security is not a feature bolt-on — it is the operating envelope inside which every other product choice is made. This page sets out certifications, controls, and the regulator-engagement posture a lender can rely on.

Certifications and frameworks

ISO 27001:2022

Information security management system certified against the 2022 revision of the ISO standard. Terra Insight's controls cover organisational, people, physical, and technological domains — audited annually by an accredited registrar.

Make in India · Startup India

Terra Insight Pvt. Ltd. is an Indian-domiciled software product company recognised under both programmes. Development, operations, and management are all within India.

DPDP Act 2023 aligned

The Digital Personal Data Protection Act's consent, purpose-limitation, data-retention, and fiduciary-duty requirements shape every product surface. Personal-data processing inside TransactIQ runs under documented purposes consented by the data principal.

RBI IT Governance aligned

RBI Master Directions on Outsourcing of IT Services and IT Governance shape TransactIQ's operating model — data localisation, vendor due-diligence, exit management, and incident reporting are built into how the service is delivered to regulated entities.

Operating controls

The controls are designed to withstand customer due diligence, third-party audit, and regulator review, not just to tick a marketing checkbox.

Data residency

Every TransactIQ deployment tier keeps customer data inside the India data plane. Self-hosted tenants run in the lender's own VPC; managed and private tenants run on AWS Mumbai. No statement or extracted signal ever leaves the country.

Encryption

Data at rest is encrypted with managed keys on the underlying storage layer. Data in transit uses TLS 1.2+ for every integration surface — ingest, API, webhook delivery, and administrative access.

Tenant isolation

Managed-tier tenants are logically isolated at the data layer; private-tier tenants receive a dedicated single-tenant data plane. Cross-tenant data access is not possible in either shape by design.

Access control

Administrative access is role-based, MFA-enforced, and auditable per operator action. Break-glass pathways are documented, logged, and time-bounded. No standing production shell access is granted to Terra Insight personnel.

Audit trail

Every processed statement carries a tamper-evident audit record: when it arrived, which pipeline version processed it, what signals were produced, and which principal requested the result. This supports SAR filings and regulator-directed reviews without out-of-band retrieval.

Vulnerability management

Continuous dependency scanning, container image scanning, and periodic third-party penetration testing. Findings are triaged within documented SLAs. Remediation evidence is retained for audit.

Regulator-engagement posture

What a lender can expect when the regulator, auditor, or data principal comes asking.

Regulator-directed reviews

If the RBI or a banking regulator directs a review of lender underwriting practices that includes the bank statement analysis vendor, TransactIQ cooperates through the lender's formal regulator engagement — audit trail production, process documentation, control evidence. The lender is the regulated entity; TransactIQ supports their response.

DPDP data-principal rights

Erasure and access requests from data principals are routed through the lender as data fiduciary. TransactIQ's operating model supports the timely execution of these requests without interrupting live underwriting.

Incident reporting

TransactIQ's incident-response playbook includes direct-to-customer notification paths with materiality thresholds documented in the MSA. Relevant RBI cybersecurity incident reporting timelines are met without needing customer-side coordination.

Exit and data portability

At contract end, a lender receives a documented extraction of their data and configurations. The exit pathway is contractually defined, not ad-hoc. This addresses the RBI guidance on concentration risk and escape velocity.

Need the full due-diligence pack?

The vendor due-diligence questionnaire response, certification evidence, and RBI outsourcing governance documentation are available to evaluating lenders under NDA.
