Security & compliance
Security and compliance by design.
A wealth platform holds the financial lives of every client it touches. Our security posture is not an afterthought — it is the foundation.
Posture at a glance
Built for the scrutiny it will face.
Residency
Data in India
All client data is stored and processed within Indian jurisdiction. Primary region Mumbai, DR in Hyderabad.
Encryption
AES-256 · TLS 1.3
Encryption at rest via AES-256. Encryption in transit via TLS 1.3. Keys rotated on a scheduled cadence.
Access
Role-based · MFA
Granular role and entitlement model. Mandatory MFA for platform administrators. Session auditing on every action.
Backups
Point-in-time recovery
Hourly snapshots. 35-day retention. Tested quarterly disaster recovery with documented RTO/RPO.
Monitoring
24 × 7 SOC
Security operations monitoring with anomaly detection, intrusion detection, and incident response playbooks.
Audit
Full trail, immutable
Every user action logged with before/after state. Logs are append-only and retained per regulatory requirement.
Certifications & alignment
Verified where it counts.
SEBI / AMFI
Regulatory alignment for MFD, RIA, and distributor workflows. AMFI data-sharing specification compliance.
Aligned
DPDP Act 2023
Data Protection & Digital Privacy framework. Consent management, data subject rights, breach notification.
Compliant
ISO / IEC 27001
Information Security Management System. Audit planned Q4 2026 with an accredited certification body.
Roadmap · Q4 2026
SOC 2 Type II
Security, availability, and confidentiality trust principles. Observation window opens H1 2026.
Roadmap · 2026
VAPT
Annual third-party vulnerability assessment and penetration testing. Report available under NDA.
Annual
Principles
The rules we wrote first.
- 01 Least privilege, always. Every user, every process, every service gets the minimum access it needs — and nothing more. Access is reviewed quarterly. Departures are de-provisioned within the hour.
- 02 Your data is yours. We do not sell it. We do not train models on it. We do not use it for any purpose other than delivering the Finvica service to you. On exit, your full dataset is exported and our copies are deleted.
- 03 Separation of duties. No single Finvica employee can unilaterally access production client data. Sensitive actions require multi-party approval and are logged to an immutable audit trail.
- 04 Transparent incidents. If something goes wrong, you hear from us — fast, factually, and in plain language. A public status page tracks availability in real time.
- 05 Defense in depth. Network, application, data, and identity layers each enforce independent controls. A compromise at one layer does not cascade to the others.
Due diligence
Need the long-form pack?
Our security documentation pack — architecture, controls matrix, VAPT summary, DPA template — is available to prospective customers under a mutual NDA.
Request the pack