Hosted in Mumbai & Hyderabad. Encrypted at rest and in transit. SOC 2 Type II and ISO 27001 certified. Built to RBI and DPDP Act standards.
Audited annually by Ernst & Young. Report available on request under NDA.
ISMS certified by BSI. Covers data, infra, people and processes.
India Digital Personal Data Protection Act compliant since enactment.
Payment data tokenized. We never store your customers' card details.
No security theatre. The actual things we do, the actual technologies we use.
Your data is meaningless to anyone who shouldn't see it.
The right people, only — and you'll know if anything changes.
Disaster recovery you can prove, not just promise.
Your books stay in India. Your data is yours, full stop.
A short, deliberate list. Each one vetted, contracted with DPAs, and listed publicly.
| Vendor | Purpose | Region | Data scope |
|---|---|---|---|
| AWS (ap-south-1) | Primary infrastructure & storage | Mumbai | All customer data |
| AWS (ap-south-2) | Disaster recovery | Hyderabad | Encrypted backups |
| Razorpay | Subscription billing | Bengaluru | Billing email, invoice metadata |
| Meta WABA | WhatsApp Business API | India | Phone numbers, message content |
| SendGrid | Transactional email | India edge, US origin | Email address, subject line |
| ClearTax GSP | Government GST filing | Bengaluru | GSTIN, return data only at filing |
Email security@mykharch.in with details. Our PGP key is on this page. We pay bounties up to ₹3,00,000 for critical issues.
Read full policy →Auto-receipt within 5 minutes; human triage within 4 business hours.
CVSS scored. Reproduction confirmed. Status updates every 48 hours.
Critical: ≤ 7 days. High: ≤ 14. Medium: ≤ 30. Low: next quarterly cycle.
Public CVE filed if applicable. Reporter credited. Bounty paid within 14 days.
We share both under NDA, usually within 24 hours. Indian financial-services firms have reviewed and approved us; yours can too.