Security & Trust

Your books deserve bank-grade protection.

Hosted in Mumbai & Hyderabad. Encrypted at rest and in transit. SOC 2 Type II and ISO 27001 certified. Built to RBI and DPDP Act standards.

SOC 2
Type II

SOC 2 Type II

Audited annually by Ernst & Young. Report available on request under NDA.

ISO
27001

ISO 27001:2022

ISMS certified by BSI. Covers data, infra, people and processes.

DPDP
Act

DPDP Act ready

India Digital Personal Data Protection Act compliant since enactment.

PCI
DSS

PCI DSS L1

Payment data tokenized. We never store your customers' card details.

Four pillars of trust.

No security theatre. The actual things we do, the actual technologies we use.

Encryption everywhere

Your data is meaningless to anyone who shouldn't see it.

  • AES-256 at rest, on every database, backup and snapshot
  • TLS 1.3 in transit, with HSTS and forward secrecy
  • Field-level encryption on PAN, GSTIN, bank account numbers
  • Per-tenant encryption keys rotated quarterly via AWS KMS

Access & identity

The right people, only — and you'll know if anything changes.

  • 2FA mandatory for all paid accounts (TOTP or SMS)
  • SSO via Google, Microsoft & SAML 2.0 on Scale plan
  • Role-based access control with custom permission sets
  • Immutable audit log — every action, every user, forever

Resilience & backups

Disaster recovery you can prove, not just promise.

  • Multi-AZ deployment across Mumbai and Hyderabad
  • Point-in-time recovery for 35 days, daily encrypted backups
  • RPO ≤ 5 minutes · RTO ≤ 60 minutes, tested quarterly
  • 99.95% uptime SLA on Scale, 99.5% on Business

Privacy & data residency

Your books stay in India. Your data is yours, full stop.

  • 100% data residency in India — Mumbai (ap-south-1) primary
  • Compliant with DPDP Act, GST data-protection norms
  • Export & delete on request — full takeout in Tally XML / CSV
  • We never train AI on your books, ever

Our sub-processors.

A short, deliberate list. Each one vetted, contracted with DPAs, and listed publicly.

VendorPurposeRegionData scope
AWS (ap-south-1)Primary infrastructure & storageMumbaiAll customer data
AWS (ap-south-2)Disaster recoveryHyderabadEncrypted backups
RazorpaySubscription billingBengaluruBilling email, invoice metadata
Meta WABAWhatsApp Business APIIndiaPhone numbers, message content
SendGridTransactional emailIndia edge, US originEmail address, subject line
ClearTax GSPGovernment GST filingBengaluruGSTIN, return data only at filing
Responsible disclosure

If you find a bug, we'll fix it fast.

Email security@mykharch.in with details. Our PGP key is on this page. We pay bounties up to ₹3,00,000 for critical issues.

Read full policy →
Hour 0

Acknowledgement

Auto-receipt within 5 minutes; human triage within 4 business hours.

Day 1–3

Triage & severity

CVSS scored. Reproduction confirmed. Status updates every 48 hours.

Day 7–30

Patch & deploy

Critical: ≤ 7 days. High: ≤ 14. Medium: ≤ 30. Low: next quarterly cycle.

Day 30+

Bounty & disclosure

Public CVE filed if applicable. Reporter credited. Bounty paid within 14 days.

Need our SOC 2 report or DPA?

We share both under NDA, usually within 24 hours. Indian financial-services firms have reviewed and approved us; yours can too.

Request documents Talk to security team