
Security Policy

Privacy Practices

We will never sell or rent users’ information or data to anyone. We never use or transfer your data to serve ads, including retargeting, personalised, or interest-based advertising.

We will never provide any part of your information to anyone unless you have consented to it. Please refer to our privacy policy for more information.

Infrastructure/Peripheral Security:

Stack’s infrastructure is hosted on Amazon Web Services (AWS). We run a robust and scalable multi-level architecture built on AWS’s most secure services. Our infrastructure strictly follows the AWS Well-Architected Framework, making Stack secure, high-performing, resilient, and efficient.

All of our servers are kept inside a Virtual Private Cloud (VPC), and environments are isolated from one another using subnetting. The servers are physically located in the AWS Asia Pacific (Mumbai) Region in India.

We have a network firewall and a Web Application Firewall (WAF) in place and have implemented industry best practices such as the OWASP guidelines to secure them. We have also deployed the latest version of ModSecurity on the Web Application Firewall to mitigate newly emerging attacks against public-facing applications.

Distributed Denial-of-Service (DDoS) attacks are mitigated using multi-level defensive firewalls.

Data Security:

All user data is kept in encrypted form at all times. Encryption is applied both in transit and at rest.

Data in transit is encrypted with bank-grade TLS, which protects users' data from man-in-the-middle and eavesdropping attacks.

At the data storage level, we take care of data atomicity, consistency, integrity, and durability. We have also enabled activity logging and auditing so that intrusions into the system can be detected swiftly. We use data replication for resiliency and disaster recovery, and we test our backups to ensure they can be relied upon.

Additionally, multi-level role-based access control is implemented to protect users' data. Internally, we restrict access to the development servers by combining identity management with secured private VPN tunnels.

For more information, please check the privacy policy.

Application Security:

We have implemented a strict password policy and mandatory Two-Factor Authentication (2FA) for user login. Additionally, location-based access control is in place to restrict unauthorised access to the application.

All data sent to and from the application must pass through our data validation layer, which protects the application from malicious code injection.

System Breach Detection and Penetration Testing:

Our internal team, together with external stakeholders, carries out periodic security and vulnerability testing and assessments, using standardised products for both manual and automated testing.

We have also engaged CERT-In certified auditors to perform external testing and audits at regular intervals.

Standards and Compliance:

We have implemented the compliance requirements and standards laid out by the National Payments Corporation of India (NPCI) for the Bharat Bill Payment System (BBPS). We also comply with the “Data Localisation” requirements set out in the guidelines of the Reserve Bank of India (RBI).

Responsible Disclosure:

We are committed to keeping our users' data safe and secure. To keep our users' trust, we have implemented the highest grade of security standards, and we periodically perform vulnerability scans, conduct penetration tests, and apply security patches to our systems.

Despite our best efforts, if you are a tech enthusiast or a researcher and identify a potential security vulnerability, we encourage you to report it responsibly by writing to us at security@stackfinance.co, along with supporting screenshots or videos and the detailed steps required to reproduce the vulnerability.

We will make our best efforts to address and fix the issue within a reasonable time frame, and we request that you do not disclose it publicly in the meantime.

Note: While we appreciate your effort, if the vulnerability has been used for unlawful gain, we may take legal action against you.