Security at RupIt
Finance companies run on trust. We build and operate RupIt so you can extend that trust to us — with controls that are transparent, auditable, and designed for Indian regulatory expectations.
Infrastructure
- Hosted on ISO 27001 certified cloud data centres in India
- Private networks, hardened VMs, and least-privilege IAM roles
- Daily encrypted backups with point-in-time recovery
- DDoS protection and WAF at the edge
Application
- TLS 1.2+ in transit and AES-256 encryption at rest
- JWT authentication with short-lived tokens and refresh rotation
- Role-based access control down to the branch and module level
- Strict per-tenant data isolation on every query
Operations
- Change management with code review and automated CI checks
- Centralised audit logs for authentication and sensitive actions
- Quarterly access reviews and mandatory MFA for RupIt staff
- Incident response runbook with 24-hour customer notification SLA
Privacy & compliance
- Data residency in India for all customer tenants
- Sub-processors reviewed annually and listed on request
- Aligned with the Digital Personal Data Protection Act, 2023
- Vendor security questionnaires answered within 5 business days
How we practice security day to day
Secure SDLC
Every change goes through peer review, dependency scanning, and automated tests before it reaches production. Secrets are managed in a vault, never in source control.
Vulnerability management
We run continuous dependency and container scans, patch critical CVEs within 7 days, and engage independent penetration testers annually.
Data lifecycle
Customer data is encrypted, tenant-scoped, and deletable on request. Backups follow the same retention and destruction rules as production data.
Business continuity
Multi-AZ deployment, automated failover, and documented recovery objectives (RPO 1h, RTO 4h) keep the Platform available when it matters.
Reporting a vulnerability
If you believe you have found a security issue in RupIt, please email hello@propgic.com with details and reproduction steps. We acknowledge reports within 2 business days and keep you informed while we investigate. We do not take legal action against researchers who follow responsible disclosure.