Security & trust · Private beta
The books you trust us with stay yours.
TatvaBooks is currently in private beta. This page is an honest snapshot of where our security posture stands today, what's in progress, and what we won't claim until it's true. Nothing here is marketing — it's a working document.
Our principles
Four things we don't compromise on.
Your data lives in India.
TatvaBooks runs on AWS Mumbai (ap-south-1). Customer data is stored and processed only in that region; we do not replicate it outside India, and we are aligned with the DPDP Act 2023 by design, not as an opt-in. A hot standby in a second Indian region is on the roadmap for public launch.
Encryption at rest and in transit.
AES-256 encryption for data at rest. TLS 1.3 for data in transit. Encryption keys managed in AWS KMS. Document attachments are stored encrypted and decrypted only on access.
Auditable to the last entry.
Every transaction, edit, login and permission change is logged with timestamp, user and source IP. Logs are append-only: entries cannot be edited or deleted, by you or by our staff. They are retained for the longer of the periods Indian law requires (GST: 6 years; Companies Act: 8 years). You can export your logs at any time.
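An exported log is only as trustworthy as your ability to check that nothing in it was altered after the fact. The snippet below is an added illustration of one standard way to make an exported log tamper-evident (a SHA-256 hash chain, where each record commits to the one before it). It is not TatvaBooks' code and says nothing about how our logs are actually stored; the event records are constructed sample data, and the field names (ts, user, ip, action) are assumptions for the example.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # sentinel "previous hash" for the first record


def entry_hash(prev_hash, entry):
    """SHA-256 over the previous record's hash and the canonical JSON of this entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical).hexdigest()


def append_entry(chain, entry):
    """Append an event to the chain, linking it to the current head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    record = {"entry": entry, "prev": prev_hash, "hash": entry_hash(prev_hash, entry)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Walk the chain from genesis. Returns (ok, index, reason);
    index is the first bad record, or len(chain) when everything checks out."""
    prev_hash = GENESIS_HASH
    for i, record in enumerate(chain):
        if record["prev"] != prev_hash:
            return False, i, "prev hash does not match preceding record"
        if entry_hash(record["prev"], record["entry"]) != record["hash"]:
            return False, i, "entry contents do not match stored hash"
        prev_hash = record["hash"]
    return True, len(chain), "chain intact"


# Constructed sample events for the example; not real log data.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T09:00:00+05:30", "user": "ca@example.in",
     "ip": "203.0.113.10", "action": "login"},
    {"ts": "2025-04-01T09:05:12+05:30", "user": "ca@example.in",
     "ip": "203.0.113.10", "action": "edit", "voucher": "INV-0042", "amount": 1250.00},
    {"ts": "2025-04-01T09:06:40+05:30", "user": "owner@example.in",
     "ip": "198.51.100.7", "action": "permission_change",
     "target": "ca@example.in", "role": "viewer"},
]


def build_sample_chain():
    chain = []
    for event in SAMPLE_EVENTS:
        append_entry(chain, event)
    return chain


def tamper_edit(chain):
    """Attacker changes a past amount but leaves the hashes alone."""
    forged = copy.deepcopy(chain)
    forged[1]["entry"]["amount"] = 125000.00
    return verify_chain(forged)


def tamper_edit_and_rehash(chain):
    """Attacker changes an entry and recomputes its hash; the next link still breaks."""
    forged = copy.deepcopy(chain)
    forged[1]["entry"]["amount"] = 125000.00
    forged[1]["hash"] = entry_hash(forged[1]["prev"], forged[1]["entry"])
    return verify_chain(forged)


def tamper_delete(chain):
    """Attacker drops a record from the middle of the chain."""
    forged = copy.deepcopy(chain)
    del forged[1]
    return verify_chain(forged)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("head hash:", chain[-1]["hash"])
    print("original :", verify_chain(chain))
    print("edited   :", tamper_edit(chain))
    print("rehashed :", tamper_edit_and_rehash(chain))
    print("deleted  :", tamper_delete(chain))
```

The chain detects edits, re-hashed edits and deletions inside the export, but a party who holds the whole chain can simply rebuild it from scratch. What makes this useful in practice is keeping the head hash somewhere the log owner does not control: record it when you take an export, and compare it against the head of the next one.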
Least privilege, by default.
Engineers do not have standing access to customer books. Production access is gated, requires multi-factor authentication, and every session is logged. We are explicit: we don't read your data unless you ask us to (e.g., a support ticket).
Certifications
Certifications — where we actually stand.
GSTN GSP registration · in progress
We are pursuing GSP (GST Suvidha Provider) authorisation from the GSTN. Target: before public launch.
ISO/IEC 27001 · audit planned (2027)
We have begun internal preparation for ISO 27001 certification. We will not claim the certification until it is granted in writing by an accredited body.
SOC 2 Type I · target Q2 FY 2027-28
Trust Service Criteria scope being finalised. We will share the report under NDA when issued. Until then, we do not claim it.
DPDP Act 2023 · aligned by design
Indian data residency, consent-based collection, a privacy contact for DPDP requests, and a breach-notification process. The Act's compliance regime is still being framed; we will keep this section updated.
Operations
The boring stuff that matters.
Daily encrypted backups
Backups encrypted with AES-256, stored in a separate AWS Mumbai bucket. Point-in-time recovery for the last 7 days during beta; will extend to 35 days at public launch.
Uptime — measured, not promised
We don't yet offer a contractual uptime SLA during private beta. Once public launch lands, the target is 99.9% on paid plans, with a public status page.
Penetration testing roadmap
Pre-launch external penetration test scheduled before public availability. We'll publish a summary of findings and remediations on this page.
Responsible disclosure
Found a vulnerability? Email support@tatvabooks.com with 'security' in the subject. We aim to acknowledge within 24 hours and triage within 3 working days.
Indian compliance
Built for the laws your CA cares about.
TatvaBooks is built for the Indian regulatory regime from the ground up. We don't bolt on compliance — it's in the data model.
- DPDP Act 2023 — Indian data protection compliance
- GST law — record retention for 6 years
- Companies Act 2013 — books of account preservation
- Income Tax Act — TDS rules and fair-market-value rules (Rule 11U/11UA)
- RBI cyber-security framework — for NBFCs that need it
- IRDAI guidelines — for insurance brokers that need it
Reach the security team
Report a vulnerability or request our security pack.
Security team
support@tatvabooks.com
Privacy / DPO
support@tatvabooks.com
SOC 2 Type I and ISO 27001 audits are not yet complete — we won't claim them until certificates are issued in writing. Prospects on private beta can request our current security questionnaire and architecture summary under NDA by emailing support@tatvabooks.com.
See our privacy policy
Curious how the data flows? It's in the docs.
Our Privacy Policy and DPA spell out exactly what we collect, why, and what your rights are.