Security

Last updated June 16, 2026

Security is foundational to Vertofi, not an afterthought. Because we handle accounting, GST, banking, payroll and invoice data, we apply defense-in-depth controls across our application, infrastructure and operations. This page summarises those controls; detailed documentation is available to enterprise customers under NDA.

1. Encryption in Transit

All data exchanged between your browser, our APIs, and integrated services is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject insecure connections.

2. Encryption at Rest

Data stored in our databases, object storage and backups is encrypted at rest using strong, industry-standard algorithms. The most sensitive identifiers receive additional field-level protection, and passwords are stored only as salted cryptographic hashes — never in plain text.

3. Access Controls

We enforce role-based and attribute-based access control so users and staff can access only what their role permits. Authentication supports multi-factor verification, and sensitive financial actions require step-up verification. Internal administrative access follows least-privilege principles and is restricted and monitored.

4. Multi-Tenant Isolation

Every record is scoped to its organisation, and isolation is enforced at both the application and database layers, including row-level security policies and per-request authorisation checks, so no organisation can ever read or modify another organisation’s data. Tenant isolation is continuously regression-tested.

5. Audit Logging

Sensitive and financial actions are recorded in an append-only, tamper-evident audit log, enabling traceability of who did what and when. Audit records support investigation, compliance and customer transparency.

6. Backup Strategy

We maintain encrypted, regularly scheduled backups with defined retention and tested restoration procedures to protect against data loss, with the ability to recover to a recent point in time.

7. Incident Response

We maintain an incident-response process to detect, triage, contain, remediate and learn from security events, and to notify affected customers and authorities where required by law. To report a security concern, email privacy@vertofi.com or info@vertofi.com.

8. Infrastructure Security

The platform runs on reputable cloud infrastructure with data residency in India, network segmentation, restricted ingress through a hardened API gateway, rate limiting, secrets management, and continuous monitoring. Production access is limited, authenticated and logged.

9. Vendor Security

We integrate only with reputable providers — including the WhatsApp Business Platform (Meta), payment processors, GST Suvidha Providers, and RBI-licensed Account Aggregators — and share only the data necessary for each function under contractual confidentiality and security obligations. Bank connections are consent-based and revocable.

10. Compliance Posture

Vertofi is engineered toward SOC 2 and ISO 27001 control objectives and operates in line with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023. We continuously improve our controls as we scale. See our Privacy Policy for how we handle personal data.