Trust & Security

Your books deserve enterprise-grade security

AskBooks holds your most sensitive financial data: invoices, payroll, GST returns, bank reconciliations. We protect it with the same controls that banks and listed enterprises rely on, and we are putting those controls through independent audit (ISO 27001 and SOC 2 status below).

ISO 27001
In progress
SOC 2
In progress
DPDPA
Compliant
AWS Mumbai
Hosted in India
99.97%
Uptime SLA

How we protect your data

Defence in depth, audited continuously

Six layers of control, from encryption and key management through staff access, audit logging and network isolation.

Encryption at rest

AES-256 encryption on all customer data, databases, backups, and object storage. Keys are managed via AWS KMS with automatic rotation every 90 days.

Encryption in transit

TLS 1.3 for every connection between your browser, our APIs, and our database. HSTS preloaded. Weak ciphers explicitly disabled.

Key management

Customer-managed encryption keys (CMEK) available on Enterprise. Master keys stored in AWS KMS HSMs. Application keys never touch disk.

MFA-only staff access

Every AskBooks employee uses hardware-backed MFA. Production access is JIT-approved, time-bound, and recorded session-by-session.

Audited access logs

Every read and write to customer data is logged with actor, IP, and timestamp. Logs are immutable and retained for 365 days.

Network isolation

Customer workloads run in private VPCs with no public ingress to the data tier. WAF, IDS, and DDoS mitigation are always on.

Data residency

Hosted in India, only in India

Indian businesses need Indian data sovereignty. AskBooks runs entirely in AWS Mumbai with multi-AZ redundancy, daily encrypted backups, and tested disaster recovery.

  • AWS Mumbai (ap-south-1) — primary and standby in two availability zones
  • No data leaves Indian territory at any point in its lifecycle
  • Daily encrypted backups retained for 35 days
  • Point-in-time recovery to any second within the last 7 days
  • Disaster-recovery RPO ≤ 5 minutes, RTO ≤ 1 hour
  • Quarterly DR drills with restoration testing

Authentication

Modern identity, no shortcuts

Authentication is the front door to every accounting system. We use the same primitives as banks: asymmetric tokens, hardened password storage, and revocable sessions.

  • RS256 asymmetric JWT (private key never leaves the auth service)
  • TOTP-based multi-factor authentication (RFC 6238)
  • Argon2id password hashing with per-user salts
  • Exponential backoff on repeated failed logins, with lockout after 5 failed attempts
  • Session tokens with JTI revocation — instant logout across devices
  • Password breach checks against the HIBP corpus on every change
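The RS256-plus-jti design in the list above, as an added example that is not AskBooks code: the auth service signs a JWT carrying a fresh jti, and a verifier that holds only the public key pins the algorithm to RS256 (so an alg=none header, or a token re-signed with HS256 under the public key, is refused), checks signature and expiry, then consults the revocation set, which is what makes logout take effect on every device before the token expires. The key pair, claim set, token lifetime and in-memory revocation map are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims: subject, the unique jti the revocation set keys on, and expiry in Unix seconds.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sum(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }

func decodeJSON(seg string, dst any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, dst)
}

// Sign runs only in the auth service, the sole holder of the private key; RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
func Sign(key *rsa.PrivateKey, sub, jti string, ttl time.Duration) (string, error) {
	body, _ := json.Marshal(Claims{Sub: sub, Jti: jti, Exp: time.Now().Add(ttl).Unix()})
	input := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify needs only the public key and the revoked-jti set (a map here; in production a
// shared store that keeps each jti until that token's exp). alg is pinned before anything
// else, so alg=none or an HS256 header "signed" with the public key is refused.
func Verify(pub *rsa.PublicKey, revoked map[string]bool, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a mangled encoding simply fails to verify
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum(parts[0]+"."+parts[1]), sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	if time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("expired")
	}
	if revoked[c.Jti] {
		return nil, fmt.Errorf("revoked")
	}
	return &c, nil
}

// Demo returns verdicts on: the genuine token, a copy with an edited payload,
// a copy relabelled alg=none, and the genuine token after its jti is revoked.
func Demo() ([]string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway pair, constructed for the example
	if err != nil {
		return nil, err
	}
	tok, err := Sign(key, "user-42", "jti-0001", time.Hour)
	if err != nil {
		return nil, err
	}
	revoked := map[string]bool{}
	verdict := func(t string) string {
		if _, err := Verify(&key.PublicKey, revoked, t); err != nil {
			return err.Error()
		}
		return "valid"
	}
	p := strings.Split(tok, ".")
	tampered := p[0] + "." + b64([]byte(`{"sub":"admin","jti":"jti-0001","exp":9999999999}`)) + "." + p[2]
	none := b64([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + p[1] + "."
	out := []string{verdict(tok), verdict(tampered), verdict(none)}
	revoked["jti-0001"] = true // "log out everywhere": signature and expiry still good, token refused
	return append(out, verdict(tok)), nil
}
func main() { fmt.Println(Demo()) }
```

The revocation set must be shared by every verifier and must outlive the longest token lifetime; a denylist that is local to one API node, or purged before exp, reopens exactly the window the jti is meant to close.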

Compliance & certifications

Independent audits, not self-attestation

We do not ask you to take our word for it. Each programme below shows its current status, and the supporting evidence is available under NDA.

ISO 27001

In progress

Information security management system. Audit scheduled; gap assessment complete.

SOC 2

In progress

Type I (a point-in-time assessment of control design) first; Type II, which requires an observation period, after our first 6 months of operating evidence.

DPDPA 2023

Compliant

Aligned with the Digital Personal Data Protection Act. Indian data principal rights honoured.

GST integration

Built-in

Direct GSTN integration for return filing, e-Invoice IRN and e-Way Bill generation.

Subprocessors

The full list of who we share data with

These are the only third parties that may process customer data. Each has a signed DPA.

Subprocessor        | Purpose                              | Region              | DPA
Amazon Web Services | Hosting, compute, storage, KMS       | Mumbai (ap-south-1) | Signed
Razorpay            | Payment processing for subscriptions | India               | Signed
Twilio              | SMS and WhatsApp delivery (optional) | India routed        | Signed
AWS SES             | Transactional email delivery         | Mumbai (ap-south-1) | Signed

We provide 30 days' notice before adding or replacing any subprocessor on Enterprise plans.

Responsible disclosure

Bug bounty program

Found a vulnerability? We reward responsible disclosure with bounties up to ₹2,00,000 for critical findings. Our safe-harbour policy protects researchers acting in good faith.

  • Acknowledgement within 24 hours
  • Public hall of fame on resolution
  • CVE assignment for valid reports
security@askbooks.in

Incident response

Transparent and documented

When something goes wrong, you hear it from us first. Our incident response team is on call 24×7 with documented runbooks for every severity tier.

  • 24-hour customer notification SLA
  • Public postmortem within 7 days for SEV-1
  • Live status page with component-level health

Doing diligence on AskBooks?

Procurement and security teams can request our security architecture overview, gap assessment, penetration-test summary, and DPA under NDA. Our trust team responds within one business day.

Security FAQ

Common questions from security teams

Where is my data stored and who can access it?

All customer data lives in AWS Mumbai (ap-south-1) and never leaves Indian territory. Only a small, audited engineering team has just-in-time production access — every action is logged and retained for 365 days.

What happens if I lose access to my account?

Account recovery is a multi-step verified process. We confirm identity through your registered email, phone, and (for paid plans) a video verification with our trust team. Recovery typically completes within 4 business hours.

Can I get a copy of your audit reports?

Our ISO 27001 and SOC 2 audits are in progress. In the meantime, we share our gap assessment, penetration-test summary, and architecture overview under NDA. Email security@askbooks.in and we will route you to the trust team within one business day.

Do you run penetration tests?

Quarterly internal pen tests and an annual external test by a CERT-In empanelled vendor. Critical and high findings are triaged within 24 hours and remediated within 30 days under a documented SLA.

How do you handle a security incident?

We follow a documented IR runbook: detect, contain, eradicate, recover, learn. Affected customers are notified within 24 hours of confirmation. We publish a public postmortem within 7 days for any SEV-1 incident.

Do you support SSO and SCIM?

SSO via SAML 2.0 and OIDC is available on the Enterprise plan, along with SCIM 2.0 for automated provisioning. Custom RBAC and IP allowlists can be configured per tenant.

Talk to our security team

Whether you need audit reports, a custom DPA, or a vendor questionnaire filled in — we are happy to help.

security@askbooks.in · Response within one business day