
Built for the books a CA has to defend.

We host in Mumbai, encrypt everything, and audit every edit. Below is the full picture of how FinzBooks treats your financial data — without the marketing fluff.

Download our security whitepaper
Request DPA / SOC 2 letter
CERTIFICATIONS & POSTURE

Compliance, where it matters in India.

  • SOC 2: Type II · Ready
  • ISO 27001: In progress · Q3 2026
  • DPDP Act 2023: India · Compliant
  • AWS: Mumbai · ap-south-1
  • PCI-DSS: Via Razorpay
  • CERT-In: Empanelled pentest
HOW WE PROTECT YOUR DATA

Six things every CA asks. Six honest answers.

Encryption at rest and in transit

Every byte you store is encrypted on disk. Every request between your browser and our servers is encrypted in flight.

  • AES-256 at rest on RDS Postgres and S3
  • TLS 1.3 in transit, HSTS preloaded
  • Envelope encryption via AWS KMS, using customer-managed keys
  • Quarterly cryptographic posture review

Indian data residency, by default

Your books, your bills, your backups: all of it stays in ap-south-1 (AWS Mumbai). Nothing leaves India unless you explicitly export it.

  • RDS primary + multi-AZ replica, both Mumbai
  • S3 buckets configured with explicit region locks
  • Backups encrypted, 90-day retention, in-region
  • No cross-region replication, no failover outside India

Tenant isolation

Each customer's data lives in its own logical tenant. Every row carries a tenant_id and the database itself enforces that boundary, so a misfiring application query cannot leak you into someone else's GSTR.

  • Postgres row-level security policies keyed on tenant_id, enforced by the database on every query
  • Per-tenant S3 prefixes with bucket policy isolation
  • Connection pooling with mandatory tenant guard at the driver layer
  • Quarterly penetration test of the multi-tenancy boundary
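The tenant boundary described above, written out as an added worked example of Postgres row-level security. This is illustrative schema, not FinzBooks' own code: the table journal_entries, the role finz_app and the session variable app.tenant_id are assumed names, and PostgreSQL 11 or later is assumed.

```sql
-- Added illustration of Postgres row-level security keyed on tenant_id.
-- Assumed names: journal_entries, finz_app, app.tenant_id (not FinzBooks' schema).

CREATE TABLE journal_entries (
    id          bigserial     PRIMARY KEY,
    tenant_id   uuid          NOT NULL,
    posted_on   date          NOT NULL,
    narration   text          NOT NULL,
    amount_inr  numeric(14,2) NOT NULL
);

-- Enable RLS, and FORCE it so the table owner is subject to the policy as well.
ALTER TABLE journal_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE journal_entries FORCE ROW LEVEL SECURITY;

-- A row is visible (USING) or writable (WITH CHECK) only when its tenant_id
-- matches the tenant the connection has declared. If app.tenant_id was never set,
-- current_setting() raises "unrecognized configuration parameter"; if it was set
-- and later cleared it reads as '' and the uuid cast fails. Either way the query
-- errors instead of returning another tenant's rows: the guard fails closed.
CREATE POLICY tenant_isolation ON journal_entries
    USING      (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- The application role must not be a superuser or carry BYPASSRLS,
-- otherwise every policy on the table is silently skipped.
CREATE ROLE finz_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON journal_entries TO finz_app;
GRANT USAGE, SELECT ON SEQUENCE journal_entries_id_seq TO finz_app;

-- With a connection pool, declare the tenant using SET LOCAL inside the
-- transaction: it is discarded at COMMIT or ROLLBACK, so it cannot leak to the
-- next request that borrows the same pooled connection. A plain SET would persist.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO journal_entries (tenant_id, posted_on, narration, amount_inr)
VALUES ('11111111-1111-1111-1111-111111111111', '2025-04-01', 'Opening balance', 50000.00);

-- Writing a row for a different tenant is rejected by the WITH CHECK clause:
--   INSERT INTO journal_entries (tenant_id, posted_on, narration, amount_inr)
--   VALUES ('22222222-2222-2222-2222-222222222222', '2025-04-01', 'x', 1.00);
--   ERROR: new row violates row-level security policy for table "journal_entries"

-- Even "SELECT * FROM journal_entries" with no WHERE clause returns only this
-- tenant's rows; the filter is applied by the database, not by application code.
SELECT count(*) FROM journal_entries;
COMMIT;
```

The practical point for a pooled application: the "mandatory tenant guard at the driver layer" is the code that runs SET LOCAL at the start of every transaction; the policy above is what makes forgetting it an error rather than a data leak.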

Access control & audit trail

Role-based permissions, granular scopes, and a full audit log of every read and write. Your CA can prove who changed what, when, and against which source document.

  • Role-based access — Owner / Admin / Bookkeeper / CA Reviewer / Read-only
  • SSO/SAML on Growth+ (Google Workspace, Microsoft, Okta)
  • Audit log on every journal, with source-document hash
  • Lockable periods — no edits without an admin unlock
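The lockable periods and the per-journal audit trail from the list above, as an added example of enforcing both inside the database rather than only in application code. This is illustrative schema, not FinzBooks' own: journal_entries, locked_periods, journal_audit, the role finz_app and the session variable app.actor are assumed names, and PostgreSQL 11 or later is assumed.

```sql
-- Added illustration: database-enforced period lock and append-only audit trail.
-- All names here are assumptions for the example, not FinzBooks' schema.

CREATE TABLE journal_entries (
    id                bigserial     PRIMARY KEY,
    tenant_id         uuid          NOT NULL,
    posted_on         date          NOT NULL,
    narration         text          NOT NULL,
    amount_inr        numeric(14,2) NOT NULL,
    source_doc_sha256 char(64)                   -- hash of the uploaded bill/invoice
);

CREATE TABLE locked_periods (
    tenant_id    uuid NOT NULL,
    period_start date NOT NULL,
    period_end   date NOT NULL,
    locked_by    text NOT NULL,
    PRIMARY KEY (tenant_id, period_start)
);

CREATE TABLE journal_audit (
    audit_id          bigserial   PRIMARY KEY,
    tenant_id         uuid        NOT NULL,
    entry_id          bigint      NOT NULL,
    action            text        NOT NULL,      -- INSERT / UPDATE / DELETE
    actor             text        NOT NULL,
    at                timestamptz NOT NULL DEFAULT now(),
    source_doc_sha256 char(64),
    old_row           jsonb,
    new_row           jsonb
);

CREATE FUNCTION period_is_locked(p_tenant uuid, p_date date) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (SELECT 1 FROM locked_periods
                   WHERE tenant_id = p_tenant
                     AND p_date BETWEEN period_start AND period_end);
$$;

-- BEFORE trigger: reject any insert, update or delete whose old OR new posting
-- date falls in a locked period, whichever code path issued the statement.
-- "Admin unlock" is deleting the locked_periods row, a grant only admins hold.
CREATE FUNCTION enforce_period_lock() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF TG_OP IN ('UPDATE', 'DELETE') AND period_is_locked(OLD.tenant_id, OLD.posted_on) THEN
        RAISE EXCEPTION 'period containing % is locked', OLD.posted_on USING ERRCODE = 'check_violation';
    END IF;
    IF TG_OP IN ('INSERT', 'UPDATE') AND period_is_locked(NEW.tenant_id, NEW.posted_on) THEN
        RAISE EXCEPTION 'period containing % is locked', NEW.posted_on USING ERRCODE = 'check_violation';
    END IF;
    RETURN COALESCE(NEW, OLD);   -- NEW is NULL on DELETE
END $$;

-- AFTER trigger: record who did what, with before/after images and the source
-- document hash. current_setting('app.actor') raises if the application never
-- declared the acting user, so an unattributed write fails instead of going unlogged.
CREATE FUNCTION audit_journal() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO journal_audit (tenant_id, entry_id, action, actor, source_doc_sha256, old_row, new_row)
    VALUES (COALESCE(NEW.tenant_id, OLD.tenant_id),
            COALESCE(NEW.id, OLD.id),
            TG_OP,
            current_setting('app.actor'),
            COALESCE(NEW.source_doc_sha256, OLD.source_doc_sha256),
            to_jsonb(OLD), to_jsonb(NEW));
    RETURN NULL;                 -- the result of an AFTER row trigger is ignored
END $$;

CREATE TRIGGER journal_entries_lock
    BEFORE INSERT OR UPDATE OR DELETE ON journal_entries
    FOR EACH ROW EXECUTE FUNCTION enforce_period_lock();

CREATE TRIGGER journal_entries_audit
    AFTER INSERT OR UPDATE OR DELETE ON journal_entries
    FOR EACH ROW EXECUTE FUNCTION audit_journal();

-- The application role may read locks and append to the trail, never rewrite it:
-- no UPDATE, DELETE or TRUNCATE on journal_audit is granted.
GRANT SELECT ON locked_periods TO finz_app;
GRANT SELECT, INSERT ON journal_audit TO finz_app;
GRANT USAGE, SELECT ON SEQUENCE journal_audit_audit_id_seq TO finz_app;
```

Two caveats a reviewer would raise: locked_periods and journal_audit need the same tenant_id row-level security policy as the journal itself, or an audit query becomes the cross-tenant read the rest of the design prevents; and the source_doc_sha256 value only proves integrity if the application computes it from the stored object at upload time and the audit row is never updatable afterwards.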

AI without giving your data away

Our extraction model runs inside our VPC on Mumbai-region GPUs. No third-party LLM sees your documents, and nothing learned from your corrections is ever shared with another tenant.

  • No OpenAI, no Anthropic, no Gemini at the document layer
  • Vision + extraction model self-hosted on AWS
  • Per-tenant corrections never affect another customer's model
  • Opt-out of any model improvement entirely (Growth+)

Operational maturity

The boring stuff that catches problems before you do: monitoring, alerting, on-call, change management.

  • 24/7 paging on revenue-impacting incidents
  • Public status page · 99.9% uptime SLA on Growth+
  • Quarterly DR drills with documented RTO/RPO
  • Annual third-party penetration test (CERT-In empanelled)
RESPONSIBLE DISCLOSURE

Found a vulnerability? We'd like to know.

We run a private bug bounty programme. We respond to verified reports within 48 hours, ship a fix within the severity-based timeline below, and pay bounties up to ₹2,00,000 for critical issues. Hall of Fame published quarterly.

Email security@finzbooks.com (PGP key available)

Fix SLA targets by severity:

  • Critical: fix in 24 hours
  • High: fix in 7 days
  • Medium: fix in 30 days
  • Low: next release
READY WHEN YOU ARE

Stop running your books on a Saturday.

14-day free trial, no credit card. Migration from Tally or Zoho is on us.