Data Security

Last updated: March 2026

Your financial data is the most sensitive information your business has. We treat it with the highest level of care. Here is exactly how we protect it.

Infrastructure

  • Hosted on AWS Mumbai Region (ap-south-1) — data stays in India
  • SSL/TLS encryption on all connections (HTTPS enforced)
  • UFW firewall — only ports 22, 80, 443 accessible
  • HSTS headers with 1-year max-age
  • Nginx reverse proxy with security headers

Encryption

  • All data encrypted in transit (TLS 1.2+)
  • Passwords hashed with bcrypt (12 rounds) — never stored in plain text
  • JWT tokens with short expiry for session management
  • API keys and secrets stored in environment variables, not in code

Access Controls

  • 4-tier role hierarchy: Admin → CFO → Manager → Accountant
  • Managers and Accountants see only their assigned companies
  • Client portal users restricted to their own company data
  • SSH key-only server access (no password authentication)
  • All API endpoints authenticated and role-checked

Backups & Recovery

  • Automated daily database backups at 2:00 AM IST
  • 7-day backup retention with point-in-time recovery
  • Backups stored separately from application server
  • Recovery tested periodically

Audit & Monitoring

  • Complete audit trail on every data action (create, update, delete, approve, post)
  • Audit logs include timestamp, user, IP address, and action details
  • Audit logs are immutable — cannot be modified or deleted
  • Server access logs maintained

Personnel Security

  • All Rizu team members sign NDAs before accessing client systems
  • Background verification for all accounting personnel
  • Minimal access principle — staff access only assigned client data
  • Immediate access revocation on team member departure
  • Regular security awareness training

Incident Response

  • Dedicated incident response procedure
  • Client notification within 24 hours of confirmed data breach
  • Root cause analysis and remediation report provided
  • Affected data identified and clients informed of impact
  • Post-incident security review and process improvement

Data Residency

  • All data stored exclusively in India (AWS Mumbai)
  • No data transferred outside Indian borders
  • Indian law governs all data processing
  • Compliant with IT Act 2000 and IT Rules 2011
  • Ready for Digital Personal Data Protection Act 2023 compliance

Client Data Ownership

  • You own 100% of your data — Rizu claims no ownership
  • Full data export available anytime (CSV, Excel, PDF, Tally-compatible)
  • Data provided within 7 business days of termination request
  • Statutory data retained for 8 years per Indian law, then permanently deleted
  • Non-statutory data deleted within 90 days of termination

Third-Party Services

  • Razorpay (payments) — PCI DSS Level 1 certified, processes billing only
  • Resend (email) — processes email addresses only, no financial data
  • GSTN / TRACES (government) — statutory data shared only for filing
  • Zoho Books (optional sync) — OAuth2 authorised, read-only access, revocable anytime
  • Tally Connector — runs locally on your machine, data transmitted over HTTPS only
  • No third party has access to your complete financial records
  • All third parties are Indian or have Indian data processing capabilities

Questions about security?

Contact us at hello@rizu.digital with subject "Security Query". We respond within 24 hours.