This policy describes the security programme TraCarta India Private Limited operates to protect the platform, the data processed within it, and the people who rely on it. It is designed to support the reasonable safeguards expected of a Data Fiduciary and Data Processor under the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025.
This policy describes the controls we apply to the TraCarta platform, the supporting cloud infrastructure, our corporate systems, and the data we process within each of these environments. It applies to all TraCarta employees, contractors, and third parties who have access to our systems or data.
This policy is a summary. It is written to help customers, auditors, and partners understand how we think about security at a programme level. Specific controls, tools, and procedural detail are documented in our internal policies, which are available under confidentiality to prospective customers on request.
Security at TraCarta is owned by a dedicated security function, accountable to the leadership team. Ownership of specific areas — such as infrastructure, application security, data protection, and incident response — is assigned to named individuals who are responsible for defining controls, verifying implementation, and reporting on effectiveness.
Our information security programme is governed by a set of internal policies covering acceptable use, access management, cryptography, change management, incident response, vendor risk, and personnel security. Policies are reviewed at least annually, or whenever a material change in the business or the threat landscape warrants it.
We maintain a risk register that captures information security risks, their likelihood and impact, the controls in place, and any residual exposure. The register is reviewed regularly by our security and leadership teams, and informs where we invest in additional controls.
Our approach to data protection is layered. No single control is sufficient on its own.
All traffic between customer devices, the TraCarta platform, and our supporting services is encrypted in transit using industry-standard transport encryption. Connections use up-to-date cipher suites, and older protocols are disabled.
Customer data stored within the platform — including databases, object storage, and backups — is encrypted at rest using strong, industry-standard algorithms. Encryption keys are managed through a dedicated key-management service with strict access controls, rotation, and audit logging.
Customer data is logically separated and scoped to each customer's tenant. Platform components apply per-tenant access controls so that one customer's data cannot be read, modified, or enumerated by another.
We maintain regular, encrypted backups of critical data, stored in geographically separate locations within the approved processing region. Backup integrity is tested on a defined cadence, and we run restoration exercises to validate that recovery objectives can be met in practice. Confirm with counsel
The TraCarta platform runs on infrastructure provided by established cloud service providers that themselves operate under internationally recognised certifications. We use the security primitives these providers offer, and layer our own controls on top.
Production, staging, and corporate environments are isolated from each other. Access between environments is limited to defined, authenticated paths. Public exposure is limited to the endpoints necessary to serve the platform and our websites.
Internet-facing endpoints are protected by web application firewalls and rate-limiting to defend against common attack patterns. Denial-of-service protection is provided through our cloud service provider's standard offering. Confirm with counsel
Employee endpoints that access production or sensitive systems are enrolled in a central device management solution. They must meet a minimum baseline — including disk encryption, screen lock, current operating system patches, and endpoint protection — before they are permitted to connect.
Access to systems that process customer data follows the principle of least privilege. Each person receives the minimum access needed for their role, and access is reviewed on a defined cadence.
Access to the platform and to our internal systems requires strong authentication. Multi-factor authentication is mandatory for administrative access, for access to production systems, and for access to systems holding customer or personal data.
Roles within the platform are defined to align with common finance-organisation structures. Our customers can map their own users to roles that reflect their internal separation of duties. Administrative actions within the platform are logged and attributable to a named individual.
Access is provisioned when a role starts and is updated when a role changes. Access is revoked promptly on termination. Access reviews are conducted at a defined frequency, with remediation tracked through to closure.
Our engineers follow a secure development lifecycle. Code is developed in version-controlled repositories, subject to peer review, and protected by automated static analysis and dependency scanning. We maintain secure coding guidelines aligned with industry standards.
Changes to production are released through an automated pipeline that enforces review, testing, and approval before deployment. Emergency changes follow an expedited process that still requires attribution, review, and post-release verification.
We monitor for vulnerabilities in our code, our dependencies, and our infrastructure. Identified vulnerabilities are triaged against defined severity criteria and remediated within service-level targets that scale with severity.
We engage qualified, independent third parties to perform penetration tests of the platform on a periodic basis, and after significant architectural changes. Findings are tracked to remediation. Summary reports are made available under confidentiality to prospective customers on request. Confirm with counsel
We centralise logs from the platform, supporting infrastructure, and key corporate systems into a monitoring and detection capability. Logs are retained for a defined period sufficient to support investigation, compliance, and customer reporting needs. Confirm with counsel
Detections cover common threat patterns — including unusual authentication behaviour, suspicious administrative activity, and known indicators of compromise. Alerts are routed to responders who are on-call twenty-four hours a day, seven days a week, with defined escalation paths.
We maintain a documented incident response plan that defines roles, classification criteria, communication responsibilities, and post-incident review steps. The plan is exercised at least annually.
In the event of a personal data breach, we will notify affected customers and the Data Protection Board of India in accordance with the timelines and form prescribed under the DPDP Rules. For customer-facing operational incidents, we maintain status-communication channels and will provide updates at a cadence appropriate to the severity of the incident. Confirm with counsel
After every significant incident, we conduct a structured post-incident review focused on timeline, root cause, and durable improvements. Findings feed back into our controls, our monitoring, and our runbooks.
The platform is architected for resilience. Critical components are deployed across multiple availability zones within the approved processing region to tolerate the loss of a single zone without service interruption.
We maintain a business continuity and disaster recovery plan that defines our recovery point and recovery time objectives for critical services. These objectives are tested periodically to verify that the plan is effective in practice. Confirm with counsel
We apply risk-based due diligence to third-party vendors and sub-processors who handle our data or operate within our infrastructure. Due diligence considers the sensitivity of data involved, the security posture of the vendor, and the contractual protections in place.
All material sub-processors are bound by written agreements that require them to apply security controls at least equivalent to those in this policy, and to notify us of incidents affecting our data. A current list of sub-processors is maintained by our legal and security teams and is available on request under confidentiality.
Personnel with access to customer data or production systems are subject to background verification as permitted by Applicable Law, before access is granted.
All personnel and contractors are bound by confidentiality obligations that survive the end of their engagement.
All personnel complete security and data-protection training on joining and at least annually thereafter. Role-specific training — for example, for engineers, for finance-domain specialists, and for customer-facing staff — supplements the baseline where warranted.
We operate our security programme in alignment with recognised industry frameworks and are pursuing third-party certification in line with customer expectations in our segment. Confirm with counsel
Summary audit reports, security questionnaires, and executive summaries of penetration tests are made available to prospective and existing customers on request, under confidentiality. Contact legal@tracarta.in to request documentation.
We welcome reports of potential security issues from researchers, customers, and the wider community. If you believe you have found a vulnerability in TraCarta's platform, websites, or infrastructure, please let us know.
Report issues to legal@tracarta.in with the subject line Security Report. Include enough detail for us to reproduce and assess the issue. We will acknowledge receipt, investigate in good faith, and keep you informed of our progress. We ask that you give us a reasonable opportunity to investigate and remediate before disclosing an issue publicly.
We do not currently operate a paid bug bounty programme, but we are grateful for responsible disclosure and will recognise reporters where they would like to be recognised. Confirm with counsel
For questions about our security programme or to request documentation, please contact us:
For security-related questions, vulnerability disclosures, and due-diligence documentation requests.