Security & Trust

Isolation, encryption, governance and audit—built for Indian CA firms.

Isolation

Tenant→client scoped roles, least-privilege defaults, strong session controls, audit logging.

Data in motion & at rest

HTTPS/TLS for all endpoints. Presigned uploads. Provider-managed encryption at rest.

Operational readiness

Backups & DR, monitoring & alerting, vendor due diligence, change management.

Identity & Access Management

Role-based access

Tenant admin, staff, reviewer and client roles. Granular permissions for upload, review, export, and settings.

Least privilege

Conservative defaults; sensitive actions gated by explicit grants and session re-auth.

Session controls

Short session lifetimes, device sign-out, IP anomaly notifications and optional 2FA.

Data Security

Encryption

HTTPS/TLS for all traffic; presigned short-lived URLs for uploads; data encrypted at rest by cloud storage.

Data lifecycle

Configurable retention, verified deletion workflows, and access on a need-to-know basis with logs.

Customer control

Export on demand (CSV/Excel/JSON); role-scoped audit logs available to tenant admins.

Application Security

Secure SDLC

Peer review, dependency scanning and environment separation for dev/stage/prod.

Input validation

Validation at source for GSTIN/HSN/file types; rate limits and size caps for uploads.

Vulnerability handling

Regular patching cadence and coordinated disclosure at security@ca-copilot.com.

Operations

Monitoring & alerting

Centralized telemetry for uptime, errors and access anomalies with paging for critical events.

Backups & DR

Daily backups with periodic restore tests; DR runbooks and RTO/RPO targets per tier.

Third-party risk

Vendor assessment for critical subprocessors; contracts include security & confidentiality obligations.

Security Policy

This policy summarizes the technical and organizational measures we adopt to protect your data. It aligns with best practices for Indian CA firms handling GST and accounting data.

Access Control

Data Handling

Operational Security

Incident Response

Shared Responsibility

We secure the platform; firms should enforce good identity hygiene (strong passwords/2FA), manage client user access, and review audit logs periodically.

Policy Version: 1.1 • Last Updated: 2025-11-01 • Contact: info@ca-copilot.com