Security

How we protect your data

Our Commitment

At Kaarta, security is foundational to everything we build. We handle sensitive financial data for businesses, and we take that responsibility seriously. Our platform is designed with security-first principles at every layer.

Multi-Tenant Data Isolation

Every piece of data in Kaarta is associated with a specific business. Our architecture enforces strict tenant isolation:

  • All database tables include business identifiers
  • API layer validates user access permissions before processing any request
  • Users can only access businesses they have explicit membership in

Authentication & Access Control

Secure Authentication

  • Passwords are hashed using bcrypt with appropriate cost factors
  • Short-lived access tokens (15 minutes) minimize exposure window
  • Long-lived refresh tokens (30 days) enable seamless re-authentication
  • Refresh tokens are stored only as hashes (never in plaintext) and can be revoked instantly
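The token lifecycle described above, as an added illustration that is not Kaarta's own code. It assumes an HMAC-SHA256-signed, self-contained access token (the page does not say which format Kaarta uses) and a refresh-token table that stores only a SHA-256 digest of each random token, so the raw token exists only on the client and a copy of the table cannot be replayed. The 15-minute and 30-day lifetimes are the ones stated on the page; the signing key, user ids and clock values are constructed for the example, and password hashing (bcrypt on the page) is not covered here.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Lifetimes stated on the page: 15-minute access tokens, 30-day refresh tokens.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 30 * 24 * 60 * 60

# Server-side signing key (constructed here; a deployment loads it from a
# secrets manager, never from source).
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, now: float) -> str:
    """Short-lived self-contained token: <payload>.<HMAC-SHA256 signature>."""
    payload = _b64(json.dumps({"sub": user_id, "exp": int(now + ACCESS_TTL)}).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_access_token(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims["exp"] <= now:
        return None
    return claims


def hash_refresh_token(raw: str) -> str:
    """Only this digest is persisted; the raw token is handed to the client once."""
    return hashlib.sha256(raw.encode()).hexdigest()


class RefreshTokenStore:
    """In-memory stand-in for the refresh-token table: digest -> row."""

    def __init__(self) -> None:
        self._rows: dict = {}

    def issue(self, user_id: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._rows[hash_refresh_token(raw)] = {
            "user_id": user_id, "expires_at": now + REFRESH_TTL, "revoked": False}
        return raw

    def redeem(self, raw: str, now: float) -> Optional[str]:
        """Exchange a live refresh token for its user id; None if unknown, revoked or expired."""
        row = self._rows.get(hash_refresh_token(raw))
        if row is None or row["revoked"] or row["expires_at"] <= now:
            return None
        return row["user_id"]

    def revoke(self, raw: str) -> bool:
        row = self._rows.get(hash_refresh_token(raw))
        if row is None:
            return False
        row["revoked"] = True
        return True

    def revoke_all_for_user(self, user_id: str) -> int:
        """Instant sign-out everywhere: flag every live row for the user."""
        count = 0
        for row in self._rows.values():
            if row["user_id"] == user_id and not row["revoked"]:
                row["revoked"] = True
                count += 1
        return count


def demo() -> dict:
    """Walk the lifecycle with a fixed clock so every outcome is deterministic."""
    t0 = 1_700_000_000.0  # constructed timestamp
    store = RefreshTokenStore()
    access = issue_access_token("u1", t0)
    payload, sig = access.split(".", 1)
    tampered = ("B" if payload[0] != "B" else "C") + payload[1:] + "." + sig
    refresh = store.issue("u1", t0)
    results = {
        "access_valid_now": verify_access_token(access, t0 + 60) is not None,
        "access_expired": verify_access_token(access, t0 + ACCESS_TTL + 1) is None,
        "tampered_rejected": verify_access_token(tampered, t0) is None,
        "refresh_ok": store.redeem(refresh, t0 + 86_400) == "u1",
    }
    store.revoke(refresh)
    results["refresh_revoked"] = store.redeem(refresh, t0) is None
    store.issue("u1", t0)
    store.issue("u1", t0)
    results["revoke_all_count"] = store.revoke_all_for_user("u1")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of splitting the two token kinds is that the access token needs no database lookup (cheap to verify, but unrevocable, hence the 15-minute window), while the refresh token is checked against the table on every use, which is what makes instant revocation possible.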

Role-Based Access

Business owners control who has access to their data. Each user is assigned a role that determines their permissions within the organization:

  • Owner: Full access - can manage users, settings, and all data
  • Accountant: View and export access
  • Viewer: Read-only access
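The two controls above, tenant isolation (Multi-Tenant Data Isolation) and role-based permissions (this section), as one added example that is not Kaarta's own code. It assumes a SQLite schema constructed for the example, in which every tenant-owned table carries a business_id column and a memberships table maps users to businesses with one of the three roles listed on the page; the action names, table names and sample rows are this example's own.

```python
import sqlite3
from typing import List, Optional

# Roles as listed on the page; the action vocabulary is this example's assumption.
ROLE_PERMISSIONS = {
    "owner": {"read", "export", "write", "manage_users", "manage_settings"},
    "accountant": {"read", "export"},
    "viewer": {"read"},
}


class Forbidden(Exception):
    """Raised when a request fails the membership or role check."""


def open_db() -> sqlite3.Connection:
    """Constructed schema and sample data: every tenant-owned row has a business_id."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE memberships (
            user_id TEXT NOT NULL, business_id TEXT NOT NULL, role TEXT NOT NULL,
            PRIMARY KEY (user_id, business_id));
        CREATE TABLE invoices (
            id INTEGER PRIMARY KEY, business_id TEXT NOT NULL, amount INTEGER NOT NULL);
        INSERT INTO memberships VALUES ('alice', 'biz-1', 'owner'),
                                       ('bob',   'biz-1', 'viewer'),
                                       ('carol', 'biz-2', 'accountant');
        INSERT INTO invoices (business_id, amount) VALUES
            ('biz-1', 100), ('biz-1', 250), ('biz-2', 999);
    """)
    return db


def role_for(db: sqlite3.Connection, user_id: str, business_id: str) -> Optional[str]:
    row = db.execute(
        "SELECT role FROM memberships WHERE user_id = ? AND business_id = ?",
        (user_id, business_id)).fetchone()
    return row[0] if row else None


def authorize(db: sqlite3.Connection, user_id: str, business_id: str, action: str) -> str:
    """Explicit membership first, then the role's permission set; raise Forbidden otherwise."""
    role = role_for(db, user_id, business_id)
    if role is None:
        raise Forbidden(f"{user_id} is not a member of {business_id}")
    if action not in ROLE_PERMISSIONS[role]:
        raise Forbidden(f"role {role} may not {action}")
    return role


def can(db: sqlite3.Connection, user_id: str, business_id: str, action: str) -> bool:
    """Boolean form of authorize() for callers that prefer a decision to an exception."""
    try:
        authorize(db, user_id, business_id, action)
        return True
    except Forbidden:
        return False


def list_invoices(db: sqlite3.Connection, user_id: str, business_id: str) -> List[int]:
    """Tenant-scoped read: the WHERE clause always includes business_id, taken from
    the authorized context, so another tenant's rows can never be returned."""
    authorize(db, user_id, business_id, "read")
    return [amount for (amount,) in db.execute(
        "SELECT amount FROM invoices WHERE business_id = ? ORDER BY id", (business_id,))]


def get_invoice(db: sqlite3.Connection, user_id: str, business_id: str,
                invoice_id: int) -> Optional[int]:
    """Look up by id AND business_id: an id that belongs to another business is
    simply not found, which is what closes cross-tenant object access."""
    authorize(db, user_id, business_id, "read")
    row = db.execute(
        "SELECT amount FROM invoices WHERE id = ? AND business_id = ?",
        (invoice_id, business_id)).fetchone()
    return row[0] if row else None


def export_invoices(db: sqlite3.Connection, user_id: str, business_id: str) -> str:
    """Export requires the accountant or owner role, not just viewer."""
    authorize(db, user_id, business_id, "export")
    return ",".join(str(a) for a in list_invoices(db, user_id, business_id))


if __name__ == "__main__":
    conn = open_db()
    print(list_invoices(conn, "alice", "biz-1"))        # [100, 250]
    print(get_invoice(conn, "alice", "biz-1", 3))       # None: invoice 3 is biz-2's
    print(can(conn, "bob", "biz-1", "export"))          # False: viewer is read-only
```

The two checks are deliberately layered: authorize() answers "may this user act on this business at all", and the business_id predicate on every query answers "which rows", so forgetting one does not silently widen the other.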

Data Encryption

Encryption in Transit

All data transmitted to and from Kaarta is encrypted using TLS 1.2+. We enforce HTTPS for all connections.

Encryption at Rest

All database storage is encrypted at rest using AES-256 encryption provided by AWS RDS. Backups are similarly encrypted.

Infrastructure Security

  • Hosted on AWS enterprise-grade cloud infrastructure (Mumbai region)
  • Database and cache services run in private subnets, not directly accessible from the internet
  • Regular security patches and updates
  • Automated backups with point-in-time recovery
  • Structured logging and monitoring for security events

Responsible Disclosure

We value the security research community. If you discover a security vulnerability in Kaarta, please report it responsibly to security@kaarta.in. We commit to:

  • Acknowledging receipt within 48 hours
  • Providing regular updates on our investigation
  • Not pursuing legal action against good-faith researchers
  • Crediting researchers who help us improve (with permission)

Questions?

For security-related inquiries, contact us at security@kaarta.in.