Security
How we protect your data
Our Commitment
At Kaarta, security is foundational to everything we build. We handle sensitive financial data for businesses, and we take that responsibility seriously. Our platform is designed with security-first principles at every layer.
Multi-Tenant Data Isolation
Every piece of data in Kaarta is associated with a specific business. Our architecture enforces strict tenant isolation:
- All database tables include business identifiers
- The API layer validates the user's access permissions before processing any request
- Users can access only the businesses in which they hold explicit membership
Authentication & Access Control
Secure Authentication
- Passwords are hashed using bcrypt with appropriate cost factors
- Short-lived access tokens (15 minutes) minimize the exposure window if a token is leaked
- Long-lived refresh tokens (30 days) enable seamless re-authentication
- Refresh tokens are stored as secure hashes and can be revoked instantly
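As an added illustration, not Kaarta's own code, here is how a refresh-token store with the properties listed above can be built: the table keeps only a SHA-256 digest of each token, access tokens expire after 15 minutes, refresh tokens after 30 days, and revocation is a single flag flip. The class name, the in-memory table standing in for the database, and the rotate-on-use step (each refresh token is consumed when redeemed) are assumptions that go beyond what the page states.

```python
import hashlib
import secrets

ACCESS_TTL = 15 * 60           # 15-minute access tokens, as stated on the page
REFRESH_TTL = 30 * 24 * 3600   # 30-day refresh tokens, as stated on the page


class RefreshTokenStore:
    """Hypothetical store: only digests of refresh tokens are persisted,
    so a database leak does not yield usable tokens."""

    def __init__(self):
        # digest -> {"user": user_id, "expires": unix_time, "revoked": bool}
        self._rows = {}

    @staticmethod
    def _digest(token):
        # Tokens carry 256 bits of entropy, so an unsalted SHA-256 is a
        # one-way index that cannot be brute-forced back to the token.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)  # raw token goes to the client only
        self._rows[self._digest(token)] = {
            "user": user_id, "expires": now + REFRESH_TTL, "revoked": False}
        return token

    def refresh(self, token, now):
        """Redeem a refresh token. Returns None if unknown, revoked or expired;
        otherwise consumes it (rotation) and returns a new token pair."""
        row = self._rows.get(self._digest(token))
        if row is None or row["revoked"] or now >= row["expires"]:
            return None
        row["revoked"] = True  # rotate: a replayed copy is now useless
        return {
            "user": row["user"],
            "access_expires": now + ACCESS_TTL,
            "refresh_token": self.issue(row["user"], now),
        }

    def revoke_all(self, user_id):
        """Instant revocation (e.g. 'log out everywhere'): flip the flag on
        every token still marked live for the user. Returns the count."""
        count = 0
        for row in self._rows.values():
            if row["user"] == user_id and not row["revoked"]:
                row["revoked"] = True
                count += 1
        return count
```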
Role-Based Access
Business owners control who has access to their data. Each user is assigned a role that determines their permissions within the organization:
- Owner: Full access - can manage users, settings, and all data
- Accountant: View and export access
- Viewer: Read-only access
Data Encryption
Encryption in Transit
All data transmitted to and from Kaarta is encrypted using TLS 1.2+. We enforce HTTPS for all connections.
Encryption at Rest
All database storage is encrypted at rest using AES-256 encryption provided by AWS RDS. Backups are similarly encrypted.
Infrastructure Security
- Hosted on AWS enterprise-grade cloud infrastructure (Mumbai region)
- Database and cache services run in private subnets, not directly accessible from the internet
- Regular security patches and updates
- Automated backups with point-in-time recovery
- Structured logging and monitoring for security events
Responsible Disclosure
We value the security research community. If you discover a security vulnerability in Kaarta, please report it responsibly to security@kaarta.in. We commit to:
- Acknowledging receipt within 48 hours
- Providing regular updates on our investigation
- Not pursuing legal action against good-faith researchers
- Crediting researchers who help us improve (with permission)
Questions?
For security-related inquiries, contact us at security@kaarta.in.