Security

Epifi Technologies Private Limited (epiFi or Company) is a fintech company providing financial solutions and services. We believe that our customers (You) should remain convinced their data is in safe hands. This page speaks about our security practices and how we maximise the safety of your data.

We aim for the highest standards of safety, security and confidentiality when using your data. This policy also describes how we securely collect and preserve your information.
TL;DR: We have deployed state-of-the-art infrastructure audited by industry experts to ensure maximum security of your data. Here are the details for each section:

Cloud Infrastructure
Host Security
Data Security
Incident and Change Management
Vulnerability Assessment and Penetration Testing
Responsible Disclosure

Cloud Infrastructure ☁️

We host our website on Amazon Web Services (AWS), which provides a secure and scalable technology platform.

Our infrastructure is launched in compliance with AWS' Well-Architected Framework and incorporates best practices from the AWS Cloud Adoption Framework from the security perspective.

All communication between the Platform and our servers stays protected via the 2048-bit encrypted HTTPS protocol. Anyone or anything, including a supercomputer, that attempts to pry may take years to find the decryption combination by trial and error.

We use HTTPS protocol for our website and mobile applications (referred to as "Platform"). It lets us securely transmit sensitive data over the internet.

To improve cybersecurity, we also have strict network segmentation and isolation of environments and services in place. Translation: during untoward scenarios, we can limit the impact to tiny sections while the overall system remains unaffected.

Host Security 🔒

We use industry-leading solutions around anti-virus, anti-malware, intrusion prevention systems, and intrusion detection systems. We also apply the same standards for file integrity monitoring, application control, application and audit log aggregation, and automated patching.

All our servers are secured and hardened as per the Center for Internet Security (CIS) Benchmarks.

Data Security 💾

The user log-in is based on two-factor authentication on the Fi website and mobile application. All user data and internally stored data is encrypted at rest and in transit. Sensitive data is encrypted at the application level in addition to Transport Layer Security (TLS).

We employ separation of environments, network segregation, segregation of duties, and strict role-based access control on a documented, authorised & need-to-use basis.

We use key management services to limit access to information, except for the data team.

We only use anonymised and aggregated data for internal analytics and business intelligence purposes.

We use data replication for data resiliency and disaster recovery, snapshotting for data durability, and backup/restore testing for data reliability.

Incident and Change Management 🔄

We have deployed mature processes around change management, enabling us to release thoroughly tested features for you both reliably and securely.

We take a very aggressive stance on incident management, for both systems downtime and the Security and Network Operations Center. We have an Information Security Management System that quickly reacts to, remediates or escalates any incidents arising out of planned or unplanned changes.

Vulnerability Assessment and Penetration Testing ✍️

We have an in-house network security team which uses industry-leading products to conduct manual and automated Vulnerability Assessment and Penetration Testing activities.

We employ both static application security testing and dynamic application security testing. Both are incorporated into our continuous integration / continuous deployment pipeline.

We will bring in auditors certified by the Computer Emergency Response Team (CERT-In) to do periodic external testing and audits.

Responsible Disclosure ✔️

All of us at Epifi (Epifi Technologies Private Limited) are committed to our users' data and privacy.

We blend security at multiple steps within our products with state-of-the-art technology to ensure our systems maintain strong security measures.

The overall data and privacy security design allows us to defend our systems from various attacks.

You can submit a bug report to us at security@fi.money with the detailed steps required to reproduce the vulnerability.

We shall make our best efforts to investigate and fix legitimate issues within a reasonable time frame, and we request that you do not disclose them publicly.

Please refer to our Privacy Policy for more information.
