
Updated On 6 Feb 2025
Security Policy
Privacy Practices
At Stack Wealth, security is not just a technical requirement but a fundamental pillar of our business philosophy. We understand that our clients entrust us with their most sensitive financial and personal information, and we take this responsibility with the utmost seriousness. Our comprehensive security framework is designed to protect client data, ensure platform integrity, and maintain the highest standards of cybersecurity across our dual business model.
Our security approach is built on the principle of defense in depth, implementing multiple layers of protection that work together to create a robust security ecosystem. This multi-layered approach ensures that even if one security control fails, multiple other controls remain in place to protect our clients' information and maintain service availability.
We recognize that security is an ongoing journey, not a destination. As cyber threats evolve and new vulnerabilities emerge, we continuously adapt and enhance our security measures to stay ahead of potential risks. Our security team works around the clock to monitor, detect, and respond to any security incidents, ensuring that our platform remains secure and trustworthy.
Keeping our customers’ data protected at all times is our highest priority. This document provides a high-level overview of the security practices we have put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at security@stackwealth.in.
We will never provide any part of your information to anyone unless you have consented to it. Please refer to our privacy policy for more information.
Infrastructure/Peripheral Security:
Amazon Web Services (AWS) Security Foundation: Our platform is built on Amazon Web Services (AWS), leveraging their world-class security infrastructure and compliance certifications. AWS provides the foundation for our security architecture with features including:
Network Security: AWS provides network-level security through Virtual Private Clouds (VPCs), security groups, network access control lists (NACLs), and AWS Shield for DDoS protection. Our network architecture is designed with multiple security zones and strict traffic filtering.
Infrastructure Security: AWS maintains the security of the underlying infrastructure, including servers, storage systems, and networking equipment. This shared responsibility model allows us to focus on application-level security while relying on AWS for infrastructure protection.
Data Security:
Encryption at Rest: All sensitive data stored in our systems is encrypted using industry-standard encryption algorithms:
Database Encryption: Client data stored in our databases is encrypted using AES-256 encryption with proper key management. Database encryption keys are managed separately from the data and are regularly rotated.
File System Encryption: All file systems containing sensitive data are encrypted using full-disk encryption. This ensures that data remains protected even if physical storage media are compromised.
Backup Encryption: All backup data is encrypted both during transmission and storage. Backup encryption keys are managed independently and stored in secure key management systems.
Encryption in Transit: All data transmitted between clients and our platform, as well as between our systems and third-party partners, is encrypted using strong encryption protocols:
TLS/SSL Encryption: All web traffic is encrypted using TLS 1.3 or higher, ensuring that data transmitted between clients and our platform cannot be intercepted or tampered with.
API Security: All API communications with partner systems use encrypted channels with mutual authentication and message integrity verification.
Internal Communications: Communications between internal systems are encrypted using secure protocols and authenticated using digital certificates.
Application Security:
Secure Development Lifecycle (SDLC): We implement a comprehensive secure development lifecycle that integrates security considerations into every phase of application development:
Security by Design: Security requirements are identified and incorporated during the design phase, ensuring that security controls are built into the application architecture rather than added as an afterthought.
Secure Coding Practices: Our development team follows secure coding standards and guidelines, including input validation, output encoding, proper error handling, and secure session management. Regular code reviews and static analysis tools help identify and remediate security vulnerabilities.
Security Testing: We conduct comprehensive security testing, including static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST). Penetration testing is performed regularly by independent security firms.
Vulnerability Management: We maintain a robust vulnerability management program that includes regular vulnerability scanning, risk assessment, and timely patching of identified vulnerabilities. Critical vulnerabilities are addressed immediately, while lower-risk issues are remediated according to established timelines.
System Breach Detection and Pen-Testing:
Our internal team, as well as external stakeholders, support us in undertaking periodic security and vulnerability testing/assessments, utilising standardised products for both manual and automated testing.
We have also engaged CERT-IN certified auditors to perform external testing and audits at regular intervals.
Standards and Compliance:
Our security policies and procedures are designed to comply with multiple regulatory frameworks that govern financial services in India:
SEBI Cybersecurity Guidelines: We adhere to the Securities and Exchange Board of India's cybersecurity and cyber resilience framework for market infrastructure institutions and intermediaries. This includes implementing robust cybersecurity policies, conducting regular security assessments, and maintaining incident response capabilities.
RBI Information Security Guidelines: As a financial services provider, we comply with the Reserve Bank of India's guidelines on information security, electronic banking, technology risk management, and outsourcing of financial services. These guidelines ensure that our technology infrastructure meets the highest standards of security and reliability.
Digital Personal Data Protection Act, 2023: Our security measures are designed to protect personal data in accordance with India's comprehensive data protection legislation, ensuring that client information is processed lawfully, fairly, and transparently.
Responsible Disclosure:
We are committed to keeping our users' data safe and secure. To uphold our users' trust, we have implemented the highest grade of security standards and perform vulnerability scans, conduct penetration tests, and apply security patches to our systems periodically.
Despite our best efforts, if you are a tech enthusiast or a researcher and identify a potential security vulnerability, we encourage you to report it responsibly by writing to us at security@stackfinance.co along with supporting screenshots/videos and the detailed steps required to reproduce the vulnerability.
We will make every effort to address and fix the issue within a reasonable time frame, and we request that you not disclose it publicly in the meantime.
Note: While we appreciate your effort, if the vulnerability has been used for unlawful gains, we might take legal action against you.
We will send you a response as soon as possible—usually within 3 days. Our response will indicate how we will proceed with your case. We will keep you informed of our progress.
Your report will be treated confidentially. Your personal data will not be shared with third parties except where we are under a legal obligation to do so. When communicating about the vulnerability, we will mention your name as the discoverer (if we have your permission). If you adhere to these guidelines, we will not take any legal action on this report.