Stack security policy cover image

Security Policy

Security policy

Privacy Practices

Keeping our customers’ data protected at all times is our highest priority. This security overview provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at

We will never provide any part of your information to anyone unless consented by the user. Please refer to our privacy policy for more information

Infrastructure/Peripheral Security:

Stack’s infrastructure is based on Amazon Web Services (AWS). We have robust and scalable multi-level architecture using the most secure services of AWS. Our infrastructure strictly follows the AWS Well-Architected Framework, making stack most secure, high-performing, resilient, and efficient.

All of our servers are kept under Virtual Private Cloud (VPC) and environments are isolated using sub-netting. The servers are physically located in the AWS Asia Pacific Region (India).

We have a ‘Network and Application Firewall’ in place and have implemented industry best practices like OWASP guidelines to make it secure. We have also deployed the latest version of ModSecurity on Web Application Firewall, to mitigate new immersing attacks on public applications.

Distributed Denial-of-Service (DDoS) attacks are prevented using the multi-level defence firewalls.

Data Security:

All users' data is managed in the encrypted format at all times. This encryption on data is applied at both in-transit and in-rest.

The transmission of data is encrypted by a bank-grade TLS encryption algorithm, which helps in protecting users' data from Man-in-the-middle and eavesdropping attacks.

At the data storage level, we are conscious of data atomicity, data consistency, data integrity, and durability of the data. We have also enabled activity logging and auditing for swift intrusion detection into the system. We utilise data replication for data resiliency and disaster recovery as well as backup testing for data reliability.

Additionally, multi-level role-based access control is implemented to secure users' data. Internally, we limit the access of development server through bundling identity management and secured multi-tunnel private VPN channels.

Fore more information, please check the privacy policy.

Application Security:

We have implemented strict password policy and a mandatory Two-Factor Authentication (2FA) protocol for user login. Additionally, location-based security control is also incorporated to restrict unauthorised access to the application.

All data transfers back and forth needs to pass through our data validation layer to protect the application from the malicious code injections.

System Breach Detection and PEN-Testing:

Our internal team as well as external stakeholders support us in undertaking periodic security and vulnerability testing/ assessments, utilising standardised products for both manual and automated testing.

We have also engaged CERT-IN certified auditors for performing external testing and audits at regular intervals.

Standards and Compliance's:

We have implemented the laid out compliance requirements and standards by the National Payment Corporation of India (NPCI) for the Bharat Bill Payment System (BBPS). We are also compliant to the “Data Localisation” requirements as per the guidelines of the Reserve Bank of India (RBI).

Responsible Disclosure:

We are committed to keeping our users' data safe and secure. Keeping up with our users' trust, we have implemented the highest grade of security standards and perform vulnerability scans, conduct penetration tests, and apply security patches to our systems periodically.

Despite our best efforts, if you're a tech enthusiast or a researcher and identify any potential security vulnerability issue, we encourage you to report the same responsibly by writing to us at along with supporting screenshots/videos and detailed steps required to reproduce the vulnerability.

We shall put in our best efforts to address and fix the issue within a reasonable time frame, requesting you not to disclose it publicly in the meantime.

Note: While we appreciate your effort, if the vulnerability has been used for unlawful gains, we might take legal action against you.

We will send you a response as soon as possible—usually within 3 days. Our response will indicate how we will proceed with your case. We will keep you informed of our progress.

Your report will be treated confidentially. Your personal data is not usually shared with third parties, the exception to this being a legal obligation. When communicating about the vulnerability, we will mention your name as the discoverer (if we have your permission). If you adhere to these guidelines, we will not take any legal action on this report.