Sign Up

Data Protection & Security

Last Updated: January 6, 2026

1. Our Commitment to Data Protection

At Rupiya, protecting your financial data is our highest priority. We implement military-grade security measures that exceed industry standards to ensure your information remains confidential, secure, and protected from unauthorized access.

🔐 Zero-Knowledge Architecture

We have designed our system so that we cannot access your sensitive financial data even if we wanted to. Your data is encrypted with keys that only you possess, ensuring complete privacy.

2. End-to-End Encryption

2.1 Military-Grade AES-256 Encryption

Your financial data is protected with the same encryption used by banks and government agencies. We implement AES-256 encryption, which is virtually unbreakable and would take billions of years to crack with current technology.

  • Client-Side Encryption: Data is encrypted on your device before being sent to our servers
  • Unique Encryption Keys: Each user has unique encryption keys derived from their credentials
  • PBKDF2 Key Derivation: 100,000+ iterations make brute force attacks impractical
  • Automatic Encryption: All sensitive data is encrypted automatically without user intervention

2.2 What Gets Encrypted

The following sensitive information is encrypted end-to-end:

  • All financial transactions (expenses, income, investments)
  • Personal financial details (account numbers, card information)
  • Investment portfolio data and holdings
  • Budget information and financial goals
  • Family financial data and shared expenses
  • Notes and descriptions containing sensitive information
  • Payment method details and banking information

2.3 In-Transit Encryption

  • All data transmitted between your device and our servers uses TLS 1.3 encryption
  • HTTPS protocol is enforced on all connections with HSTS headers
  • Certificate pinning prevents man-in-the-middle attacks
  • Perfect Forward Secrecy ensures past communications remain secure

2.4 At-Rest Encryption

  • All data stored in our databases uses AES-256 encryption
  • Encryption keys are managed securely using Google Cloud KMS
  • Database-level encryption with automatic key rotation
  • Encrypted backups stored in geographically distributed locations

3. Authentication & Access Control

3.1 Strong Authentication

  • Passwords are hashed using bcrypt with salt
  • Multi-factor authentication (MFA) support available
  • Secure session management with automatic timeout
  • OAuth 2.0 integration with trusted providers (Google, Firebase)

3.2 Access Control

  • Role-based access control (RBAC) for different user types
  • Principle of least privilege - users only access necessary data
  • Admin access is restricted and logged
  • Regular access reviews and audits

4. Infrastructure Security

4.1 Cloud Infrastructure

  • Hosted on Google Cloud Platform (GCP) with enterprise-grade security
  • Data centers with physical security, surveillance, and access controls
  • Redundant systems and automatic failover for high availability
  • Regular security certifications and compliance audits

4.2 Network Security

  • Advanced firewalls and intrusion detection systems
  • DDoS protection and mitigation
  • Web Application Firewall (WAF) to prevent common attacks
  • Regular penetration testing and vulnerability assessments

4.3 Database Security

  • Firestore database with built-in security rules
  • Automated backups with encryption
  • Point-in-time recovery capabilities
  • Database activity monitoring and logging

5. Data Backup & Recovery

  • Automatic daily backups of all user data
  • Geographically distributed backup locations
  • Encrypted backup storage
  • Regular backup restoration tests
  • Disaster recovery plan with RTO of 4 hours and RPO of 1 hour

6. Monitoring & Logging

6.1 Security Monitoring

  • 24/7 security monitoring and threat detection
  • Real-time alerts for suspicious activities
  • Automated response to security incidents
  • Security Information and Event Management (SIEM) system

6.2 Audit Logging

  • All user actions are logged with timestamps
  • Administrative actions are separately logged and reviewed
  • Logs are retained for 90 days minimum
  • Logs are encrypted and tamper-protected

7. Vulnerability Management

  • Regular security code reviews and static analysis
  • Quarterly penetration testing by third-party security firms
  • Vulnerability scanning and patch management
  • Bug bounty program for responsible disclosure
  • Rapid patching of identified vulnerabilities

8. Compliance & Standards

Rupiya complies with the following standards and regulations:

  • GDPR: General Data Protection Regulation (EU)
  • CCPA: California Consumer Privacy Act
  • ISO 27001: Information Security Management
  • SOC 2: Service Organization Control
  • OWASP: Web Application Security standards
  • PCI DSS: Payment Card Industry Data Security Standard (where applicable)

9. Data Minimization

We follow the principle of data minimization - we collect only the minimum data necessary to provide our services. We do not collect unnecessary personal information and regularly purge data that is no longer needed.

10. Third-Party Security

  • All third-party vendors undergo security assessments
  • Vendors must comply with our security requirements
  • Data Processing Agreements (DPA) are in place with all vendors
  • Regular audits of third-party security practices

11. Incident Response

11.1 Incident Response Plan

  • Documented incident response procedures
  • Incident response team on standby 24/7
  • Rapid containment and mitigation procedures
  • Post-incident analysis and improvements

11.2 Breach Notification

In the unlikely event of a data breach, we will notify affected users within 72 hours as required by law, providing details of the breach and steps to protect your information.

12. Employee Security

  • Background checks for all employees with data access
  • Mandatory security training and awareness programs
  • Confidentiality and non-disclosure agreements
  • Principle of least privilege for employee access
  • Regular security audits of employee activities

13. Your Security Responsibilities

While we implement strong security measures, you also play an important role:

  • Keep your password strong and unique
  • Never share your login credentials with anyone
  • Use a secure device and network when accessing the Application
  • Enable multi-factor authentication if available
  • Log out when finished, especially on shared devices
  • Report suspicious activities immediately

14. Security Updates

  • Regular security patches and updates
  • Zero-day vulnerability response procedures
  • Automatic updates for critical security issues
  • Security advisories published on our website

15. Contact & Reporting

If you discover a security vulnerability or have security concerns, please report it to:

  • Email: help.rupiya@gmail.com
  • Response Time: We aim to respond within 24 hours
  • Confidentiality: We will keep your report confidential