Vizible Legal
Information Security
Technical and organisational security measures we maintain.
FYNBIT TECH PRIVATE LIMITED maintains a security programme designed to protect the confidentiality, integrity and availability of the Vizible platform and the personal data we process on behalf of our Tenants. This page summarises the key technical and organisational measures we have in place. It is intended both for transparency and to support due-diligence reviews by Tenants and their security teams.
1. Hosting & infrastructure
- Application, database and storage are hosted on Oracle Cloud Infrastructure in the Mumbai (ap-mumbai-1) region.
- Network segmentation between public, application and database tiers.
- TLS 1.2+ enforced for all browser, mobile and API traffic.
- Daily database snapshots with rolling 30-day retention; backups encrypted at rest.
- Monitoring and alerting on application availability, error rate and security events.
2. Authentication & access
- Passwords are stored salted and hashed using bcrypt; plain-text passwords are never written to logs or storage.
- Multi-factor authentication is available for Tenant Users via WebAuthn (FIDO2) and email OTP.
- Email-OTP verification is required during initial signup; codes are valid for ten minutes.
- Role-based access control on every Workspace; permissions are enforced server-side.
- Session tokens are signed JWTs with limited lifetime; refresh requires re-authentication after inactivity.
- Internal staff access to production is limited to authorised personnel, requires MFA, and is logged.
3. Data protection
3.1 Encryption
- Encryption in transit: TLS 1.2+ on all external interfaces.
- Encryption at rest: enabled on the database, file storage and backups.
- Secrets and integration credentials in the in-product Vault are encrypted with per-Tenant keys.
3.2 Payments
FYNBIT does not store full card numbers, CVV or other regulated payment instrument data. Payments are tokenised by our gateways (Razorpay, Fynbit Wallet) which are independently certified. We retain only the gateway IDs, amount, status and reconciliation metadata required to operate the service.
3.3 Tenant isolation
Tenant data is logically isolated through scoped queries enforced at the application layer; cross-Tenant access is prevented by strict tenant context checks on every authenticated request.
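As an added illustration of the tenant-context checks described above (example code, not Vizible's own implementation), the module below derives the Tenant from the authenticated session, never from request parameters, and scopes every query to it; the table, column names and sample rows are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Tenant context taken from the verified session, not from user-supplied input."""
    user_id: str
    tenant_id: str


class CrossTenantAccess(Exception):
    """Raised when a request references an object outside the caller's Tenant."""


def open_db():
    # Constructed sample data: two Tenants, each owning one record (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE matters (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO matters VALUES (?, ?, ?)",
        [(1, "tenant-a", "A's matter"), (2, "tenant-b", "B's matter")],
    )
    return db


def list_matters(db, ctx):
    # Every read is filtered by the session's tenant_id using a parameterised query.
    rows = db.execute(
        "SELECT id, title FROM matters WHERE tenant_id = ?", (ctx.tenant_id,)
    ).fetchall()
    return [{"id": r[0], "title": r[1]} for r in rows]


def get_matter(db, ctx, matter_id):
    # The tenant condition is part of the lookup itself, so an id belonging to another
    # Tenant behaves exactly like a non-existent one: no row, and an explicit refusal.
    row = db.execute(
        "SELECT id, title FROM matters WHERE id = ? AND tenant_id = ?",
        (matter_id, ctx.tenant_id),
    ).fetchone()
    if row is None:
        raise CrossTenantAccess(f"matter {matter_id} is not visible to tenant {ctx.tenant_id}")
    return {"id": row[0], "title": row[1]}
```

Wiring the lookup to the session-derived context rather than a client-supplied tenant id is what makes the check hold on every authenticated request.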
4. Application security
- Input validation on all API endpoints; ORM-parameterised queries to prevent SQL injection.
- Output encoding and React's default escaping to mitigate cross-site scripting.
- CSRF protection on state-changing endpoints; the SameSite cookie attribute is set appropriately.
- Dependency scanning and security patching on a regular cadence.
- Code review required for all changes to security-sensitive paths.
- Audit logging of significant administrative and security events with at least 12 months retention.
5. Operational security
- Onboarding/offboarding workflows for staff; immediate revocation of access on departure.
- Least-privilege principle for production access.
- Confidentiality undertakings for all employees and contractors with access to Tenant data.
- Sub-processors are reviewed before engagement; their security postures are monitored over time.
6. Incident response & breach notification
- GDPR personal-data breaches affecting EU/UK individuals: notification to the lead supervisory authority within seventy-two (72) hours of becoming aware, where required by GDPR Art. 33.
- DPDP Act personal-data breaches: notification to the Data Protection Board of India and to affected Data Principals as required under §8(6) of the DPDP Act and the rules made under it.
- U.S. state breach laws: notification to affected residents and (where required) state Attorneys General within statutory timelines.
- Tenants will be notified without undue delay so they can fulfil their own controller obligations.
7. Compliance posture
- Reasonable security practices and procedures aligned with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Programme designed against the ISO/IEC 27001 control set; formal certification roadmap in progress.
- GDPR Article 32 technical and organisational measures, supplemented by Standard Contractual Clauses where applicable.
- Card-data handling under RBI Payment Aggregator requirements is delegated to certified gateway partners; FYNBIT does not store cardholder data.
8. Tenant responsibilities
Security is a shared responsibility. Tenants must protect their own credentials, enable MFA for administrators, follow least-privilege when assigning roles to Tenant Users, and ensure End-Customer consent for communications and (where applicable) for the EAMS monitoring features.
9. Reporting security issues
Please report suspected vulnerabilities to security@vizible.in. We will acknowledge within 72 hours and work with you to validate and remediate. Researchers acting in good faith under our Acceptable Use Policy §6 will not be subject to legal action.