CredAvenue Security
Assurance Statement

Product Security
Objective

The goals of the CredAvenue Security Assurance (CASA) program are to ensure that all our products, solutions and services are designed, developed, and maintained with security in mind, and to provide all our customers with the assurance that their information and assets always remains secure. This document is created with the intention to provide a high level architectural view and security & privacy controls components of the program.
Overview

CredAvenue protects its systems with a comprehensive assortment of security best practices and controls. At Vivriti Capital, the security of systems and applications along with confidentiality of data is of utmost importance. Vivriti Capital protects its systems and actively mitigates potential threats by adhering to a complex set of best practices, including documented and audited processes for providing secure service. Our facilities are governed by industry best practices and standards e.g., ISO - IEC 27001-2013. Our association with KPMG as IT Security partner enhances our security posture.

Privacy Practices

At CredAvenue, we ensure to be always compliant with the India’s Data Protection Bill (Draft) and do not sell or rent your information or data to anyone. Your information will also be not used for any advertisements including personalized or targeted advertising.

All your information available with us will be protected for confidentiality, Integrity and availability. Unless authorized/consent provided by you, we will not be sharing any of your information in complete/partial with anyone.

Data Security

Securing data is our prime objective of the security assurance program. All data stored with us are encrypted both at rest and in transit by default. The communication between the platform and the production servers happens over an AES 256-bit encrypted tunnel which makes it impossible for hackers to tap the data.

Users will not be able to access the application platform without credentials. In addition to username and password, users are prompted for OTP (One-Time Password) before providing access to the application environment.

The data that is supplied to us from our customers/clients/investors are picked up using a secure tunnel enabled with Transport Layer Security (TLS) Database which stores all data is secured with defense in depth control mechanism.

Access to data stored on database is restricted to only authorized application users, Data cannot be accessed outside of application, as direct access to data is restricted.

User Administration

CredAvenue ensures unique user identifier are created for every personnel requesting access to the application, usage of generic or shared credentials is completely restricted.

User access reviews are conducted periodically to ensure, least privilege and segregation of duties are applied for all platform users and to achieve an controlled user environment.

Application Security

CredAvenue Security Assurance (CASA) program covers a detailed product security requirements and compliance components. Which includes incorporating security into the software development activities.

Our Application platform is assessed annually by a Cert-In Empaneled Independent Auditors for compliance. In addition, we have an internal team of security professionals who handle periodic vulnerability assessment and penetration testing activities.

The CI/CD (Continuous Integration/Continuous Deployment) pipeline is implemented with appropriate checks and balances for security controls which includes testing of applications before passing on to next stage.

Perimeter level application protection enables the protection against application related threats including threats arising out of 3rd party components used.

Cloud Security

CredAvenue is hosted on a Virtual Private Cloud on Amazon Web Services in a multi-tenant architecture. This architecture is high resilient to scale along with the requirement, providing us a more reliable and consistent environment.

CredAvenue application infrastructure is protected against advanced cyber-attacks by having powerful security controls for complete run time visibility, application threat map, comprehensive protection against known and unknown threats including 0-day vulnerabilities, file less attacks, memory execution protections and file integrity monitoring, to name few.

We have enabled a clear segregation of network between our client operating environments and development environments to ensure Zero-Trust across the platform.

CredAvenue Infrastructures are launched with CIS benchmark standard for ensuring baseline compliance.

Endpoint Security

All our endpoints are enforced with zero-trust solution, which lockdowns all services and processes by default and allows only authorized processes to execute.

Controlled admin privileges are enabled for our developers to ensure that development activities are aligned with the assurance program. Next-Gen Cloud Security Access Broker ensures all cloud native applications used within the operating environments are controlled.

All Internet traffics are monitored and controlled through secure web gateway.

Monitoring

CredAvenue endpoints are monitored for compliance 24*7*365 days. In order to achieve zero down time, auto responding capabilities are enabled for blocking malicious network traffic and controlling network traffic.

Continuous vulnerability assessments are performed on endpoints to track the security posture of the operating environment.

Business Continuity & Disaster Recovery

Real time replication of data is enabled at redundant data center for ensuring high availability and to solve the purpose of DR.

Our core application and infrastructure are managed as code which significantly reduces the RTO (Recovery Time Objective).

In addition to standard backup, we also enabled a centralized backup of data to be in compliance with the regulatory requirements.

Data localization is achieved by ensuring all our data are stored within India. Ability to perform restoration at component (granular) level to ensure prioritizing the restoration of critical assets.

Application Development

CredAvenue incorporates secure coding principles into its development practices. Some of the development principles include:

Minimize attack surface area

Establish secure defaults

Apply least privilege

Apply defense-in-depth

Fail securely

Don’t trust third-party services/data

Separation of duties

Avoid security by obscurity

Keep security simple

Fix security issues correctly

In addition to 3rd party security assessment, direct application security vulnerability assessments and penetration tests are regularly conducted against CredAvenue. These assessments are conducted internally by the security engineering team separate from the products team (as second set of unbiased eyes). Direct assessments utilize testing checklist such as OWASP testing guide to test the OWASP Top 10 risks.

Concept and Design

Application security requirements, specifications, and features

With a goal to incorporate security at the earliest possible phase of the product lifecycle, CredAvenue captures and strives to incorporate specific application security requirements during the concept/design phases of the product lifecycle.

These requirements are normally derived from industry standard best practice guidelines such as the OWASP Development Guide and Security Cheat Sheet Series projects. Some common application security requirements injected in to CredAvenue products fall into the following high-level categories:

Identity Management

Authentication

Session Management

Security Engineering’s core responsibilities include:

Promoting security in all products and secure software development practices

Acting as custodians for the CredAvenue Security Assurance Program (i.e., the CASA Program)

Tracking the security maturity of all products and reporting overall risk postures to Engineering Management

Regularly liaising with and supporting Security Advocates and their product teams

Providing security related subject matter expertise, SAST and DAST support, and training to all product teams for SAST and DAST related tools and activities

Performing direct application security vulnerability assessments and penetration tests as required

Tracking all vulnerabilities, threats, and customer reported security issues holistically and ensuring they are being risk treated according to their severity ratings

Working with CredAvenue Customer Support and customers to investigate and seek resolution to customer reported security issues, questions, and concerns

Working in cooperation with the CredAvenue Global Information Security team on various security related initiatives

Keeping abreast of new security related threats and trends, attack techniques, tools, and methodologies

Privacy and Security Policy

CredAvenue is committed to protecting the personal data of our customers. To read our policy statement outlining our principles with respect to personal data collected, processed, and used via our website, visit: