CredAvenue protects its systems with a comprehensive assortment of security best practices and controls. At Vivriti Capital, the security of systems and applications, along with the confidentiality of data, is of utmost importance. Vivriti Capital protects its systems and actively mitigates potential threats by adhering to a complex set of best practices, including documented and audited processes for providing secure service. Our facilities are governed by industry best practices and standards, e.g., ISO/IEC 27001:2013. Our association with KPMG as IT security partner enhances our security posture.
At CredAvenue, we ensure that we are always compliant with India’s Data Protection Bill (Draft) and do not sell or rent your information or data to anyone. Your information will also not be used for any advertisements, including personalized or targeted advertising.
All your information available with us will be protected for confidentiality, integrity and availability. Unless you have authorized it or provided consent, we will not share any of your information, in whole or in part, with anyone.
Securing data is the prime objective of our security assurance program. All data stored with us is encrypted both at rest and in transit by default. The communication between the platform and the production servers happens over an AES 256-bit encrypted tunnel, which makes it impossible for hackers to tap the data.
Users will not be able to access the application platform without credentials. In addition to a username and password, users are prompted for an OTP (One-Time Password) before being given access to the application environment.
The data that is supplied to us by our customers/clients/investors is picked up using a secure tunnel enabled with Transport Layer Security (TLS). The database which stores all data is secured with a defense-in-depth control mechanism.
Access to data stored in the database is restricted to authorized application users only. Data cannot be accessed outside of the application, as direct access to data is restricted.
CredAvenue ensures that a unique user identifier is created for every person requesting access to the application; usage of generic or shared credentials is completely restricted.
User access reviews are conducted periodically to ensure that least privilege and segregation of duties are applied for all platform users and to achieve a controlled user environment.
The CredAvenue Security Assurance (CASA) program covers detailed product security requirements and compliance components, which includes incorporating security into software development activities.
Our application platform is assessed annually for compliance by CERT-In empaneled independent auditors. In addition, we have an internal team of security professionals who handle periodic vulnerability assessment and penetration testing activities.
The CI/CD (Continuous Integration/Continuous Deployment) pipeline is implemented with appropriate checks and balances for security controls, which include testing of applications before they pass to the next stage.
Perimeter-level application protection guards against application-related threats, including threats arising from third-party components used.
CredAvenue is hosted on a Virtual Private Cloud on Amazon Web Services in a multi-tenant architecture. This architecture is highly resilient and scales along with requirements, providing us with a more reliable and consistent environment.
CredAvenue application infrastructure is protected against advanced cyber-attacks by powerful security controls for complete runtime visibility, an application threat map, and comprehensive protection against known and unknown threats including 0-day vulnerabilities and fileless attacks, along with memory execution protections and file integrity monitoring, to name a few.
We have enabled a clear segregation of network between our client operating environments and development environments to ensure Zero-Trust across the platform.
CredAvenue infrastructure is launched with the CIS benchmark standard to ensure baseline compliance.
All our endpoints are enforced with a zero-trust solution, which locks down all services and processes by default and allows only authorized processes to execute.
Controlled admin privileges are enabled for our developers to ensure that development activities are aligned with the assurance program. Next-Gen Cloud Security Access Broker ensures all cloud native applications used within the operating environments are controlled.
All Internet traffic is monitored and controlled through a secure web gateway.
CredAvenue endpoints are monitored for compliance 24x7x365. In order to achieve zero downtime, auto-response capabilities are enabled for blocking malicious network traffic and controlling network traffic.
Continuous vulnerability assessments are performed on endpoints to track the security posture of the operating environment.
Real-time replication of data to a redundant data center is enabled to ensure high availability and to serve the purpose of DR.
Our core application and infrastructure are managed as code which significantly reduces the RTO (Recovery Time Objective).
In addition to standard backup, we have also enabled a centralized backup of data to comply with regulatory requirements.
Data localization is achieved by ensuring all our data is stored within India. Restoration can be performed at the component (granular) level so that the restoration of critical assets can be prioritized.
CredAvenue incorporates secure coding principles into its development practices. Some of the development principles include:
Minimize attack surface area
Establish secure defaults
Apply least privilege
Don’t trust third-party services/data
Separation of duties
Avoid security by obscurity
Keep security simple
Fix security issues correctly
In addition to third-party security assessments, direct application security vulnerability assessments and penetration tests are regularly conducted against CredAvenue. These assessments are conducted internally by the security engineering team, separate from the products team (as a second set of unbiased eyes). Direct assessments utilize testing checklists such as the OWASP Testing Guide to test for the OWASP Top 10 risks.
Application security requirements, specifications, and features
With a goal to incorporate security at the earliest possible phase of the product lifecycle, CredAvenue captures and strives to incorporate specific application security requirements during the concept/design phases of the product lifecycle.
These requirements are normally derived from industry-standard best practice guidelines such as the OWASP Development Guide and Security Cheat Sheet Series projects. Some common application security requirements injected into CredAvenue products fall into the following high-level categories:
Security Engineering’s core responsibilities include:
Promoting security in all products and secure software development practices
Acting as custodians for the CredAvenue Security Assurance Program (i.e., the CASA Program)
Tracking the security maturity of all products and reporting overall risk postures to Engineering Management
Regularly liaising with and supporting Security Advocates and their product teams
Providing security related subject matter expertise, SAST and DAST support, and training to all product teams for SAST and DAST related tools and activities
Performing direct application security vulnerability assessments and penetration tests as required
Tracking all vulnerabilities, threats, and customer reported security issues holistically and ensuring they are being risk treated according to their severity ratings
Working with CredAvenue Customer Support and customers to investigate and seek resolution to customer reported security issues, questions, and concerns
Working in cooperation with the CredAvenue Global Information Security team on various security related initiatives
Keeping abreast of new security related threats and trends, attack techniques, tools, and methodologies
CredAvenue is committed to protecting the personal data of our customers. To read our policy statement outlining our principles with respect to personal data collected, processed, and used via our website, visit: