Security First Approach
To ensure that all software developed, tested, and deployed by EASYCRED is secure by design, resilient against common vulnerabilities, and compliant with RBI/CERT-In and global best practices.
Scope
This policy applies to all software and systems within the EASYCRED ecosystem, including:
- EASYCRED website (easycred.co.in)
- Mobile applications (iOS, Android)
- APIs and integrations (loan partners, payment gateways, KYC vendors)
- Internal admin dashboards, CRM, and employee tools
Secure Development Lifecycle (SDLC)
- Threat Modeling: Conduct threat analysis for every new feature (e.g., loan disbursal API, KYC verification).
- Static Analysis (SAST): All code must pass automated scans for SQLi, XSS, hardcoded secrets, etc.
- Dependency Management: Only use approved libraries/packages; run regular vulnerability checks (e.g., npm audit, snyk).
- Code Review: Peer review required before merging. Security-critical changes must be reviewed by a senior engineer.
Authentication & Authorization
- Enforce OAuth 2.0 / JWT tokens for API calls.
- Implement role-based access control (RBAC) for customers, admins, and vendors.
- Sessions expire after 15 minutes of inactivity.
- Enforce Multi-Factor Authentication (MFA) for admin and partner logins.
Data Handling
- PII Protection: Aadhaar, PAN, bank details, etc. must be encrypted at rest (AES-256) and in transit (TLS 1.3).
- Data Minimization: Collect only necessary information for loan processing.
- Masking: Display only partial sensitive data (e.g., last 4 digits of Aadhaar).
- Audit Logs: Record access to PII with immutable logging.
API Security
- All APIs must be authenticated (no anonymous endpoints).
- Use rate limiting & throttling to prevent abuse.
- Validate all inputs with whitelisting, not blacklisting.
- Implement HMAC or signature-based verification for partner APIs.
- Monitor for anomalies (e.g., repeated failed OTP verifications).
Web & Mobile App Security
- Prevent OWASP Top 10 vulnerabilities: SQLi, XSS, CSRF, IDOR, SSRF, etc.
- Use Content Security Policy (CSP) to reduce XSS.
- Apply certificate pinning in mobile apps to prevent MITM attacks.
- Store secrets (API keys, DB credentials) only in vaults (e.g., AWS KMS, HashiCorp Vault).
- Enforce automatic updates and bug fix rollouts.
Testing & Deployment
- Penetration Testing: External penetration tests at least quarterly.
- Bug Bounty Program: Encourage responsible disclosure from ethical hackers.
- Staging Environment: All features tested in staging with production-like data (synthetic, not real PII).
- Zero-Downtime Deployment: Blue-Green or Canary releases to reduce risk.
Monitoring & Incident Handling
- Enable real-time monitoring of application logs (API errors, authentication failures).
- Alerts must be sent to the Security Operations Center (SOC) if anomalies detected.
- Quick rollback mechanism in case of faulty deployments.
Developer Responsibilities
- Mandatory annual security training (OWASP, secure coding).
- Immediate reporting of suspected vulnerabilities.
- No use of personal devices for production code access.
- Developers must not store production data locally.
Corporate Information
- Company Name: FLUXCAP SOFTWARE PRIVATE LIMITED
- CIN: U62013BR2024PTC070795
- GSTIN: 10AAGCF0269F1Z5
- Incorporated: 2024
- Corporate Office: Software Technology Park of India, Incubation Center 6, Patliputra, Patna, Bihar 800013
- Email Support: support@easycred.co.in · compliance@easycred.co.in
- Business Hours: Mon – Sat: 9:00 AM – 8:00 PM | Sunday: 10:00 AM – 6:00 PM