EASYCRED
Popular LoansPersonal LoanGold LoanBusiness Loan
Personal Loan EMIHome Loan EMIBusiness Loan EMICar Loan EMIWorking Capital EMILoan Against Property EMI
Knowledge HubNews & Media
CompanyTeamCareers
Partner Sign In
Legal & Compliance

Application Security Policy

Ensuring secure software development and deployment practices at EASYCRED — secure by design, resilient, and compliant.

Last updated: April 2026 FLUXCAP SOFTWARE PRIVATE LIMITED

On this page

  • Security First Approach
  • Scope
  • Secure Development Lifecycle
  • Authentication & Authorization
  • Data Handling
  • API Security
  • Web & Mobile App Security
  • Testing & Deployment
  • Monitoring & Incident Handling
  • Developer Responsibilities
  • Corporate Information

Security First Approach

To ensure that all software developed, tested, and deployed by EASYCRED is secure by design, resilient against common vulnerabilities, and compliant with RBI/CERT-In and global best practices.

Scope

This policy applies to all software and systems within the EASYCRED ecosystem, including:

  • EASYCRED website (easycred.co.in)
  • Mobile applications (iOS, Android)
  • APIs and integrations (loan partners, payment gateways, KYC vendors)
  • Internal admin dashboards, CRM, and employee tools

Secure Development Lifecycle (SDLC)

  • Threat Modeling: Conduct threat analysis for every new feature (e.g., loan disbursal API, KYC verification).
  • Static Analysis (SAST): All code must pass automated scans for SQLi, XSS, hardcoded secrets, etc.
  • Dependency Management: Only use approved libraries/packages; run regular vulnerability checks (e.g., npm audit, snyk).
  • Code Review: Peer review required before merging. Security-critical changes must be reviewed by a senior engineer.

Authentication & Authorization

  • Enforce OAuth 2.0 / JWT tokens for API calls.
  • Implement role-based access control (RBAC) for customers, admins, and vendors.
  • Sessions expire after 15 minutes of inactivity.
  • Enforce Multi-Factor Authentication (MFA) for admin and partner logins.

Data Handling

  • PII Protection: Aadhaar, PAN, bank details, etc. must be encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Data Minimization: Collect only necessary information for loan processing.
  • Masking: Display only partial sensitive data (e.g., last 4 digits of Aadhaar).
  • Audit Logs: Record access to PII with immutable logging.

API Security

  • All APIs must be authenticated (no anonymous endpoints).
  • Use rate limiting & throttling to prevent abuse.
  • Validate all inputs with whitelisting, not blacklisting.
  • Implement HMAC or signature-based verification for partner APIs.
  • Monitor for anomalies (e.g., repeated failed OTP verifications).

Web & Mobile App Security

  • Prevent OWASP Top 10 vulnerabilities: SQLi, XSS, CSRF, IDOR, SSRF, etc.
  • Use Content Security Policy (CSP) to reduce XSS.
  • Apply certificate pinning in mobile apps to prevent MITM attacks.
  • Store secrets (API keys, DB credentials) only in vaults (e.g., AWS KMS, HashiCorp Vault).
  • Enforce automatic updates and bug fix rollouts.

Testing & Deployment

  • Penetration Testing: External penetration tests at least quarterly.
  • Bug Bounty Program: Encourage responsible disclosure from ethical hackers.
  • Staging Environment: All features tested in staging with production-like data (synthetic, not real PII).
  • Zero-Downtime Deployment: Blue-Green or Canary releases to reduce risk.

Monitoring & Incident Handling

  • Enable real-time monitoring of application logs (API errors, authentication failures).
  • Alerts must be sent to the Security Operations Center (SOC) if anomalies detected.
  • Quick rollback mechanism in case of faulty deployments.

Developer Responsibilities

  • Mandatory annual security training (OWASP, secure coding).
  • Immediate reporting of suspected vulnerabilities.
  • No use of personal devices for production code access.
  • Developers must not store production data locally.

Corporate Information

  • Company Name: FLUXCAP SOFTWARE PRIVATE LIMITED
  • CIN: U62013BR2024PTC070795
  • GSTIN: 10AAGCF0269F1Z5
  • Incorporated: 2024
  • Corporate Office: Software Technology Park of India, Incubation Center 6, Patliputra, Patna, Bihar 800013
  • Email Support: support@easycred.co.in · compliance@easycred.co.in
  • Business Hours: Mon – Sat: 9:00 AM – 8:00 PM | Sunday: 10:00 AM – 6:00 PM

EASYCRED

AI-powered loan aggregator connecting you with RBI-registered NBFCs and India's top fintech lenders - compare, apply and track, paperlessly.

WhatsApp AI Assistant

Loan Products

  • Personal Loan
  • Home Loan
  • Car Loan
  • Business Loan
  • Working Capital
  • Loan Against Property

Corporate

  • About Us
  • Our Lenders
  • Careers
  • Partner with Us

Resources

  • Knowledge Hub
  • News & Media

Grievance Redressal

  • Sachet Portal
  • Digital Lending Guidelines
  • Guidelines on Default Loss Guarantee (FLDG)

Policy

  • Privacy Policy
  • Terms of Service
  • Refund Policy
  • Security Policy
  • Cookie Policy
  • Consent Policy

Contact

  • support@easycred.co.in
  • compliance@easycred.co.in
  • Software Technology Park of India, Incubation Center 6, Patliputra, Patna, Bihar 800013
Other Products from FLUXCAP SOFTWARE PRIVATE LIMITED:ASTROCRED
Follow Us on Social Media:
Legal Name: FLUXCAP SOFTWARE PRIVATE LIMITEDCIN: U62013BR2024PTC070795GSTIN: 10AAGCF0269F1Z5

EASYCRED is a loan aggregator platform operated by FLUXCAP SOFTWARE PRIVATE LIMITED and is not a direct lender, bank or NBFC. Loan approval, interest rates and disbursal are at the sole discretion of our RBI-registered lending partners. Credit products are subject to eligibility - please review all terms before availing.

© 2026 FLUXCAP SOFTWARE PRIVATE LIMITED. All rights reserved.

Privacy·Terms·Cookies

A FLUXCAP SOFTWARE PRIVATE LIMITED product