Security and Compliance

Transparency and security form the foundation of everything we do at FinBox.
Since day one, our priority has been to protect all client, partner, and internal data and assets while remaining compliant with current standards and regulations.
Over the years we have maintained these compliance standards and continue to monitor, test, and improve our security controls and procedures.
Our security programme covers data security, risk management, infrastructure security, business continuity, disaster recovery, vendor management, and identity and access control.
ISO 27001:2013: International standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) in the context of the organisation's overall business risks.
SOC 2 Type II: Attests that the controls relevant to the Trust Services Criteria (TSC) in scope, namely security, availability, and confidentiality of the information processed by FinBox systems, were designed suitably and operated effectively over the review period.
Safe-To-Host Certificate (VAPT) by a CERT-In empanelled auditor: Issued after a vulnerability assessment and penetration test (VAPT) of the hosting environment, confirming that identified vulnerabilities were remediated and the systems were found fit to host.
Specified User Certificate - CIBIL: Authorises FinBox, as a Specified User, to access and use credit information provided by Credit Information Bureau of India Limited (CIBIL).
Specified User Certificate - Experian: Authorises FinBox, as a Specified User, to access and use credit information provided by Experian.
Specified User Certificate - CRIF: Authorises FinBox, as a Specified User, to access and use credit information provided by CRIF High Mark.
SAR-CICRA for Specified User (RBI): System Audit Report demonstrating adherence to the cybersecurity and information security requirements that apply to Specified Users under the Credit Information Companies (Regulation) Act (CICRA). FinBox undergoes this audit every six months.
SAR Audit by a CERT-In empanelled auditor: Independent evaluation of FinBox's information systems and security controls against industry best practices and applicable regulatory requirements.
Network VAPT by a CERT-In empanelled auditor: Periodic vulnerability assessment and penetration test of FinBox's network infrastructure, performed to identify and remediate exploitable weaknesses, meet regulatory requirements, and assure users that their financial data is protected.
Frequently Asked Questions
Does FinBox have an information security policy and procedure? Yes. FinBox operates an ISO 27001:2013 certified information security management system, which requires documented and maintained security policies and procedures.
How often does FinBox perform VAPT? A full VAPT is performed annually by a CERT-In empanelled vendor. Vulnerability assessment (VA) scans are performed every quarter, also by a CERT-In empanelled vendor.
What encryption mechanisms does FinBox use? Data at rest is encrypted with AES-256. Data in transit is protected with Transport Layer Security (TLS).
Does FinBox have a Change Management/SDLC policy? Yes. FinBox's Change Management Policy defines the procedures to be followed for any change to FinBox's information systems, environment, and services.
Does FinBox have a patch management policy? Yes. FinBox has a Vulnerability Assessment and Patch Management Policy. VA scans are performed quarterly, and an annual test by a CERT-In empanelled entity verifies that patches have been applied.
Does FinBox have an incident management policy and procedure? Yes. FinBox's Incident Management Policy lays out a comprehensive roles-and-responsibilities matrix for handling security incidents.
Does FinBox have a physical security policy and procedure? Yes. FinBox's Physical and Environmental Security Policy defines secure areas and the rules for equipment usage.
Does FinBox have third-party vendor risk management procedures? Yes. FinBox's third-party vendor policy lays out the risk management procedures applied to vendors.
Does FinBox have an Enterprise/Operational Risk Management policy? Yes. FinBox has a defined risk assessment and treatment methodology. Risk assessments are performed at periodic intervals, and the results are maintained in a risk register.
Does FinBox conduct background checks on its employees? Yes. FinBox conducts background checks that verify identity, criminal records (if any), and previous employment.