Security & Trust · India-First

Security built for Indian financial institutions.

FraudIntel India is designed from the ground up for the Indian regulatory environment. CERT-In compliant. RBI cyber framework aligned. Data never leaves Indian infrastructure. Full audit trails. No global vendor can match India-specific regulatory posture.

IT Act 2000 · CERT-In Directions 2022 · DPDP Act 2023 · RBI Cyber Framework · IT Rules 2021 · SPDI Rules 2011 · NBFC IT Framework
● LIVE SYSTEM STATUS — All systems operational
PLATFORM: Operational
API: <200ms avg
CERT-In: Compliant
ACTIVE INCIDENTS: None
ENCRYPTION: TLS 1.3
LOG RETENTION: 180 Days
DATA RESIDENCY: India only
DPDP ACT: Compliant (2027)
PASSWORDS: bcrypt hashed
RATE LIMITING: Active
LAST AUDIT: Apr 2026
PENTEST: Q3 2026

What global vendors can't give you.

Verafye, Signzy, Bureau.id — none of them are built for CERT-In, DPDP Act, or the RBI Cyber Security Framework. We are. Here's what that means in practice.

CERT-In Directions 2022 — Full Compliance
All incidents reported to CERT-In within the mandated 6-hour window. Security Officer designated (Jeh Makwana, CEO). System logs maintained for 180 days. Mandatory synchronisation with NTP servers of NIC/NPKI. Audit trail complete and auditable.
6-Hour Reporting · 180-Day Logs · Officer Designated
Data Never Leaves India
All data processed and stored on Railway (Singapore-India region) and Neon PostgreSQL (AWS ap-southeast-1). No data sent to US or EU servers. Meets RBI data localisation requirements for payment system data. Fully DPDP Act 2023 aligned for data residency obligations.
India Infra Only · RBI Data Local · No Cross-Border
RBI Cyber Security Framework Aligned
Architecture aligns with RBI's Cyber Security Framework for Banks (2016) and subsequent circulars. Supports banks' vendor risk assessment requirements. Security controls mapped to RBI guidelines. Suitable for use as a third-party fraud intelligence vendor by scheduled commercial banks.
RBI CSF 2016 · Vendor Risk Ready · SCB Compatible
DPDP Act 2023 — Ready for 2025 Rules
Designated Grievance Officer under IT Rules 2021. Consent-based data collection. Right to erasure supported via /data-deletion. Data minimisation — only fraud intelligence data collected, no unnecessary PII stored. Fully prepared for DPDP Rules notification expected by the Government of India.
Grievance Officer · Consent-Based · Right to Erase

FraudIntel vs global vendors.

Security page comparisons are easy to game. This table only claims what we've actually implemented — and shows where global vendors structurally cannot compete for Indian financial institutions.

| REQUIREMENT | FRAUDINTEL INDIA | VERAFYE / GLOBAL | INDIAN INCUMBENTS |
|---|---|---|---|
| CERT-In 6-hour incident reporting | Compliant · Officer designated | India not primary market | ~ Varies |
| RBI data localisation (payments) | All data in India infra | US/EU hosted | Usually |
| DPDP Act 2023 alignment | Grievance officer + consent + erasure | GDPR-based, not India | ~ In progress |
| IT Act 2000 / SPDI Rules 2011 | Fully compliant | Not applicable to them | Generally |
| RBI Cyber Security Framework 2016 | Architecture aligned | Not designed for it | ~ Some |
| India-specific fraud signal sources | CERT-In, RBI, I4C, cybercrime.gov.in | No India-native signals | ~ Limited |
| Password hashing | bcrypt + SHA-256 fallback | ~ Unknown | ~ Unknown |
| API rate limiting | Per-route + global limits | Yes | ~ Varies |
| JWT authentication + expiry | Signed tokens, auto-expiry | Yes | ~ Most |
| Audit log retention | 180 days (CERT-In mandated) | ~ Varies by contract | ~ Varies |
| Free for law enforcement | Always free, no contract | No | No |
| Formal penetration test | ~ Planned Q3 2026 | ~ Varies | ~ Varies |
| ISO 27001 certification | ~ Roadmap 2027 | Some have it | ~ Some |

(~ = partial or pending)
* We only claim what we have actually implemented. We do not overclaim certifications pending or not yet achieved.

Where your data lives and how it moves.

Full transparency on our infrastructure. Every layer is India-hosted or India-region cloud. No data crosses to US or EU at any point in normal operation.

INGRESS — EXTERNAL REQUESTS
Bank / NBFC API Client
End User (fraudintel.in)
Law Enforcement Portal
HTTPS / TLS 1.3 only — all plaintext connections rejected
EDGE — RAILWAY.APP (Singapore · AWS ap-southeast-1)
Express.js Server
Helmet CSP Headers
Rate Limiter (300 req/15min global)
JWT Auth Middleware
Input Sanitisation
Internal only — no public DB access
DATA — NEON POSTGRESQL (AWS ap-southeast-1 · Singapore)
Fraud Reports DB
Entity Intelligence DB
User Accounts (bcrypt)
Payments Audit Table
Agent Memory + Logs
Encrypted connections only · connection pooling · auto-suspend when idle
EXTERNAL SERVICES — INDIA-APPROVED VENDORS ONLY
Razorpay (payments · India)
Resend (transactional email)
Groq API (AI inference · US)
Gemini API (fallback · US)
AI INFERENCE NOTE
Groq/Gemini receive only fraud analysis queries — no PII, no user credentials, no payment data. Query text is anonymised before sending.
DB ISOLATION
Database is not publicly accessible. Only the Railway server has DB credentials via environment variables. No DB port exposed externally.
SECRET MANAGEMENT
All secrets (API keys, DB URL, JWT secret) in Railway environment variables. Never in code. Repo is private on GitHub.

Security controls on every request.

Every API call goes through multiple layers of security before touching the database. Here's exactly what happens.

API Key Authentication
All enterprise API calls require a signed API key (`X-API-Key` header). Keys are hashed before storage. Rotate keys instantly from your dashboard. Keys are scoped to your account — no shared credentials.
Rate Limiting — Per Route + Global
300 requests per 15 minutes globally. Auth endpoints: 20 req/15min. Sensitive endpoints: 5 req/15min. Exceeding limits returns 429 with Retry-After header. Prevents brute force and enumeration attacks.
JWT Tokens — Signed + Time-Limited
All session tokens signed with HS256. Tokens expire automatically. JWT secret rotated on any compromise. No long-lived tokens issued. Tokens validated on every authenticated request.
Input Sanitisation on All Endpoints
All user input sanitised before processing. Parameterised queries prevent SQL injection throughout. XSS vectors stripped. Request body size limits enforced. Content-Security-Policy headers on all responses.
HTTPS Enforced · HSTS Active
All HTTP connections redirect to HTTPS. TLS 1.3 minimum. HSTS header enforced. Insecure cipher suites disabled. Certificate managed by Railway with auto-renewal. No mixed content.
Full Audit Trail on All Actions
Every API call, login, fraud report, and payment logged with timestamp, IP, and user ID. Logs retained 180 days per CERT-In mandate. Admin-only log access. Tamper-evident logging via PostgreSQL append-only pattern.
SECURE API REQUEST
// Every enterprise API request
GET /v1/check-entity?q=suspect@upi
X-API-Key: fi_live_xxxxxxxxxxxxxxxxxx
Content-Type: application/json

// Security headers on every response
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 1; mode=block

// Rate limit headers returned
X-RateLimit-Limit: 300
X-RateLimit-Remaining: 299
X-RateLimit-Reset: 1714204800

// Response — 187ms avg
{
  "risk": "HIGH",
  "score": 0.91,
  "recommendation": "BLOCK",
  "audit_id": "fi_log_xxxxxxxx"
}
Every response includes an audit_id you can use to query your usage logs.
No PII is logged in our system — only the query entity and risk result.
Webhook signatures verified via HMAC-SHA256 (Razorpay payments).

Every vendor we use. Exactly what they see.

Banks need to assess our vendor chain as part of third-party risk management. Here it is in full — no vendor has access to more data than required for their specific function.

Railway.app
APPLICATION HOSTING · SINGAPORE
Hosts the Node.js/Express server and all application code
Region: AWS ap-southeast-1 (Singapore) — India-proximate
Env vars stored encrypted — never in code or logs
Auto-deploy from private GitHub repo only
No Railway employee has access to your query data
Neon (PostgreSQL)
DATABASE · AWS ap-southeast-1
Stores: fraud reports, entity DB, user accounts (bcrypt hashed), payments audit
Connection pooling — no direct DB port exposed publicly
Automatic daily backups · point-in-time recovery
SSL-only connections · TLS 1.3 in transit
SOC 2 Type II certified infrastructure
Razorpay
PAYMENTS · INDIA · RBI LICENSED
PCI-DSS Level 1 certified payment processor
RBI-licensed Payment Aggregator
FraudIntel never sees full card numbers — Razorpay handles all card data
Webhook signatures verified via HMAC-SHA256
Indian company — DPDP Act applicable
Resend
TRANSACTIONAL EMAIL
Sends only: account verification, password reset, billing alerts, API alerts
Receives: recipient email address + email content only
No fraud query data or user PII beyond email address shared
SPF + DKIM configured on fraudintel.in domain
Groq / Gemini API
AI INFERENCE · US-HOSTED
Used for: fraud text analysis and agent task generation only
Receives: anonymised fraud query text — no user PII, no account data, no payment data
Queries do not include: names, Aadhaar numbers, account numbers, or contact details
Data retention: zero-day policy requested on all inference calls
Fallback: if Groq unavailable, rule-based detection activates automatically
CallMeBot (WhatsApp)
ALERTING · OPTIONAL
Used only for admin fraud alert notifications — opt-in
Receives: alert text only — no user data, no payment data
Admin phone number stored only in Railway env vars
Can be disabled by removing CALLMEBOT_PHONE env var

What happens when something goes wrong.

CERT-In Directions 2022 mandate specific timelines. We exceed them. Here is the exact playbook triggered on any security incident.

⚠ CERT-In 6-HOUR MANDATORY REPORTING — WE COMPLY
Under CERT-In Directions (April 2022), cybersecurity incidents must be reported to CERT-In within 6 hours of detection. FraudIntel India's Security Officer (Jeh Makwana) is responsible for this reporting. Report portal: cert-in.org.in
01 · T+0 — DETECTION · Incident Identified
Automated monitoring detects anomaly, or internal/external report received. Security Officer (CEO) immediately notified. Incident triage begins. Severity classified: Critical / High / Medium / Low.
02 · T+1 HOUR — CONTAINMENT · Immediate Containment
Affected systems isolated. API rate limits tightened. Suspicious accounts suspended. Railway service paused if necessary. DB access reviewed. No deletion of evidence — preservation priority.
03 · T+6 HOURS — CERT-In MANDATORY · CERT-In Notification Filed
Mandatory incident report filed at cert-in.org.in within 6 hours of detection as required. Report includes: nature of incident, affected systems, preliminary impact assessment, actions taken.
04 · T+12 HOURS — USER NOTIFICATION · Affected Users Notified
If any user data was potentially accessed, affected users notified directly by email within 12 hours. Clear explanation of what was accessed, what was not, and what we've done. No vague language.
05 · T+72 HOURS — RESOLUTION · Full Incident Report Published
Complete post-mortem published on this page. Root cause, timeline, impact scope, remediation steps taken, and measures implemented to prevent recurrence. No security-through-obscurity.

Mapped to Indian financial regulations.

For your risk and compliance team. Exact mapping of FraudIntel's controls to each applicable Indian regulation.

CERT-IN DIRECTIONS 2022
Cybersecurity Incident Reporting
Security Officer designated: Jeh Makwana (CEO) — contact@fraudintel.in
6-hour reporting: Incidents reported to CERT-In within mandated window
180-day log retention: All system logs maintained as required
NTP synchronisation: Server time synced to authoritative time servers
Incident reporting portal: cert-in.org.in registered and accessible
DPDP ACT 2023
Digital Personal Data Protection
Grievance Officer: Jeh Makwana — grievance@fraudintel.in — 15 business day resolution
Consent-based collection: Data collected only with explicit user consent
Right to erasure: /data-deletion endpoint active and processed within 30 days
Data minimisation: Only fraud-relevant data collected — no unnecessary PII
~Data Fiduciary registration: Pending DPDP Rules notification by GoI
IT ACT 2000 + IT RULES 2021
Information Technology Compliance
Section 43A: Reasonable security practices implemented for sensitive personal data
SPDI Rules 2011: Sensitive personal data (passwords) protected under required standards
Grievance Officer (Rule 3(11)): Designated, contact published, 15-day resolution
Privacy Policy published: Accessible at fraudintel.in/privacy
Terms of Service published: fraudintel.in/terms
RBI CYBER SECURITY FRAMEWORK
For Banks & NBFCs (Third-Party Vendor)
Data localisation: All processing in India-region infrastructure
Encryption in transit: TLS 1.3 on all connections
Encryption at rest: Database encryption via Neon PostgreSQL
Access controls: Role-based access, JWT auth, API key scoping
Vendor risk questionnaire: Available on request for bank procurement teams

Found a vulnerability? We want to know.

We take security reports seriously and commit to responding within 48 hours. We will not take legal action against researchers who responsibly disclose vulnerabilities.

SECURITY CONTACT
security@fraudintel.in
PGP key available on request · 48-hour acknowledgement · We don't ghost researchers
01 · Email security@fraudintel.in
Include: description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept. Encrypted reports preferred.
02 · We acknowledge within 48 hours
You'll receive a confirmation email with a reference number. We'll tell you our assessment timeline and keep you updated throughout.
03 · We fix and notify you
Critical vulnerabilities patched within 72 hours. You'll be notified when the fix is deployed. We'll credit you in our security acknowledgements unless you prefer anonymity.
04 · Public disclosure coordination
We coordinate disclosure timing with you. Our standard window is 90 days from report to public disclosure, or sooner once patched and users protected.
IN SCOPE
fraudintel.in and all subdomains
REST API endpoints (/v1/*, /auth/*, /check-entity)
Authentication bypass or privilege escalation
SQL injection, XSS, CSRF vulnerabilities
Sensitive data exposure or PII leakage
Payment flow vulnerabilities
Rate limiting bypass
OUT OF SCOPE
Social engineering attacks against our team
Physical security attacks
Denial of service attacks
Automated scanning without prior permission
Testing on other users' accounts without consent
Third-party services (Railway, Neon, Razorpay)
We do not currently offer monetary rewards. We offer: public acknowledgement (if desired), responsible disclosure partnership, and our sincere gratitude. Good faith researchers will not face legal action.

What banks and NBFCs ask us.

Does FraudIntel store the entities we query through the API?
Query logs are retained for 180 days as required by CERT-In Directions 2022, associated with your API key — not with any individual user. We log: timestamp, queried entity (anonymised hash), risk result, and your API key ID. We do not log: your customers' names, account numbers, or any PII beyond the query string itself. You can request full deletion of your query history by contacting security@fraudintel.in.
Is FraudIntel compliant with RBI's requirement for vendor risk assessment?
Yes. We provide a completed Vendor Risk Questionnaire (VRQ) on request, aligned to the standard format used by most Indian scheduled commercial banks and RBI-regulated NBFCs. This covers: data handling, security controls, incident response, business continuity, and sub-processor chain. Email enterprise@fraudintel.in to request the VRQ document.
Where exactly is our data processed and stored?
All application processing happens on Railway (AWS ap-southeast-1, Singapore). All data is stored in Neon PostgreSQL (also AWS ap-southeast-1, Singapore). No data is stored in or transmitted to US or EU servers during normal operation. The only exception: AI inference queries (fraud text analysis) are sent to Groq/Gemini in anonymised form — no PII, no user account data. This is disclosed in our privacy policy and can be disabled for enterprise accounts on request.
Can we get a penetration test report?
A formal external penetration test is scheduled for Q3 2026. We will share the executive summary with enterprise clients under NDA once available. In the interim, we provide: our internal security architecture documentation, code review reports, and our current security controls matrix. We are transparent about what we have and what we are working toward — we don't claim certifications we don't have.
How do you handle a data breach involving our customers' data?
Immediately: containment and isolation. Within 6 hours: CERT-In notification (mandatory). Within 12 hours: direct notification to affected enterprise API clients. Within 72 hours: full incident report published. We will provide you with: the nature of data accessed, the scope of affected records, actions taken, and remediation steps. We will also assist you in preparing any notifications to your own regulators (RBI, SEBI, IRDAI) as required by their circulars.
Is FraudIntel ISO 27001 certified?
Not currently. ISO 27001 certification is on our roadmap for 2027 as we scale operations. We are honest about this. What we do have: CERT-In compliance, DPDP Act alignment, RBI framework alignment, bcrypt password hashing, TLS 1.3, rate limiting, JWT authentication, input sanitisation, and 180-day audit logs. We are a lean team building toward enterprise certification — we don't claim certifications we haven't earned yet.
How do we get access to your security documentation for our vendor onboarding?
Email enterprise@fraudintel.in with subject line "Vendor Security Documentation Request". We will provide: completed VRQ, security architecture overview, data flow diagram, CERT-In compliance certificate, and our standard DPA (Data Processing Agreement). Most documentation can be shared within 48 hours. NDA execution available before sharing non-public technical details.

Who to call when it matters.

CERT-IN SECURITY OFFICER & GRIEVANCE OFFICER
Jeh Makwana
Chief Executive Officer, FraudIntel India
Ahmedabad, Gujarat — 380001
Security incidents: 6hr · Grievances: 15 business days
ENTERPRISE & BANK PROCUREMENT
Enterprise Team
Vendor risk questionnaires, DPA execution, security briefings, NDA
Response within 48 hours
VULNERABILITY DISCLOSURE
Security Research
Responsible disclosure, bug reports, penetration testing requests
PGP key available on request
Acknowledgement within 48 hours · No legal action against good-faith researchers