Security & Compliance
Security policies, compliance requirements, and data protection measures for the Wealthy platform
This section covers the comprehensive security and compliance framework for the Wealthy platform, including policies, procedures, and regulatory requirements.
Overview
The Wealthy platform implements a multi-layered security approach covering:
- Security Policies - Organization-wide and platform-specific security procedures
- Authentication & Authorization - User access control and API security
- Data Protection - PII handling, encryption, and privacy controls
- Security Assessment - Vulnerability management and security testing
- Anti-Fraud Measures - Fraud detection and prevention systems
- Regulatory Compliance - Industry standards and statutory requirements
Security Framework
Our security framework is built on industry best practices and regulatory requirements:
Core Principles
- Zero Trust Architecture - Never trust, always verify
- Defense in Depth - Multiple layers of security controls
- Least Privilege Access - Minimum required permissions
- Continuous Monitoring - Real-time security assessment
- Incident Response - Rapid detection and response capabilities
Compliance Standards
- SEBI Guidelines - Securities and Exchange Board of India regulations
- NSE Guidelines - National Stock Exchange regulations
Quick Navigation
Security Policy Documents
Our comprehensive security framework is documented through formal policies organized by domain:
General Security Policies
Network Security Policies
Server Security Policies
Web Application Security Policies
Circulars & Audit Documents
📁 Security Circulars & Audit Reports
This Google Drive folder contains all regulatory circulars, security audit reports, ISNP audit documentation, and related compliance documents including:
- Regulatory Circulars - Latest SEBI, RBI, and other regulatory circulars
- Security Audit Reports - External security assessment and VAPT reports
- ISNP Audit Documentation - Indian Software Products Industry Round Table audit materials
- Compliance Reports - Regulatory compliance and assessment reports
- Internal Audit Reports - Internal security and compliance audit findings
- Remediation Documentation - Action plans and remediation status reports
Encryption and Hashing Implementation
Password and PIN Security
- Hashing Implementation: All user passwords and PINs are hashed using industry-standard algorithms
- No Plain Text Storage: Passwords and PINs are never stored directly in the database
- Salt Implementation: Unique salts used for each password/PIN to prevent rainbow table attacks
- Hash Verification: Authentication performed by comparing hashed values
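As an added illustration of the salted-hash approach described above (example code, not the platform's own implementation): the page does not name the algorithm, so PBKDF2-HMAC-SHA256 with 200,000 iterations and a 16-byte random salt is assumed here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (the page names no specific KDF or cost factor).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_credential(secret: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted hash for a password or PIN; only salt and hash are stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per credential, never reused
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_credential(secret: str, record: dict) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), salt, record["iterations"]
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def same_pin_different_hashes(pin: str) -> bool:
    """Two users with the same PIN get different stored hashes because each has
    its own salt; this is what defeats precomputed (rainbow) tables."""
    a = hash_credential(pin)
    b = hash_credential(pin)
    return a["hash"] != b["hash"] and a["salt"] != b["salt"]


if __name__ == "__main__":
    record = hash_credential("1234")  # constructed sample PIN
    print(verify_credential("1234", record))  # True
    print(verify_credential("4321", record))  # False
    print(same_pin_different_hashes("1234"))  # True
```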
Communication Encryption
Internal Service Communication
- VPC Network Encryption: All internal services communicate within an encrypted VPC network
- Network Isolation: VPC provides network-level isolation and encryption for internal traffic
External Traffic Encryption
- SSL/TLS: All external traffic encrypted using SSL/TLS protocols
- HTTPS Enforcement: All web and API traffic requires HTTPS
- Certificate Management: Cloudflare SSL certificates managed and automatically renewed
- End-to-End Encryption: External communication encrypted from client to server
Secret and Key Management
- AWS Secrets Manager Integration: All sensitive keys and secrets stored encrypted in AWS Secrets Manager
- Runtime Key Retrieval: Keys retrieved securely during pod initialization
- No Hardcoded Secrets: No secrets or keys stored in code or configuration files
- Key Rotation: Keys rotated on an as-needed basis
Data Encryption
- Database Encryption: All database data encrypted at rest
- File Storage Encryption: All stored files and documents encrypted in S3
Encryption Standards
- AES-256: Industry-standard encryption for data at rest
- RSA: Public key cryptography for key exchange and digital signatures
- TLS 1.3: Latest TLS standard for transport encryption
- SHA-256: Secure hashing algorithm for password hashing and data integrity
Data Protection
The Wealthy platform implements comprehensive data protection measures to ensure the confidentiality, integrity, and availability of customer and business data. Our data protection framework includes data classification (Public, Internal, Confidential, Restricted), with PII handling procedures for customer identity information, contact details, financial data, and transaction records. All sensitive data is encrypted at rest using AES-256 encryption. Data subject rights are supported, including the right to access, rectification, and data portability. The right to erasure is implemented subject to regulatory requirements: users can delete their profile, but data is retained for 6 months as per regulatory obligations.
VAPT
Yearly external VAPT (Vulnerability Assessment and Penetration Testing) is conducted by certified third-party providers following comprehensive methodologies including OWASP, NIST, and PTES frameworks. All security assessments are documented with detailed remediation plans and progress tracking.
VAPT Reports & Documentation
📁 VAPT Assessment Reports
This Google Drive folder contains all VAPT reports, vulnerability assessments, penetration testing results, and remediation documentation from certified security providers.
Anti-Fraud Measures
The platform implements a comprehensive multi-layer fraud detection and prevention system covering authentication controls, transaction security, and technical protection measures.
Anti-Rogue Controls
Authentication Security
- OTP Rate Limiting: Strict controls on the number of OTPs issued to prevent abuse and automated attacks
- 2FA at Critical Operations: Multi-factor authentication required for all sensitive operations and transactions
- Transaction Authentication: Additional OTP/PIN verification for specific transactions (SIP, Mandate, etc.) based on use case
- Device Binding: Trusted device registration and biometric authentication for subsequent mobile access
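An added example of the OTP rate limiting listed above (illustrative code, not the platform's own implementation): a sliding-window limiter keyed by the identifier the OTP is sent to. The limits (5 OTPs per hour, 30 seconds between sends) are assumed values; the page states none.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Assumed policy values (the page gives no numbers).
MAX_PER_WINDOW = 5
WINDOW_SECONDS = 3600
MIN_INTERVAL_SECONDS = 30


class OtpRateLimiter:
    """Sliding-window limiter keyed by the OTP recipient (phone number or email).
    check_and_record returns (allowed, reason) so denials can be logged and
    alerted on without the requester learning the exact threshold."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable for deterministic replay
        self._sends: Dict[str, Deque[float]] = defaultdict(deque)

    def check_and_record(self, identifier: str) -> Tuple[bool, Optional[str]]:
        now = self._clock()
        sends = self._sends[identifier]
        # Expire sends that have fallen out of the window.
        while sends and now - sends[0] >= WINDOW_SECONDS:
            sends.popleft()
        if sends and now - sends[-1] < MIN_INTERVAL_SECONDS:
            return False, "cooldown"  # too soon after the previous OTP
        if len(sends) >= MAX_PER_WINDOW:
            return False, "window_limit"  # hourly cap reached
        sends.append(now)
        return True, None


def simulate(requests):
    """Replay constructed (timestamp, identifier) requests; return one decision each."""
    now = [0.0]
    limiter = OtpRateLimiter(clock=lambda: now[0])
    decisions = []
    for ts, ident in requests:
        now[0] = float(ts)
        decisions.append(limiter.check_and_record(ident)[1] or "allowed")
    return decisions


if __name__ == "__main__":
    # Constructed burst: one identifier hammered every 31 s, another unaffected.
    burst = [(i * 31, "user-a") for i in range(7)] + [(186, "user-b")]
    print(simulate(burst))
```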
Transaction Controls
- KYC Gating: Transactions are permitted only after KYC verification, so that only verified users can transact
- Real-time Position Monitoring: Continuous monitoring of trading positions and activities
- Automated Trading Limits: Enforcement of pre-defined trading limits with immediate alerts
- Kill Switches: Immediate halt capabilities for suspicious or unauthorized trading activities
Behavioral Analytics
Note: not yet implemented, but planned.
- AI/ML Models: Machine learning algorithms for pattern recognition and anomaly detection (planned implementation)
- Velocity Checks: Rule-based systems monitoring transaction frequency and amounts
- Geographic Anomaly Detection: Location-based fraud detection and blocking
- Device Intelligence: Analysis of device fingerprinting and behavior patterns
Anti-Defacement Protection
Gateway Security
- Cloudflare DDoS Protection: Enterprise-grade DDoS protection and traffic filtering
- Bot Detection and Mitigation: Automated detection and blocking of malicious bots
- AI Scraper Protection: Advanced protection against automated scraping attempts
- Request Validation: Initial security checks and request filtering at edge
Access Controls
- Rate Limiting: API and gateway-level rate limiting based on user type and endpoint
- Geo-blocking: Geographic access restrictions for sensitive operations
- IP Whitelisting: Restricted access from approved IP addresses for specific services
- CORS Policy: Cross-origin request restrictions and validation
Monitoring and Response
Fraud Monitoring
- Real-time Alerts: Immediate notifications for suspicious activities via Slack integration
- Investigation Process: Comprehensive fraud incident investigation and recovery procedures
- Escalation Matrix: Defined escalation paths to security operations team and CTO
Regulatory Compliance
Wealthy operates under SEBI (Securities and Exchange Board of India) and NSE (National Stock Exchange) guidelines and regulations. Our compliance framework includes Investment Adviser Registration, adherence to SEBI’s code of conduct, comprehensive disclosure requirements for material information and conflicts of interest, and implementation of investor protection measures. We maintain AMFI (Association of Mutual Funds in India) registration for mutual fund operations with NISM-certified personnel. Compliance monitoring includes automated compliance checking, real-time alerting for violations, regular internal audits, and comprehensive regulatory reporting. We conduct quarterly compliance reviews, maintain detailed audit trails for all activities, and ensure staff training on all relevant regulations and compliance requirements.
For security-related inquiries or to report security issues:
For CERT-In compliance and incident reporting, see CERT-In Compliance