Security & compliance

Your client data, treated like your firm's reputation.

Indian firms handle sensitive financial and personal data on every engagement. FirmEFlow is built to the standard the profession deserves.

India data residency

All customer data lives in AWS Mumbai (ap-south-1). No data leaves India for storage or routine processing. DPDP Act 2023 compliant.

AES-256 + TLS 1.3

Encryption at rest (AES-256) and in transit (TLS 1.3). Customer-managed keys available for Enterprise.

Daily backups

Automated daily backups with 30-day point-in-time recovery. Geographically replicated within India.

Role-based access control

Granular roles for partners, staff, and external clients. Per-engagement and per-document permission overrides.

Audit trail forever

Every user action — login, view, edit, share, download — logged immutably. Required for ICAI / SEBI audits.

Single-session enforcement

Each user is signed in to one browser session at a time — signing in elsewhere logs out the previous session. Reduces credential-sharing and stale sessions.

DPDP Act 2023

Indian Digital Personal Data Protection Act compliant: consent management, data principal rights, breach notification.

SOC 2 + ISO 27001

SOC 2 Type 1 audit in progress. ISO 27001 controls implemented. Reports available to Enterprise customers under NDA.

GDPR ready

For firms serving overseas clients: subject access requests, right to erasure, EU data processing addendum on request.

Vulnerability disclosure

Reach our security team at security@firmeflow.com. We respond within 24 hours and credit responsible reporters.

Encrypted credential vault

DSC passwords and Income Tax / GST / MCA portal logins are encrypted at rest with per-tenant keys. Visible only to authorised firm staff.

Penetration testing

Annual third-party penetration testing. Critical findings remediated within 30 days; reports shared with Enterprise customers.

DPA + sub-processors

Standard Data Processing Agreement available. Up-to-date sub-processor list maintained at /legal/sub-processors.

Security contacts

Report a vulnerability, request a DPA, or ask about our security program: