Compliance work means we hold PAN and Aadhaar numbers, GST portal credentials and signed certificates for thousands of businesses. The standards below are how we make that defensible.
The four pillars
What independent auditors check — and what we publish ourselves
ISO/IEC 27001:2022 certified
Audited annually by a UKAS-accredited body. Statement of Applicability covers customer data, government-portal credentials, signed-document storage, and our internal SDLC.
India DPDP Act, 2023 compliant
Lawful basis declared for every processing purpose. Consent receipts stored. DPO appointed and contactable at dpo@filinglab.com. Cross-border transfer assessment completed for our payment and email vendors.
Quarterly third-party VAPT
External penetration tests every quarter against the customer dashboard, admin console, and government-filing connectors. Critical and high findings fixed within 7 days; report summary available under NDA.
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit. Customer documents sit in encrypted object storage using envelope encryption (per-document data keys wrapped by a KMS key-encryption key), with keys rotated every 90 days. Database backups are encrypted with separate KMS keys.
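As an added illustration of the envelope-encryption pattern this pillar describes (example code written for this page, not FilingLab's own implementation): a per-document data key (DEK) encrypts the document, a KMS key-encryption key (KEK) wraps the DEK, and a 90-day rotation only re-wraps the DEK. The in-memory `KMS` map, the `Sealed` layout and the key IDs are assumptions for the demo; a real deployment calls the cloud KMS and never holds KEK bytes in application memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Sealed is the stored form of one document: ciphertext under a per-document
// data-encryption key (DEK) plus that DEK wrapped under a named KEK.
type Sealed struct {
	KEKID      string // KMS key that currently wraps the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), AAD = KEKID
	Ciphertext []byte // nonce || AES-256-GCM(DEK, document)
}

// KMS stands in for the real key service (an assumption for this demo):
// KEK ID -> 32-byte key. A missing ID yields nil, which aes.NewCipher rejects.
type KMS map[string][]byte

func newKey() ([]byte, error) {
	k := make([]byte, 32) // 256-bit key
	_, err := rand.Read(k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any tampering with nonce, ciphertext or AAD fails here.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

// Encrypt: fresh DEK per document, document under the DEK, DEK under the KEK.
// The KEK ID is bound as AAD so a wrapped DEK cannot be relabelled to another key.
func Encrypt(kms KMS, kekID string, doc []byte) (*Sealed, error) {
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, doc, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kms[kekID], dek, []byte(kekID))
	if err != nil {
		return nil, fmt.Errorf("wrap under KEK %q: %w", kekID, err)
	}
	return &Sealed{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func Decrypt(kms KMS, s *Sealed) ([]byte, error) {
	dek, err := open(kms[s.KEKID], s.WrappedDEK, []byte(s.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap under KEK %q: %w", s.KEKID, err)
	}
	return open(dek, s.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK. The document ciphertext is not
// touched, so a 90-day rotation is one small KMS call per object, not a
// re-encryption of every stored document.
func RotateKEK(kms KMS, s *Sealed, newKEKID string) error {
	dek, err := open(kms[s.KEKID], s.WrappedDEK, []byte(s.KEKID))
	if err != nil {
		return fmt.Errorf("unwrap under KEK %q: %w", s.KEKID, err)
	}
	wrapped, err := seal(kms[newKEKID], dek, []byte(newKEKID))
	if err != nil {
		return fmt.Errorf("wrap under KEK %q: %w", newKEKID, err)
	}
	s.KEKID, s.WrappedDEK = newKEKID, wrapped
	return nil
}
```

Rotation leaves `Sealed.Ciphertext` byte-for-byte unchanged and replaces only `WrappedDEK` and `KEKID`, which is what makes a 90-day cadence affordable across thousands of stored documents. Binding the KEK ID as associated data means a wrapped key cannot be quietly re-attributed to a different KEK, and because a missing KEK ID resolves to a nil key that `aes.NewCipher` rejects, every path fails closed rather than silently producing unusable output.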
Your data stays in India. Always.
Customer KYC, signed certificates, government-portal credentials and audit logs are processed and stored in CERT-In compliant Indian data centres (Mumbai primary, Hyderabad DR). No replication, analytics export or backup outside the country.
Primary region
Mumbai (BOM-1)
DR region
Hyderabad (HYD-1)
Cross-border data
None for KYC, certificates, credentials and logs (the payment and email vendors are covered by the DPDP transfer assessment above)
Backup retention
35 days, encrypted
Controls in detail
The boring details auditors actually look for
Access control
SSO / MFA mandatory for all CAs and staff (Google Workspace + WebAuthn)
Role-based access — view, edit, file scoped per service line
Just-in-time elevation for production data, audit-logged
Quarterly access review — over-permissioned roles auto-flagged
Data handling
Customer KYC stored in CERT-In compliant data centres in Mumbai, replicated only to the Hyderabad DR region
No data resold or shared with third parties for marketing
Right to download, correct or delete on request — 30-day SLA
Document retention follows MCA / Income-tax statutory minimums
Government portal credentials
GSTN / MCA / Income-tax credentials stored encrypted, never displayed in plaintext
Filing actions are logged with operator, timestamp and source IP
DSC (digital signature certificate) tokens never leave the staff endpoint — remote signing is not used for sensitive forms
Customers can revoke any portal access from the dashboard
Operations
Production change management with peer review and rollback plan
24×7 monitoring — failed-login alerting, anomaly detection on filing volume
Incident response runbook tested twice a year — named on-call rota
Annual disaster-recovery drill — RTO 4h, RPO 1h on customer data
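The two alerts named under Operations, failed-login alerting and anomaly detection on filing volume, both run over the fields the filing log records (operator, timestamp, source IP). The following is an added example written for this page, not FilingLab's monitoring code: it parses constructed sample log lines in an assumed key=value layout and applies one sliding-window burst detector to both cases. The thresholds (five failed logins in five minutes, more than five filings in ten minutes) are illustrative, not the values in production.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one audit-log line: operator, timestamp and source IP, plus the action and its outcome.
type Event struct {
	TS       time.Time
	Operator string
	SrcIP    string
	Action   string // "login" or "file"
	Result   string // "ok" or "fail"
}

// Parse reads lines of "<RFC3339 ts> op=<operator> ip=<addr> action=<a> result=<r>"
// (an assumed layout for this example, not the vendor's real log format).
func Parse(log string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("want 5 fields: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		ev := Event{TS: ts}
		dst := map[string]*string{"op": &ev.Operator, "ip": &ev.SrcIP, "action": &ev.Action, "result": &ev.Result}
		for _, kv := range f[1:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok || dst[k] == nil {
				return nil, fmt.Errorf("bad field %q in %q", kv, line)
			}
			*dst[k] = v
		}
		evs = append(evs, ev)
	}
	return evs, nil
}

// bursts returns every key with at least threshold selected events inside some
// span shorter than window: sort per key, then slide a window over the times,
// so out-of-order log delivery cannot hide a burst.
func bursts(evs []Event, key func(Event) (string, bool), threshold int, window time.Duration) []string {
	byKey := map[string][]time.Time{}
	for _, ev := range evs {
		if k, ok := key(ev); ok {
			byKey[k] = append(byKey[k], ev.TS)
		}
	}
	var hits []string
	for k, ts := range byKey {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		for i, j := 0, 0; j < len(ts); j++ {
			for ts[j].Sub(ts[i]) >= window {
				i++ // evict events that fell out of the window
			}
			if j-i+1 >= threshold {
				hits = append(hits, k)
				break
			}
		}
	}
	sort.Strings(hits) // deterministic alert order
	return hits
}

// FailedLoginBursts: source IPs with >= threshold failed logins inside window.
func FailedLoginBursts(evs []Event, threshold int, window time.Duration) []string {
	return bursts(evs, func(e Event) (string, bool) { return e.SrcIP, e.Action == "login" && e.Result == "fail" }, threshold, window)
}

// FilingVolumeAnomalies: operators with more than maxPerWindow successful filings inside window.
func FilingVolumeAnomalies(evs []Event, maxPerWindow int, window time.Duration) []string {
	return bursts(evs, func(e Event) (string, bool) { return e.Operator, e.Action == "file" && e.Result == "ok" }, maxPerWindow+1, window)
}

// sampleLog is constructed test data, not output from any real system.
const sampleLog = `
2024-05-02T08:59:00Z op=asha ip=10.0.0.4 action=login result=fail
2024-05-02T09:00:00Z op=asha ip=10.0.0.4 action=login result=ok
2024-05-02T09:05:00Z op=asha ip=10.0.0.4 action=file result=ok
2024-05-02T11:00:00Z op=- ip=203.0.113.9 action=login result=fail
2024-05-02T11:00:20Z op=- ip=203.0.113.9 action=login result=fail
2024-05-02T11:00:45Z op=- ip=203.0.113.9 action=login result=fail
2024-05-02T11:01:10Z op=- ip=203.0.113.9 action=login result=fail
2024-05-02T11:01:30Z op=- ip=203.0.113.9 action=login result=fail
2024-05-02T13:00:00Z op=ravi ip=10.0.0.7 action=login result=ok
2024-05-02T13:01:00Z op=ravi ip=10.0.0.7 action=file result=ok
2024-05-02T13:02:00Z op=ravi ip=10.0.0.7 action=file result=ok
2024-05-02T13:03:00Z op=ravi ip=10.0.0.7 action=file result=ok
2024-05-02T13:04:00Z op=ravi ip=10.0.0.7 action=file result=ok
2024-05-02T13:05:00Z op=ravi ip=10.0.0.7 action=file result=ok
2024-05-02T13:06:00Z op=ravi ip=10.0.0.7 action=file result=ok
`
```

Running `FailedLoginBursts(evs, 5, 5*time.Minute)` over the sample flags only `203.0.113.9` (five failures in ninety seconds; asha's single failure stays below threshold), and `FilingVolumeAnomalies(evs, 5, 10*time.Minute)` flags only `ravi` (six filings in five minutes). Keying failed logins by source IP rather than by operator is deliberate: credential-stuffing traffic usually carries no valid operator name at all, which is why the sample records it as `op=-`.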
Found something? We pay.
Found a vulnerability? Email security@filinglab.com with steps to reproduce. We acknowledge within 24 hours and award up to ₹2,00,000 for high-severity issues. Out-of-scope items and rules of engagement are in our security.txt (/.well-known/security.txt, per RFC 9116).
ISO 27001:2022
DPDP-compliant
CERT-In aligned
India-only data