Issued by the RBI, DPSC defines key security standards for digital payments—ensuring strong governance, risk management, authentication, fraud prevention, and customer protection across all payment channels.

Certificate Copy

[FINAL] TUCIBIL_SU_One Stack Solutions Private Limited _CRA_9th April 2025_v1.0 .pdf

The PCI DSS (Payment Card Industry Data Security Standard ) is a proprietary information security standard administered by the PCI Security Standards Council. We follow PCI DSS standards to implement industry-approved security controls, ensuring all customer card data is protected with the highest level of security.

As an ISO 27001:2022 certified company, we follow industry-best practices and robust security controls to ensure comprehensive information security across all operations.

S1 ONE STACK SOLUTION PRIVATE LIMITED 27001.pdf

ISO 27701:2019 is an international standard that provides guidelines for establishing, implementing, maintaining, and continually improving the PIMS (Privacy Information Management System).

We are ISO 27701:2019 certified, following global best practices to manage and protect personal data through a robust Privacy Information Management System (PIMS).

2024 S2--ONE STACK SOLUTION PRIVATE LIMITED 27001 S2 (1).pdf

S1 ONE STACK SOLUTION PRIVATE LIMITED 9001.pdf

2024 S2--ONE STACK SOLUTION PRIVATE LIMITED 9001 S2.pdf

AWS ISO IEC 20000-1_2018

SOC 2 Type II evaluates our systems against AICPA’s Trust Services Criteria, ensuring robust security, availability, processing integrity, confidentiality, and privacy of customer data.

Certificate Copy

We are fully compliant with CICRA ( Credit Information Companies Regulation Act), 2005, maintaining a secure IT infrastructure to protect credit-related data, with systems audited and approved by a certified CISA professional.

E_Con_Onestack_CIC_IS Audit_Report_SG_v1.0.pdf

The CISA SDK ensures secure, reliable communication between client and server, with confidentiality, integrity, and authenticity validated through an independent secure code review.

All non-financial transactions like balance checks and transaction history are secured with 1FA, accessible via Biometric + Token, Password + Token, or EOTP/TOTP + Token authentication.

Full Trust: All financial transactions like fund transfers and MPIN changes use MFA with SIM Binding (1st factor) + MPIN (2nd factor).

Semi Trust: Sensitive non-financial actions, such as benefit updates and consent management, use MFA with SIM Binding (1st factor) + TOTP/EOTP (2nd factor).

Our mobile app communicates with the backend using ECC encryption with forward secrecy, validating device certificates, checking for VPNs, proxies, rooted devices, and public Wi-Fi to prevent MITM attacks. Time-based MFA codes are synchronized within ±60 seconds to ensure secure authentication.

We secure communication with partner servers via IP whitelisting, public key pinning, and TLS 1.2/1.3 with RSA 4096-bit encryption. Our PCI-DSS v4.0, SOC 2 Type II, ISO 27001:2022, DPSC, and Cert-In certifications ensure industry-leading security for all server and customer data.

We follow the SSDLC methodology, integrating security at every stage of software development to minimize vulnerabilities and protect against cyberattacks.

We use modern, secure open-source frameworks with built-in controls to guard against OWASP Top 10 risks, including SQL Injection, XSS, and CSRF, minimizing system vulnerabilities.

All changes undergo comprehensive QA, including code reviews, vulnerability assessments, and advanced security tests, along with functionality, performance, stability, and UX checks before release.

We conduct annual secure coding training for all developers based on OWASP Top 10 risks, with updates and refresher sessions whenever new security requirements are introduced.

We strictly separate testing, staging, and production environments, ensuring no service data is used during development, safeguarding data integrity and platform security.

We use third-party tools to continuously scan our applications for OWASP Top 10 risks, supported by an in-house security team that collaborates with engineering to promptly resolve any issues.

We regularly scan all libraries and dependencies for vulnerabilities, with our security team promptly addressing issues to maintain a secure and reliable platform for customers.

We ensure platform security through internal testing and third-party penetration tests, proactively identifying and addressing vulnerabilities to deliver a safe and reliable financial experience.

We prioritize customer data protection and welcome security researchers to responsibly disclose vulnerabilities, helping us maintain a secure and private platform for all users.

Your financial data stays protected — stored securely within India under RBI’s data localisation laws. Designed to meet the highest standards of privacy, compliance, and trust.

Our data centers feature multi-layered on-site security with biometric access, 24×7 surveillance, and restricted entry zones. Every physical layer is built to protect critical systems and uphold the highest standards of compliance.

Application data is stored on replicated, resilient storage across primary and secondary data centers, ensuring seamless operations with minimal downtime in case of failure, supported by multiple ISPs.

Our QA team and application security engineers proactively review, test, and address vulnerabilities, ensuring top-quality, secure code and maintaining customer trust in our platform.

We use service clustering, network redundancies, and robust backups to eliminate single points of failure, ensuring high availability with data replicated across multiple zones.

We provide a public system-status page with real-time updates on availability, maintenance, incidents, and security events, keeping customers informed and ensuring a reliable banking experience.

We ensure no human, including our engineers, can access customer data at rest, which is secured with 256-bit AES or RSA encryption, remaining protected even if access controls are compromised.

All customer data transmitted over public networks is protected using TLS 1.2/1.3 with strong ciphers, ensuring secure web, API, app, and email communications. Internal traffic uses TLS 1.3 with AES-128 and ECC-P256, while emails leverage opportunistic TLS to prevent eavesdropping.

Our architecture ensures high availability with multiple security zones, placing sensitive systems in the most trusted zones and using DMZs to securely manage traffic between the Internet and internal systems.

We use trusted technologies to mitigate DDoS attacks, filtering malicious traffic while allowing legitimate access, ensuring our websites and applications remain highly available and performant.

Our Security Team safeguards information, ensures compliance, monitors threats, and responds promptly to incidents, while assessing vendors and continuously enhancing our cybersecurity posture.

Our intrusion detection system monitors host- and network-based signals, logging administrative actions and system calls, while FortiGate firewalls enforce whitelist and blacklist rules to detect and prevent potential security incidents.

Access to our Production Network is restricted on a need-to-know basis, follows least privilege principles, is regularly audited, and requires multi-factor authentication for all authorized employees.

We perform regular network security scans to identify vulnerabilities and misconfigurations in servers, routers, firewalls, and connected devices, proactively enhancing resilience and reducing the risk of breaches and unauthorized access.

We implement layered network defenses using firewalls, regularly monitoring access and reviewing all changes to ensure robust protection against unauthorized access and harmful traffic.

Our SIEM system collects and analyzes logs from critical devices, alerting the Security Team of potential threats. Guided by our Incident Management Policy, we detect, assess, and respond to incidents with defined roles, severity levels, and clear escalation protocols

System alerts are escalated to our round-the-clock Operations, Network, and Security teams, with trained employees ready to handle incidents promptly and effectively.

Each year, external security experts conduct comprehensive penetration tests on our Production and Corporate Networks, complementing our ongoing internal scanning and testing efforts.

We actively participate in threat intelligence programs, monitoring shared threats and taking corrective actions based on identified risks.

We assess and monitor all vendors with system or data access, enforcing security requirements, audits, access controls, and incident response plans to minimize risks and strengthen our cybersecurity.

We ensure smooth and secure server operations through performance monitoring, security management, backups, patching, user access control, capacity planning, troubleshooting, documentation, and compliance auditing.

We use role-based access, assigning permissions based on job functions to ensure users can access only the resources needed, simplifying management and enhancing data protection.

Access to our physical servers is restricted to authorized personnel with security checks and controlled zones. Servers are carefully configured with appropriate hardware, OS, network settings, applications, security measures, backups, and server hardening to ensure safe, reliable, and secure operations.

Network configurations are established for seamless connectivity. Software applications, such as web servers and databases, are installed based on the servers purpose. Security measures, like firewalls and access controls, are implemented to protect against threats. Regular data backups are configured for data safety.

We protect sensitive data through robust server management and advanced security measures, including firewalls, encryption, access controls, DPTM2.0, Secure Boot, FDE, TOTP-based 2FA, logging, and comprehensive incident response and recovery.

All physical hardware is owned by us, with strict procedures for secure delivery, vendor access, maintenance, and key protection, ensuring encryption keys are safeguarded and removed before any device leaves our facility.

We conduct rigorous background checks on prospective employees, including education, employment history, and criminal records, ensuring a trustworthy team committed to integrity and organizational success.

All new hires are required to sign Non-Disclosure and Confidentiality agreements.

We ensure secure onboarding and offboarding with background checks, security training, least-privilege access, 2FA, and secure device distribution. On exit, access is revoked, data is secured, and company property is returned, safeguarding sensitive information.

We uphold strict legal and regulatory compliance through comprehensive policies and a strong code of ethics, promoting integrity, honesty, and fairness to build trust with customers and regulators.

We provide comprehensive POSH training to promote awareness, prevention, and response to sexual harassment, fostering a respectful, inclusive, and safe workplace where employees can thrive.

We provide comprehensive training on company policies—including data security, anti-discrimination, and code of conduct—to ensure employees understand and adhere to ethical standards and regulatory compliance in their daily work.

We maintain detailed audit logs of employee activities to enhance security, ensure regulatory compliance, and promote accountability and ethical behaviour.

We track devices used to access user accounts and notify users when a new device is added, helping them identify and respond to any suspicious activity.

We use DKIM and DMARC to sign outbound emails, preventing email spoofing and ensuring secure, trusted communication.

We provide free TLS encryption for host-mapped Guide help centers, using ECC Organization Validation certificates that are automatically renewed to ensure continuous secure access.

Users can restrict support access to specific IP addresses, enhancing security, while subscribers have flexible access for seamless service, ensuring a safe and trusted support environment.

Banking application allows ATM PIN/MPIN resets through 1FA instead of MFA which makes it comparatively easier to hack. Guidelines are followed by modules owners to ensure the security and application flow in terms of authentication and security.While ATM PIN/MPIN resets use 1FA for convenience, module owners follow strict guidelines to ensure secure application flow and maintain strong authentication standards.

Customer data is securely deleted according to contractual agreements or, if none exist, via automated or manual scripts that perform a full hard delete from our platforms.

We implement RBAC to grant team members access based on job responsibilities and least privilege principles, with timely updates for role changes. Partner data is segmented by sensitivity, ensuring individuals access only the information necessary for their tasks.

Data Segmentation: We ensure that each individual's access is limited to the specific data segments they need to perform their tasks, and they are restricted from accessing data outside their designated area.

We use access and refresh tokens with session timeouts to manage user sessions securely, minimizing the risk of session hijacking.

We use Azure AD for secure single sign-on (SSO) and multi-factor authentication (MFA), combining knowledge, inherence, and possession factors—such as SIM binding, EOTP/TOTP, biometrics, and Face ID. All financial services require MFA with a knowledge factor for access.

We use 2FA via SMS or authenticator apps, requiring two authentication factors to access accounts, enhancing security and protecting sensitive financial information from unauthorized access.

Our products support low, medium, and high password security levels with customizable rules, applied to end users, while only admins can modify these security settings.

A security feature in mobile apps that detects if a device is rooted or jailbroken, helping prevent potential security risks and unauthorized access.

We store passwords using salted, one-way hashes, ensuring confidentiality and protecting against unauthorized access or password extraction.

We detect and block access to the application from VPN connections, ensuring users can only access the app through secure, approved networks.

If debugger settings are enabled on an Android device, the app runs in Secure Mode, protecting against tampering and other unauthorized attacks.

Using location-based trusted zones, the app runs in Secure Mode when outside designated areas, protecting against unauthorized attacks such as injection.

We encrypt sensitive data using RSA-2048 or ECC-256 and apply code obfuscation to secure the app and prevent unauthorized access or reverse engineering.

When accessed over public or unprotected networks, the app runs in Secure Mode, protecting against threats like shoulder peeking and other unauthorized attacks.

We use an inbuilt CISA Secure Keyboard to protect sensitive user information, such as passwords and MPIN, ensuring privacy and security during input.

We offer advanced access and encryption controls, ensuring customer and partner data is used solely for service delivery, maintenance, improvement, or as required by law.

We comply with RBI data localization requirements, ensuring all customer data is securely stored exclusively in India.

Certificates

Each product includes tools to manage user requests under privacy laws, enabling data access, correction, portability, deletion, and objection, ensuring compliance and user control over personal data.

Our Code of Conduct sets clear ethical standards and guidelines for employees, promoting integrity, honesty, and compliance with laws in all business activities.

This policy explains how we collect, use, store, share, and disclose data, ensuring that personal information is never sold or shared with third parties for marketing without explicit consent.

Privacy Policy Links

Detailed information about how and when we use cookies on our websites.

Cookie Policy Links

We handle personal data with explicit consent, using it only for legitimate purposes and sharing with trusted third parties as needed, protected by strong security measures. We also provide secure channels for researchers to report vulnerabilities, helping us promptly strengthen service security.

Responsible Disclosure Policy Link