Security at FlashBooks

FlashBooks handles sensitive financial data — GST invoices, payment records, customer information, and bank details. We treat the security of this data as our most critical responsibility. Our security practices are designed to meet and exceed the requirements of Indian data protection regulations.

Encryption at Rest

All data stored in our databases is encrypted using AES-256 encryption, the same standard used by banks and financial institutions. This includes your invoices, contact details, payment records, and financial reports.

Encryption in Transit

Every connection between your browser and FlashBooks servers is encrypted using TLS 1.3. All API calls, file uploads, and data transfers are secured end-to-end.

Encryption Key Management

Encryption keys are managed through secure key management services with automatic rotation. Keys are never stored alongside the data they protect.

All FlashBooks data is stored exclusively in Indian data centres. Your invoices, customer data, financial records, and account information never leave Indian soil. This ensures compliance with data localisation expectations under Indian law and gives you confidence that your data is subject to Indian jurisdiction.

• Passwordless Authentication: FlashBooks uses OTP-based authentication via email and SMS. No passwords are stored in our systems, eliminating the risk of password theft, brute-force attacks, and credential stuffing.
• Google OAuth: Secure sign-in via Google OAuth as an alternative authentication method, leveraging Google's enterprise-grade security infrastructure.
• Session Management: Sessions automatically expire after seven (7) days. Each session is tied to a unique token that cannot be reused or transferred.
• Role-Based Access Control (RBAC): Within each organisation, access is controlled through three defined roles — Owner, Admin, and User — with specific permission boundaries. Owners control who can access their financial data.

Each organisation's data is logically isolated at the database level. Users with access to multiple organisations can switch between them, but data cannot be merged or accessed across organisation boundaries. Team members only see the data they are authorised to access based on their assigned role.

• Continuous monitoring of infrastructure and application logs for suspicious activity.
• Automated alerts for unusual access patterns, failed authentication attempts, and potential security threats.
• Structured incident response procedures with defined escalation paths.
• Regular security assessments and vulnerability testing.

FlashBooks is designed to comply with the following Indian regulations:

• Information Technology Act, 2000 — Compliance with Section 43A for reasonable security practices and procedures for handling sensitive personal data.
• IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — SPDI handling with heightened security measures including encryption, access controls, and audit logging.
• Digital Personal Data Protection Act, 2023 (DPDPA) — Full compliance as Data Fiduciary including consent management, data principal rights, and breach notification obligations.
• Consumer Protection Act, 2019 — Transparent practices, fair terms, and grievance redressal mechanisms.
• GST Act, 2017 — Compliant record keeping supporting the mandated seventy-two (72) month retention period for financial records.

In the unlikely event of a data breach, FlashBooks will:

• Notify the Data Protection Board of India as required under the Digital Personal Data Protection Act, 2023.
• Notify all affected users within seventy-two (72) hours via email and in-app notification.
• Provide details of the breach, affected data, and recommended protective actions.
• Take immediate steps to contain, investigate, and remediate the breach.
• Maintain detailed records of the incident and all remedial actions taken.

If you discover a potential security vulnerability or have a security concern, please report it immediately to support@flashbooks.in. We take all security reports seriously and will investigate promptly.