We protect your data so that you can use our services worry-free.
We value your data as if it were ours. All our certifications and licenses, including GSP, were awarded after rigorous scrutiny of our systems and multiple VAPT audits.
Security is the first of our key pillars and is built into the fabric of our applications. We ensure the security of your data and apps so that you can work worry-free on what matters to you.
We use industry best practices to prevent unauthorised access to your data. Your data is encrypted so that only our applications can use it, and only when you allow them to.
We are ISO 27001:2013 and SOC2 Type 2 compliant to instill trust into the hearts of our customers. We are secured with SSL and a certified GSP (GST Suvidha Provider).
Security is built into the fabric of our cloud products, infrastructure, and processes, so you can rest assured that your data is safeguarded.
Keeping our customers' data safe and secure is very important to us. We use various techniques during data transfer so that your data remains hidden from interception.
We ensure the complete and timely processing of your information. Our robust infrastructure is capable of scaling to any number of requests at any given point of time.
Your data is transmitted across SSL certified pathways, which means an encrypted link is created between your browser and our servers every time you connect to us. We are SOC 2 Type 2 compliant.
We monitor our AWS infrastructure on a continuous basis for any attacks. We also release regular security updates to patch any vulnerabilities and to keep up with the latest trends.
At Clear, your data is your data. We don’t share it with any third party and we don’t use it for any other purposes than your own.
Once you enter your data into our system, it is kept in encrypted storage in the cloud. We do not allow any third parties to have access to your data unless you explicitly allow it. At Clear, your data is our responsibility.
No one at Clear can view your data except our applications. We do not view your data unless you explicitly allow it. We also maintain encryption standards so that only our applications can go through your data.
For further details, please refer to our privacy policy and terms of use.
A GST Suvidha Provider (GSP) is considered an authorised intermediary for businesses to access GST portal services. It was awarded after rigorous scrutiny of our systems and multiple VAPT audits.
We were awarded this coveted certification after systematic examination of our information security risks, threats, vulnerabilities, and impacts. We comply with all the latest standards of enterprise information security.
We have successfully completed the SOC 2 Type 2 audit, which defines criteria for process management. We've implemented security, availability, processing integrity, confidentiality & privacy. With Clear, you're secure.
We use Secure Sockets Layer (SSL), the internet-standard security technology used to establish an encrypted link between our servers and your devices. SSL is one of the basic building blocks of our security system.
We have an ISO 27001:2013 certificate (Expiry: 22 July, 2022).
We have a SOC 2 Type 2 audit report dated 8 August, 2021 (audit time frame: July 16, 2020 to Jul 15, 2021).
We have up-to-date VAPT reports for our applications. For some of the critical applications, we perform VAPT at least twice in a calendar year. The open issues are fixed within 30 days and retested by the VAPT vendor.
For the GSP, the VAPT is performed by a CERT-In empanelled vendor: Vendor # 50, Sumasoft, as mentioned here (VAPT performed between 6th July and 13th July; the next test will be performed during the last week of May 2022).
Yes. We have an “Access Control” policy in place, and access is provided to individuals on a “Need to know” basis only after it is approved by the respective manager / BU head.
As we follow the ISO 27001:2013 and SOC 2 Type 2 audit processes, we review the access controls at least on a quarterly basis.
“Disaster Recovery”: We have a policy for DR. Our production systems are deployed in multiple availability zones within the AWS Mumbai region. To handle resiliency, we spin up multiple copies of all our services. The database server also runs as a 2-node cluster which is spun up across 2 availability zones. We perform the secondary-to-primary switch for our database servers at least once in 2 months to test the smooth roll-back of the database servers.
Yes, we have the required BCP process in place. We perform table-top exercises in which all the major stakeholders, such as IT, Support, HR and Engineering, meet, discuss the open points, come up with action items and work on them.
As a testament to this, when the current Covid-19 pandemic struck us, we didn’t have to do anything major to facilitate WFH for all our employees.
Yes. We perform VAPT on a frequent basis for all our products. For some of the important ones, it's done at least twice in a calendar year.
The open issues from the VAPT are fixed and retested by the VAPT vendor within 30 days, and we obtain the retesting report for the fixes done by us.
The timelines for fixing the issues reported in the VAPT report are:
- CRITICAL - 2-4 hours
- HIGH - 24-48 hours
- MEDIUM - 1-2 weeks
- LOW - Before the next VAPT.
Following are some of the areas covered in VAPT:
- Authenticated user testing for session and authentication issues
- Authorization testing for privilege escalation and access control issues
- Input injection tests (SQL injection, XSS, and others)
- Platform configuration and infrastructure tests
- OWASP Top 10 Assessment
Yes. Our applications are tested against the OWASP Top 10 vulnerabilities.
No. The data ingested by the customers belongs to them, and Cleartax, its employees and its partners don’t have access to the customer data.
VPC Flow Logs are enabled in our AWS account, and these logs are in turn ingested into AWS GuardDuty. In case of any anomalies, AWS GuardDuty triggers an alert. This alert is in turn integrated with PagerDuty.
Our on-call engineers get notified on their mobile phones in case of any such incidents.
Our application / load balancer logs are ingested into a log analytics tool, and we get notified of any outliers.
We have a security incident disclosure policy in place. The security researchers reach out to us at security-reports@cleartax.in with their findings.
Whenever a security researcher reports an incident, it gets triaged internally, the teams work on fixing the issues, and the fixes are rolled out to production. We reward such researchers if they report high severity issues.
Yes, we use different environments for testing, demo, preprod, staging and production.
For the lower environments, access is provided to the engineering teams.
For the production environment, nobody except the 5-member DevOps team has access.
Customers’ data is logically segregated in our database. The segregation is done using any of the uniquely identifiable fields, for example: GSTIN, CustomerIds, OrgIds, etc.
We have an authorization service that makes sure that incoming requests are validated against the uniquely identifiable field.
The business logic in the application will fetch data only pertaining to a particular customer and nobody else.
There’s no physical segregation of customer’s data. It will not be possible to create a new database cluster for every single customer / enterprise that we onboard.
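The logical segregation described above, sketched as an added example (not Clear's code): a shared table keyed by a tenant field, an authorization check that validates the requested GSTIN against the caller's organisation, and a query that always filters on that organisation. The table, column and function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants sharing one table (logical segregation).
SCHEMA = """
CREATE TABLE gstins   (gstin TEXT PRIMARY KEY, org_id TEXT NOT NULL);
CREATE TABLE invoices (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL,
                       gstin TEXT NOT NULL, amount INTEGER NOT NULL);
INSERT INTO gstins VALUES ('GSTIN-SAMPLE-A1', 'org-a'), ('GSTIN-SAMPLE-B1', 'org-b');
INSERT INTO invoices (org_id, gstin, amount) VALUES
  ('org-a', 'GSTIN-SAMPLE-A1', 1200),
  ('org-a', 'GSTIN-SAMPLE-A1', 450),
  ('org-b', 'GSTIN-SAMPLE-B1', 9900);
"""

class Forbidden(Exception):
    """Raised when a request names a tenant field the caller does not own."""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def authorize(db, caller_org_id, gstin):
    """Hypothetical authorization step: the requested GSTIN must belong to
    the organisation bound to the caller's authenticated session."""
    row = db.execute("SELECT org_id FROM gstins WHERE gstin = ?", (gstin,)).fetchone()
    # Same error for "unknown" and "someone else's" so existence is not leaked.
    if row is None or row[0] != caller_org_id:
        raise Forbidden("GSTIN not accessible to this organisation")

def list_invoices(db, caller_org_id, gstin):
    """Data access: org_id comes from the session, never from request input,
    and is applied again in the WHERE clause as defence in depth."""
    authorize(db, caller_org_id, gstin)
    rows = db.execute(
        "SELECT amount FROM invoices WHERE org_id = ? AND gstin = ? ORDER BY id",
        (caller_org_id, gstin),
    ).fetchall()
    return [amount for (amount,) in rows]

if __name__ == "__main__":
    db = open_db()
    print(list_invoices(db, "org-a", "GSTIN-SAMPLE-A1"))   # caller's own data
    try:
        list_invoices(db, "org-a", "GSTIN-SAMPLE-B1")      # another tenant's GSTIN
    except Forbidden as exc:
        print("denied:", exc)
```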
Yes. If the customers have a GSuite license, they will be able to enable SSO, and they will in turn be able to enable Multi Factor Authentication (MFA) for their accounts.
No. Cleartax doesn’t support IP white-listing on its infrastructure. It’s the responsibility of the customer to white-list Cleartax’s IP address in their firewall settings.
A lot of our CA / SME customers don’t have a static IP; because of this, it is not possible to whitelist each of our customers’ IPs.
Whenever a new database cluster is created, it goes through a review and verification process to confirm that it is created only in the ap-south-1 region. ap-south-1 refers to the Mumbai region.
We have a declaration provided by our “Cloud Service Provider” (CSP) that they undergo STQC audits and are recognized by the “Ministry of Electronics and Information Technology” (MeitY). As per this declaration, AWS creates the infrastructure in the Mumbai region.
ClearTax uses AWS for hosting its production systems. We use “ap-south-1” (Mumbai region) for spinning up all of our cloud infrastructure.