
Security at splitt.

How we encrypt, authenticate, host, audit, and respond — written for humans who actually want to know what we do with your data, not just the checkboxes.

Effective: 15 April 2026
Audit: SOC 2 Type II · Q1 2026
Data residency: AWS Mumbai (ap-south-1)
CERT-In registered

01 · Principles

How we think about it.

  1. Least data. Don't collect what we don't need. If a feature can run on-device, it does.
  2. Least access. Inside splitt, the smallest group of people who can do the job has the access. Default for engineers is anonymized aggregates.
  3. Encrypt by default. In flight, at rest, in backups. Receipts and contacts get a second layer with keys you control.
  4. Defaults that don't surprise. Privacy features are on by default. You don't have to "harden" your account.
02 · Encryption

The crypto.

In transit
TLS 1.3 with strong cipher suites. HSTS preload, no fallback to TLS 1.1/1.0. Certificate pinning in the mobile apps.
At rest
AES-256 (GCM) for database volumes; AWS KMS-managed keys with rotation every 90 days.
Backups
Same as at-rest, plus an additional layer using customer-managed keys. Backups live in a separate AWS account.
Receipts
Uploaded over TLS; encrypted at rest; deleted from object storage after 30 days. The OCR pipeline operates on encrypted segments and never persists the raw image.
Contacts
Hashed (SHA-256 with per-user salt) before they leave your device. We never see your phonebook in the clear.
Local device
App database protected by iOS Data Protection (Class A) or Android Keystore-backed encryption. Biometric lock available for the whole app.
03 · Authentication

Who you are, proven safely.

  • Sign-in is via phone number + OTP. We don't use passwords; there's nothing to leak in a credential dump.
  • OTPs are 6 digits, expire in 5 minutes, single-use, and rate-limited per number and per IP.
  • Sessions are bound to the device. A stolen access token cannot be replayed from a different device.
  • Biometric (Face ID / Touch ID / Android biometric) protects the app launch. Optional, recommended, on by default for new installs.
  • Account changes (e.g. changing phone number) require a fresh OTP plus a 24-hour cooldown.
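As an added illustration (not splitt's code), the OTP rules above as a small server-side verifier: 6-digit codes, 5-minute expiry, single use, constant-time comparison, and sliding-window rate limits per phone number and per client IP. The limit values, the window length, and the fact that issuing and verifying share one counter are assumptions, not stated on the page.

```python
import hmac
import secrets
import time
from collections import defaultdict

OTP_DIGITS = 6          # page: 6-digit codes
OTP_TTL_SECONDS = 300   # page: codes expire after 5 minutes
WINDOW_SECONDS = 600    # assumed: sliding window for the rate limits
MAX_PER_NUMBER = 5      # assumed: issue+verify operations per number per window
MAX_PER_IP = 10         # assumed: issue+verify operations per client IP per window

class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock               # injectable so expiry can be tested
        self._pending = {}                # number -> (code, issued_at)
        self._events = defaultdict(list)  # rate-limit key -> event timestamps

    def _limited(self, number, ip):
        """Sliding-window counters; both keys are checked on every call."""
        now = self._clock()
        hit = False
        for key, limit in ((("number", number), MAX_PER_NUMBER), (("ip", ip), MAX_PER_IP)):
            recent = [t for t in self._events[key] if now - t < WINDOW_SECONDS]
            self._events[key] = recent
            if len(recent) >= limit:
                hit = True
            else:
                recent.append(now)
        return hit

    def issue(self, number, ip):
        """Create a fresh code for the number; None when rate-limited."""
        if self._limited(number, ip):
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[number] = (code, self._clock())  # replaces any older code
        return code  # a real service hands this to the SMS gateway, not the caller

    def verify(self, number, ip, code):
        """True only for the current, unexpired code; success consumes it."""
        if self._limited(number, ip):
            return False
        stored, issued_at = self._pending.get(number, ("", 0.0))
        if not stored or self._clock() - issued_at > OTP_TTL_SECONDS:
            self._pending.pop(number, None)  # missing or expired code
            return False
        if not hmac.compare_digest(stored.encode(), code.encode()):  # constant-time
            return False
        del self._pending[number]            # single-use
        return True
```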
04 · Hosting

Where your data lives.

  • Primary infrastructure: AWS Mumbai (ap-south-1). All personal data and split data lives in India.
  • Disaster-recovery copy in AWS Hyderabad (ap-south-2). No data leaves Indian jurisdiction.
  • Production is isolated in its own AWS account; engineers do not have shell access to production hosts. All deployments are immutable container images, signed and verified at boot.
  • Network: private VPCs, no public ingress except through a hardened API gateway. WAF in front; DDoS protection via AWS Shield Standard.
05 · UPI integration

What splitt does not handle.

splitt never sees your bank account number, debit card, credit card, or UPI PIN. UPI payments are coordinated via deep links that hand off to your UPI app — your bank app does the actual debit. The only thing that comes back to us is the UTR (transaction reference) so we can mark a split settled.

Our UPI integration follows the NPCI UPI Switch Vendor guidelines and the RBI Master Direction on Information Technology Framework for NBFCs (applied as best practice though we are not an NBFC).

06 · Internal access

Who at splitt sees what.

Role        | Default access                                              | How escalation works
Engineer    | Anonymized aggregates only                                  | Just-in-time, time-boxed access, with on-call peer approval and audit log
Support     | Account metadata, ticket history                            | Cannot read split contents without a user-issued temporary token
SRE on-call | Production system telemetry, no PII payload                 | Break-glass access requires 2-person approval; auto-expires in 4 hours
Legal       | Only what's needed to respond to a specific lawful request  | Approved by the DPO; logged

Every access is logged in a tamper-evident audit trail (write-once S3 + CloudTrail). The audit log is reviewed monthly by the DPO.

07 · Audits

Outside eyes.

  • SOC 2 Type II · audited annually by a Big-4 firm. Latest report Q1 2026; available under NDA to enterprise customers.
  • Penetration tests · twice a year by a CERT-In empanelled firm. Critical/high findings remediated before the report is finalized.
  • DPDP Act compliance audit · annual, by an independent consultant.
  • Dependency scanning · Snyk + GitHub Dependabot. Critical CVEs patched within 7 days, others within 30.
08 · Incidents

If something goes wrong.

  1. Detect. Anomaly detection on auth, infra, and database access fires 24/7 alerts to on-call SRE and security.
  2. Triage. Within 1 hour we triage and decide containment. A war-room channel is opened with engineering, legal, and the DPO.
  3. Contain & remediate. Isolate affected systems; rotate keys; patch the underlying cause.
  4. Notify. If user data was or could have been accessed, we notify affected users within 72 hours of confirmation and CERT-In within 6 hours of detection, as required by the CERT-In direction of 28 April 2022.
  5. Post-mortem. A blameless post-mortem is published internally within 14 days. The summary, including what we changed, is shared with affected users.
09 · Bug bounty

Find a hole, get paid.

We run a private bug-bounty program on HackerOne. Rewards scale with impact:

Severity | Reward (INR)        | Examples
Critical | up to ₹1,20,000     | RCE, full account takeover at scale, unauthorized fund movement
High     | ₹15,000 – ₹45,000   | Stored XSS in app shell, sensitive data exposure across users
Medium   | ₹5,000 – ₹12,000    | IDOR with limited scope, CSRF on sensitive endpoints
Low      | ₹1,000 – ₹3,000     | Information disclosure, missing security headers with real impact

To request access, write to security@splitt.app with a short note on what you'd like to test.

10 · Contact

Talk to security.

Report a vulnerability
security@splitt.app · PGP key on the website
Compliance enquiries
compliance@splitt.app
Data Protection Officer
Mehak Pillai · dpo@splitt.app
CERT-In escalation
Filed via cert-in.org.in · we are a registered reporter