Security Policy

Covering information security governance, controls, incident response, and data protection.

Samidha FinTech Private Limited · CIN U62010MR2026PTC474997 · Last updated: June 2026

1. Introduction and Commitment

Samidha FinTech Private Limited ('SAMIDHA') is committed to maintaining the confidentiality, integrity, and availability of all information assets processed through the Platform. This Security Policy establishes the governance framework, technical controls, and operational procedures implemented by SAMIDHA to protect personal data, financial transactions, and Platform infrastructure.

This Policy is consistent with SAMIDHA's obligations under the IT Act, 2000, the SPDI Rules, 2011, the DPDP Act, 2023, RBI guidelines applicable to digital payment ecosystems, and PCI DSS principles applicable to payment data environments.

2. Information Security Governance

  • A designated information security function with defined responsibilities.
  • An Information Security Management System (ISMS) aligned to ISO/IEC 27001 principles.
  • Security policies and standards reviewed at least annually.
  • Risk assessments conducted for new services, significant changes, and periodically.
  • Board-level accountability for information security through the Company's directors.

3. Access Control and Identity Management

3.1 Principle of Least Privilege. Access to Platform systems, databases, and administrative functions is granted on the basis of least privilege — users and systems are given only the rights necessary to perform their assigned functions.

3.2 Role-Based Access Controls. SAMIDHA implements role-based access controls (RBAC) with defined roles: platform administrators, NGO managers, support staff, and audit-only roles. Access rights are reviewed at least every six (6) months.

3.3 Authentication Controls:

  • Password complexity requirements and mandatory periodic rotation.
  • Multi-factor authentication (MFA) for administrative and privileged access.
  • Account lockout after repeated failed login attempts.
  • Session timeout controls for inactive sessions.

4. Encryption Standards

4.1 Data in Transit. All data transmitted between users' browsers and the Platform is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. Valid SSL/TLS certificates are maintained from recognised certificate authorities.

4.2 Data at Rest. Sensitive personal data including PAN, financial records, and identity documents stored in SAMIDHA's systems is encrypted at rest using AES-256 or equivalent encryption standards.

4.3 Payment Data. Payment instrument data is processed exclusively through 1Pay's PCI DSS-compliant infrastructure. SAMIDHA does not retain card numbers, CVV codes, or payment authentication data. All communication with 1Pay uses encrypted, authenticated channels.

5. Secure Payment Processing

  • Exclusive reliance on 1Pay (RBI-authorised payment aggregator) for all payment transactions.
  • No storage of full card numbers, CVV/CVC, or payment authentication credentials on SAMIDHA servers.
  • PCI DSS SAQ alignment for the Platform's scope of payment handling.
  • Tokenisation of payment references to prevent exposure of sensitive payment data.
  • Regular review of 1Pay's security certifications and compliance status.

6. Vulnerability Management

6.1 Vulnerability Assessments. SAMIDHA conducts periodic vulnerability assessments of the Platform and supporting infrastructure. Critical and high-severity vulnerabilities are remediated on a priority basis.

6.2 Penetration Testing. Independent security professionals conduct penetration testing at least annually and following significant system changes.

6.3 Patch Management. Security patches are applied on a risk-based schedule. Critical patches are applied within seventy-two (72) hours of release.

7. Vendor and Third-Party Security Management

  • Security assessment and due diligence prior to engaging technology and cloud service providers.
  • Data processing agreements incorporating security and confidentiality obligations.
  • Periodic review of vendor security compliance and certifications.
  • Contractual requirements for breach notification by vendors.

8. Logging, Monitoring, and Audit

  • All user access events, system changes, and administrative actions are logged and audit trails maintained.
  • Audit logs are protected from unauthorised modification or deletion.
  • Security monitoring provides alerts for anomalous access patterns, brute force attempts, and fraud indicators.
  • Security log retention: minimum one (1) year. Transaction log retention: as required by the Income Tax Act and the FCRA.

9. Incident Response

  • Detection: Monitoring systems, user reports, and vendor alerts for security incidents.
  • Triage: Assessment of severity, scope, and nature of the incident.
  • Containment: Isolation of affected systems and prevention of further impact.
  • Eradication: Identification and removal of root cause.
  • Recovery: Restoration of affected systems and services.
  • Post-Incident Review: Documentation and implementation of preventive measures.

Critical incidents are escalated to senior management and notified to the Data Protection Board of India and affected Data Principals as required by law.

10. Data Breach Notification

  • Notification to the Data Protection Board of India within the period prescribed under the DPDP Act, 2023.
  • Notification to affected Data Principals in accordance with applicable law.
  • Notification will include: nature of the breach, data affected, likely consequences, and remedial measures.
  • Full cooperation with regulatory authorities during any investigation.

11. Disaster Recovery and Business Continuity

  • Regular automated backups of critical Platform data and configuration, with encrypted offsite/cloud storage.
  • Defined Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for critical systems.
  • Annual business continuity testing and review.

12. Security Awareness

  • Induction security awareness training for all staff with access to personal data or Platform systems.
  • Annual refresher training on information security and data protection obligations.
  • Targeted training on phishing, social engineering, and secure credential management.

13. User Security Responsibilities

  • Maintain confidentiality of account credentials; do not share passwords with any third party.
  • Report suspected unauthorised account access to SAMIDHA immediately.
  • Use secure, updated browsers and devices to access the Platform.
  • Avoid accessing the Platform on unsecured public Wi-Fi networks without a VPN.

14. Reporting Security Concerns

Email: security@samidhadonor.in

Platform: /security

SAMIDHA will acknowledge security reports within 48 hours. Responsible disclosure is appreciated. Please do not exploit any discovered vulnerability.