Security Overview · Last reviewed April 2026

Your financial data deserves real protection

Paisashield is built around secure-by-default principles: encrypted data, isolated workspaces, role-based access, and a full audit trail. Here is exactly what we do to keep your books safe.

Encryption in Transit: TLS for all connections
Role-Based Access: Module-level permissions
Full Audit Trail: Every change logged
No Card Storage: Payments via Razorpay

1. Data Security

Encryption in transit

All traffic between your browser and Paisashield is encrypted using TLS. This applies to every page, every API call, and every file upload.

Data at rest

Your financial data is stored in a managed MySQL database on secured infrastructure. Passwords are hashed using bcrypt — plaintext passwords are never stored or logged.

Workspace isolation

Every workspace is a completely separate data boundary. There is no shared data between workspaces at any layer of the application. A user in one workspace cannot access, view, or infer data from another.

Data retention & deletion

When you close your account, your data is removed from active systems. For details on retention timelines, see our Privacy Policy.

2. Application Security

CSRF protection

Every state-changing form in the application includes a CSRF token. Requests that do not present a valid token are rejected before processing.

Session management

Sessions are server-side. Session cookies are set with HttpOnly and Secure flags. Inactive sessions expire automatically.

SQL injection prevention

All database queries use SQLAlchemy's ORM with parameterised queries. Raw SQL strings constructed from user input are never used.

XSS prevention

The Jinja2 templating engine auto-escapes all user-supplied content by default. Rich text fields are not used in financial data inputs.

Open redirect prevention

Redirect targets supplied in URL parameters are validated against an allowlist of relative paths before use. Arbitrary external redirects are blocked.
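As an illustration of this kind of check (an added example, not Paisashield's own code), the sketch below accepts only relative paths under an allowlisted prefix and falls back to a default otherwise. The prefixes, the default target and the function name are assumptions made for the example.

```python
from urllib.parse import urlsplit, unquote

# Hypothetical in-app prefixes and fallback; not taken from the page.
ALLOWED_PREFIXES = ("/dashboard", "/invoices", "/reports")
DEFAULT_TARGET = "/"


def safe_redirect_target(raw, allowed=ALLOWED_PREFIXES, default=DEFAULT_TARGET):
    """Return raw if it is an allowlisted relative path, otherwise default."""
    if not raw or len(raw) > 2048:
        return default
    # Control characters enable header splitting; browsers treat "\" like "/",
    # so "/\host" can be resolved the same way as "//host".
    if "\\" in raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return default
    # Exactly one leading slash: "//host/path" is scheme-relative, not local.
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return default
    # Decode once so %2e%2e, %2f and %5c cannot hide traversal or slashes.
    path = unquote(parts.path)
    if "\\" in path or "//" in path:
        return default
    if any(segment in (".", "..") for segment in path.split("/")):
        return default
    # Match on a segment boundary so "/dashboardevil" does not pass.
    if not any(path == p or path.startswith(p + "/") for p in allowed):
        return default
    return raw


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("/invoices/42?tab=lines", "//evil.example/reports",
                      "/reports/%2e%2e/settings", "https://evil.example/"):
        print(repr(candidate), "->", repr(safe_redirect_target(candidate)))
```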

Email verification

New accounts require email verification before they can access the platform. Verification tokens are time-limited and single-use.
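The two properties named here, time-limited and single-use, can be enforced in one atomic update, as in the following added sketch (not Paisashield's implementation). It assumes a one-hour lifetime, a hypothetical `email_tokens` table, and uses the standard-library `sqlite3` module in place of the production database so that it runs stand-alone.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the page gives no figure


def open_store():
    """In-memory stand-in for the real token table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE email_tokens (token_hash TEXT PRIMARY KEY, "
        "user_id INTEGER NOT NULL, expires_at REAL NOT NULL, used_at REAL)"
    )
    return db


def token_digest(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(db, user_id, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO email_tokens VALUES (?, ?, ?, NULL)",
        (token_digest(token), user_id, now + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return token


def redeem_token(db, token, now=None):
    """Return the user id once for a live token, otherwise None."""
    now = time.time() if now is None else now
    digest = token_digest(token)
    # One conditional UPDATE marks the token used only if it is unused and
    # unexpired, so two concurrent requests cannot both succeed.
    cur = db.execute(
        "UPDATE email_tokens SET used_at = ? "
        "WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?",
        (now, digest, now),
    )
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute(
        "SELECT user_id FROM email_tokens WHERE token_hash = ?", (digest,)
    ).fetchone()
    return row[0]
```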

3. Access Control

Access within a workspace is governed by roles. The workspace owner assigns roles when inviting team members. Roles can be changed or revoked at any time.

Admin

Full access to all modules, company settings, team management, and billing.

Accountant

Can create and edit financial records across modules. Cannot manage team members or access billing.

Viewer

Read-only access to reports and records. Cannot create, edit, or delete any data.

All access checks are enforced server-side on every request. UI state (hidden buttons, greyed-out menus) is supplementary to — not a substitute for — server-side authorisation.

4. Audit Trail

Every change is logged permanently

The audit log captures: what changed, who made the change, the timestamp, and the before/after state of the record. This covers all financial transactions, master data, and settings changes across every module.

Journal entry create / edit / reverse / delete
Invoice and bill create / void
Chart of accounts changes
Team member access changes
Investment buy / sell / dividend entries
Company and workspace settings changes

5. Payment Security

Paisashield does not store payment card data

Subscription payments are processed through Razorpay's hosted checkout. Your card details are entered directly on Razorpay's PCI-DSS compliant environment — they are never transmitted to or stored on Paisashield's servers.

Paisashield receives only a payment confirmation token and the transaction status from Razorpay. No CVV, card number, or bank credentials are passed to or stored in our system at any point.

6. Infrastructure

Hosting

Application hosted on managed cPanel hosting. Web server, database, and application processes run in isolated environments.

Database

Production database runs MySQL. Database access credentials are stored as environment variables — not in code or configuration files.

Backups

Regular database backups are maintained. Backups are stored separately from primary data to enable recovery in the event of data loss.

Dependency management

Third-party libraries are pinned to specific versions. Dependencies are reviewed and updated as security advisories are published.

7. Responsible Disclosure

If you discover a security vulnerability in Paisashield, we ask that you report it to us privately before disclosing it publicly. This gives us time to investigate and fix the issue without putting users at risk.

Email your report to security@paisashield.com with a clear description of the vulnerability and steps to reproduce it.
We will acknowledge your report within 2 business days and provide an estimated fix timeline.
We request a reasonable disclosure window (typically 30 days) before any public disclosure, and we will credit researchers who report valid issues.
Please do not: access, modify, or delete user data during testing; perform denial-of-service attacks; test social engineering or phishing against our users.

8. Security Contact

For security vulnerabilities, suspected incidents, or questions about how we protect your data: