● Security & trust

Your ledger.
Your data. Your country.

You're handing us the most sensitive thing your business owns — the truth about money, customers and stock. Here is exactly how we hold it.

01

India-only data residency

Every byte of your ledger, customer list and inventory stays inside Indian borders. Hosted on AWS Mumbai and Hyderabad. We never replicate outside the country, even for backups.

AWS ap-south-1 / ap-south-2
02

Encryption at rest & in transit

TLS 1.3 in transit. AES-256 at rest, with envelope encryption for sensitive fields (PII, GST identifiers, ledger balances). Customer-managed keys for Enterprise on request.

AES-256 · TLS 1.3
03

Role-based access control

Owner, manager, accountant, warehouse, delivery — each role sees what they need, nothing more. Finance is invisible to the warehouse. Approvals require the owner. Period.

5 roles · least privilege
04

7-year audit log, tamper-evident

Every money, stock and customer-record change is signed and stored for the full statutory retention period. Every event shows who, what, when, from where — and we cannot edit it.

Hash-chained · immutable
05

Daily backups, fast recovery

Encrypted snapshots every 24 hours, retained for 30 days. Tested restore drills monthly. Recovery point objective (RPO) under 4 hours, recovery time objective (RTO) under 8.

RPO 4 h · RTO 8 h
06

GST e-invoice, attested

IRN pulled directly from GSTN at the moment of dispatch. No intermediate caching of your invoice data. Filing-ready exports in JSON and Excel.

GSTN direct · GSP-backed
● Where the data sits

Two regions. Zero border crossings.

Primary in Mumbai. Hot standby in Hyderabad. Backups in both. Logs and analytics never leave India.

PRIMARY
Mumbai · ap-south-1
Live read/write
STANDBY
Hyderabad · ap-south-2
Hot failover
Backups
Encrypted snapshots · 24-hour cadence · 30-day retention
● Compliance posture

The frameworks we meet, work toward, or sidestep.

FRAMEWORK
STATUS
NOTE
GST e-invoice
Live
NIC GSP integration, IRN at line level
India IT Act
Compliant
Section 43A — reasonable security practices
DPDP Act 2023
Compliant
Data Principal rights, breach notification
SOC 2 Type II
In progress
Audit scheduled Q4 2026
ISO 27001
In progress
Gap assessment complete
PCI DSS
Out of scope
We never store card data — routed via Razorpay
● Sub-processors

Every party that touches your data.

We publish this list whenever we change it. You're notified 30 days before any addition takes effect.

Infrastructure
AWS (Mumbai, Hyderabad)
Compute, storage, DB
Payments
Razorpay
UPI, cards, NEFT collection
WhatsApp + SMS
Twilio India
Outbound notifications
Transactional email
Postmark
OTP delivery (backup channel)
GST e-invoice
NIC GSP partner
IRN generation
Error monitoring
Sentry
Anonymized stack traces
● Incident response

If something goes wrong, you hear from us first.

Every customer-affecting incident triggers a notification within 4 hours of detection. Detailed post-mortem with timeline, root cause and remediation within 5 working days. No spin.

Report a vulnerability
security@neev.in
PGP key available on request
Status page
status.neev.in
Real-time uptime · 90-day history

Want the long version?

Our security architecture document goes deeper — key rotation cadence, threat model, network topology, the works. Sent over after a quick NDA for serious evaluators.

Request the white paper →Email security@