Organizational security

Our security program is aligned to the ISO 27001 standards and is regularly audited and assessed by third parties and customers.

Personnel security

Personnel security practices apply to all employees at Cybrilla, who have direct or indirect access to Fintech Primitives internal information systems (“systems”). All employees are required to understand and follow internal policies and standards. Before gaining initial access to systems, all employees must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting. Upon termination of work at Cybrilla, all access to internal systems is removed immediately.


Fintech Primitives evaluates the design and operation of its overall ISMS for compliance with internal and external standards. Fintech Primitives engages credentialed assessors to perform external audits at least once per year. Audit results are shared with senior management and all findings are tracked to resolution.

Legal compliance

Fintech Primitives employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. These professionals review products and features for compliance with applicable legal and regulatory requirements.

Regulator compliance

Fintech Primitives adheres to the cyber practices laid down by SEBI for mutual fund distributors and AMCs. This ensures that the platform is up to date in compliance from the regulator’s perspectives as well.

Protecting Customer Data

The focus of the security program at Fintech Primitives is to prevent unauthorized access to customer data. For the same, we take exhaustive steps to identify and mitigate risks, implement best practices, and constantly develop ways to improve.

Sensitive Data

The following data points are extremely critical and all the policies are devised to handle the confidentiality, integrity and availability of this data.

  • Investors personal information
  • Transactional data (orders, payments)


All tenants are mandatorily required to create an HMAC authentication token to access the production environment.

Data in transit

All data transmitted between Fintech Primitives customers and the Fintech Primitives service is done so using strong encryption protocols. Fintech Primitives supports the latest recommended secure cipher algorithms to encrypt all traffic in transit like AES-256-CBC. All the APIs are accessed only via HTTPS SSL encryption.

Data at rest

Data at rest in Fintech Primitives production network is stored in an encrypted format, which applies to all types of data at rest within Fintech Primitives systems—relational databases, file stores, database backups, etc. All encryption keys are stored in a secure server on a segregated network with very limited access. Fintech Primitives has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.

Data storage

Each Fintech Primitives customer’s data is hosted in our shared infrastructure and logically separated from other customers’ data. We use a combination of storage technologies like Amazon RDS to ensure customer data is protected from hardware failures and returns quickly when requested. We have also configured RDS in Multi-AZ to have enhanced availability and durability (Each AZ is physically independent and engineered to be highly reliable). The Fintech Primitives service is hosted in data centers maintained by the industry-leading service provider (AWS), offering state-of-the-art physical protection for the servers and infrastructure that comprise the Fintech Primitives operating environment.

System Monitoring, Logging, and Alerting

Fintech Primitives uses both internal and external monitoring services to monitor the platform services. Administrative access, use of privileged commands, and system calls on all servers in the production network are logged and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. All production logs are stored in a separate network that is restricted to only the relevant security personnel. Fintech Primitives supports the latest stack available for monitoring services including but not restricted to ELK stack for log analysis, Amazon cloudwatch to monitor the infrastructure and Monitis for external API uptime monitoring.

Network Security

Fintech Primitives uses Amazon AWS platform and infrastructure. Physical security is guided by the AWS policies around it. In addition to the physical security, being on AWS also provides us with significant protection against the network security issues like

  • DDoS attacks
  • Man in the middle attacks
  • IP Spoofing
  • Port Scanning
  • Packet sniffing by other tenants

Access Control


To minimize the risk of data exposure, Fintech Primitives adheres to the principle of least privilege and role-based permissions when provisioning access. Employees are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. All production access is reviewed at least quarterly. The provisioning activities include performance of all activities on a remote AWS server, masking of all sensitive data points and access through a white labelled IP address.


Each customer is treated as a separate tenant that has a separate database and an independent access control to access the associated data.

Access Security

  • Access to servers is restricted to only certain IP addresses
  • Access to servers is only through AWS VPC
  • SSH Keys are required to access the servers and each user has a separate identity

Disaster Recovery and Business Continuity Plan

Fintech Primitives utilizes services deployed by its hosting provider (AWS) to ensure backup and recovery of applications and data respectively. We have incorporated various approaches like the following but not limited to -

  • Configured RDS in Multi-AZ to have enhanced availability and durability (Each AZ is physically independent and engineered to be highly reliable).
  • Modelled and provisioned a single source of truth for the infrastructure allowing to build and rebuild the infrastructure and applications, without having to perform manual actions or write custom scripts. This standardizes the infrastructure components enabling configuration compliance and faster troubleshooting.
  • Cross region replication of the requisite data points.
  • Well-tested backup and restoration procedures which allow for recovery from a major disaster.


Fintech Primitives has an existential interest in protecting your data. Every person, team, and organization deserves and expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers, and we continue to work hard to maintain that trust.