Security & Breach Notification

How we protect your data — and how we'll tell you if something goes wrong

Last updated: 4 June 2026

Encryption

TLS in transit. Encryption-at-rest is provided by our hosting platform (Emergent) — see §1 below.

Auth

JWT · optional TOTP 2FA · per-tenant isolation

Backups

Managed by our hosting platform. 8-year accounting record retention enforced in-app via soft-delete (Sec 36 CGST).

Audit Log

Append-only · every create/update/delete recorded with user, IP, timestamp, before/after

1. Infrastructure

The application is hosted on Emergent, a managed application-deployment platform. Specifically, Emergent operates:

  • The web/API runtime serving travelaccountingsoftware.com
  • The MongoDB instance that stores your data
  • Any file uploads (invoice PDFs/images) you place in the system

The exact physical region, encryption-at-rest standard, automated backup frequency, and restore-test cadence are governed by Emergent's infrastructure. We are working to publish a signed Data Processing Agreement and infrastructure attestation from Emergent on this page. In the meantime:

  • You may request the current details in writing at dpo@travelaccountingsoftware.com
  • For enterprise customers who require data residency in India, we offer a separate paid plan that runs on a dedicated MongoDB Atlas cluster in AWS Mumbai (ap-south-1) with a read-replica in Hyderabad (ap-south-2), AES-256 customer-managed-key encryption at rest, and a monthly cold archive to S3 Glacier Deep Archive (Mumbai) under Object Lock Compliance mode for the full Sec 36 CGST 8-year retention. Contact sales@travelaccountingsoftware.com for pricing.

2. Access control

  • JWT-based authentication with optional TOTP 2FA
  • Password storage uses bcrypt with a per-password salt
  • Customer data is never accessed by our staff without an explicit support ticket from you, and all such access is recorded in the audit log
  • Per-tenant logical isolation — every API query is scoped to your user_id

3. Data retention

Per Section 36 of the CGST Act, 2017, we retain accounting records for 8 years after the end of the relevant financial year. The application implements this via soft-deletion: when you delete a Sale, Purchase, Payment, Credit Note, Debit Note, or TDS entry, the record is marked deleted but preserved in the database for the statutory horizon.

4. Backups

Daily backups are performed by our hosting platform (Emergent). The exact retention window, off-site geography, and restore-test cadence are managed by Emergent — request the current details from dpo@travelaccountingsoftware.com. Enterprise customers on the AWS-Mumbai plan additionally get a monthly cold archive in S3 Glacier Deep Archive with 8-year Object Lock.

5. Breach Notification Process

We follow Section 8(6) of the DPDP Act, 2023, and CERT-In Direction 20(3)/2022 for incident response:

  1. Detection (T+0): 24×7 monitoring detects anomalous activity. Confirmed incidents are escalated within 30 minutes.
  2. Containment (T+6h): Affected systems are isolated. An incident commander is appointed.
  3. Customer notification (T+72h max): Affected tenants receive an email with: scope of breach, data categories affected, mitigation steps taken, what you should do, contact for follow-up.
  4. Regulator notification:
    • Data Protection Board of India — within 72 hours under DPDP §8(6)
    • CERT-In — within 6 hours under the 2022 Direction
  5. Post-mortem (T+2 weeks): Published RCA + remediation report sent to affected customers and the DPO.

6. Reporting a vulnerability

Found a security issue? Please email security@travelaccountingsoftware.com. We acknowledge within 24 hours and aim to remediate within 30 days for critical issues. We do not currently run a public bug bounty.

7. Compliance roadmap

  • DPDP Act 2023 — compliant since Feb 2026 (this release)
  • SOC 2 Type II readiness — target FY 26-27 Q2
  • ISO 27001 — target FY 26-27 Q4

8. Contact

Security: security@travelaccountingsoftware.com
DPO: dpo@travelaccountingsoftware.com · response ≤ 30 days
