
Security & Technology

Enterprise-Grade Compliance Infrastructure

Built for security auditors, CA firms, and enterprise buyers who want to evaluate our architecture before trusting their compliance data with us.

Certified GSP Gateway

All GST portal communications routed through a SOC2 & ISO 27001 certified GST Suvidha Provider (GSP). GSTR-1 filing, GSTR-2B fetch, e-invoice IRN generation, e-way bill creation — all via audited infrastructure. Both Chartered Information Systems (TaxPro) and Quicko Infosoft registered for automatic failover.

STRIDE Threat Model v1.2

We document and provide our threat model covering all six STRIDE categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Includes agentic AI-specific threats such as cross-tenant inference, prompt injection, and unauthorized tool invocation. Validated and available upon request.

AES-256 Encryption at Rest

Azure PostgreSQL with Transparent Data Encryption (TDE). All data encrypted at rest with AES-256. TLS 1.2+ for all data in transit. Zero plaintext token persistence — GST portal tokens stored in-memory only with automatic expiry.

Tenant-Isolated Architecture

Every database query scoped by org_id AND gstin. No cross-tenant data access is architecturally possible. Role-based access control (admin, manager, accountant, viewer). Append-only audit logs with user attribution and timestamps.

Deterministic Tax Engine

Integer arithmetic in paisa (₹1 = 100 paisa). No floating-point rounding errors. CGST, SGST, IGST computed deterministically from buyer location and supply type. HSN/SAC codes mapped from the official government schedule. GST 2.0 compliant with September 2025 rate changes.

Agentic AI Safety

Seven specialized tools with strict function-calling schema. Server-side validation prevents unauthorized actions. AI cannot access data across tenants, cannot modify filing data without user confirmation (EVC OTP), and cannot bypass role-based permissions. Every AI action is explainable and logged.
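One way the server-side validation described above can be structured, as an added example that is not GanitSy's own code. The tool names, the role ordering (viewer < accountant < manager < admin) and the `otp_verified` session flag are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical tool registry: names, argument schemas and minimum roles are
# assumptions for this example, not the product's actual tool list.
ROLE_RANK = {"viewer": 0, "accountant": 1, "manager": 2, "admin": 3}
TOOLS = {
    "get_invoice": {"args": {"invoice_id": str}, "min_role": "viewer", "confirm": False},
    "file_gstr1": {"args": {"period": str}, "min_role": "manager", "confirm": True},
}


@dataclass(frozen=True)
class Session:
    """Server-side session state; the model never supplies these values."""
    org_id: str
    gstin: str
    role: str
    otp_verified: bool = False  # assumed to be set by the server after user confirmation


class ToolCallRejected(Exception):
    """Raised when a model-proposed tool call fails any server-side check."""


def authorize_tool_call(session, name, args):
    """Validate a model-proposed call and return it with the tenant scope bound."""
    spec = TOOLS.get(name)
    if spec is None:
        raise ToolCallRejected(f"unknown tool: {name}")
    # Strict schema: exact key set and exact types. This also rejects a
    # model-supplied org_id or gstin, because neither is a schema field.
    if set(args) != set(spec["args"]):
        raise ToolCallRejected("unexpected or missing arguments")
    for key, typ in spec["args"].items():
        if not isinstance(args[key], typ):
            raise ToolCallRejected(f"bad type for {key}")
    # Role check uses the session role; an unrecognised role ranks below viewer.
    if ROLE_RANK.get(session.role, -1) < ROLE_RANK[spec["min_role"]]:
        raise ToolCallRejected("role not permitted")
    # Calls that change filing data need a confirmation recorded server-side.
    if spec["confirm"] and not session.otp_verified:
        raise ToolCallRejected("user confirmation required")
    # Tenant scope comes only from the session, never from model output.
    return {"tool": name, "args": dict(args),
            "scope": {"org_id": session.org_id, "gstin": session.gstin}}
```

The returned `scope` is what a data layer would apply to every query, so a prompt-injected argument cannot widen the tenant boundary.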

Complete Audit Trail

Every invoice created, updated, voided, or filed is logged with user attribution, timestamp, IP address, and action type. Append-only activity history — no retroactive edits. Full accountability chain for compliance audits and notice responses.

Offline-First Mobile Security

Local-first sync queue with conflict resolution. Biometric authentication on mobile. Data encrypted on device. Push notifications for filing deadlines delivered without exposing sensitive data in notification payload.

Need our STRIDE threat model or a security review?

Available upon request to enterprise customers, CA firms, and security auditors.
