Product Docs

Open – Security, Privacy & Compliance Overview

Suggest Edits

1. Data Management & Privacy

Is customer data stored? Why?

Yes. All data transmitted to Open through APIs or platform workflows is securely collected and stored.

Data storage is required to:

  • Maintain a complete system of record for all financial operations processed through Open
  • Support dispute resolution, fraud investigations, regulatory inquiries, and audit requirements
  • Meet banking partner and regulatory expectations for transaction traceability

As a regulated financial technology platform operating as an orchestration and connectivity layer between enterprises and banks, Open is required to retain records of all transactions and API interactions.


For how long is data retained, and where?

  • Transactional and operational data is retained in hot storage for 10 years, in line with internal data retention policies and banking industry norms.
  • After 10 years, data is securely moved to cold storage and is retrieved only upon explicit request.
  • All data is hosted exclusively on Amazon Web Services (AWS) cloud infrastructure.

No customer data is stored on local machines or on-premise infrastructure.


How secure is stored data?

Open implements bank-grade security controls across data at rest and data in transit.
Key measures include:

  • Encryption at rest and in transit using industry-standard cryptographic protocols
  • Strict access controls, with database and storage access limited to authorized personnel only
  • Key management handled via AWS Key Management Service (KMS)

Open operates under a formal Information Security Management System (ISMS) and undergoes regular external audits to validate adherence to internationally recognized security standards.


2. Technology Architecture & Integration Security

High-level architecture overview

Open acts as a secure middleware layer between enterprises and banking systems.

  • Enterprises connect to Open using secure APIs or platform modules
  • Open maintains integrations with 16+ major Indian banks
  • All communication between merchants, Open, and banks is secured using encrypted channels and bank-mandated security protocols
  • Enterprises interact with a unified interface, eliminating the need to integrate individually with multiple banks
    This architecture significantly reduces operational complexity while maintaining strong security and compliance controls.

How does Open interact with external platforms (ERPs, tools)?

  • ERPs (e.g., Microsoft Business Central, Tally) never communicate directly with banks
  • All ERP interactions flow through Open’s secure backend
  • ERP integrations use:
    • API-based connectors (cloud ERPs)
    • Secure plugins (desktop ERPs like Tally)
  • Transaction confirmations and reconciliations are pushed back to ERPs through secured APIs

This ensures consistent security enforcement across all integrations.


How secure is API communication?

All API communication is protected through multiple layers of security, including:

  • TLS 1.2 / 1.3 encrypted transport
  • AES-256 encryption for payloads
  • Certificate-based authentication
  • IP whitelisting and mutual TLS, where mandated by banks
  • RSA 2048 / 4096-bit encryption, as required by specific banking partners

Security protocols are bank-dictated, and Open complies fully with each bank’s integration requirements.


3. Infrastructure & Cloud Security

Cloud infrastructure

  • Open is hosted on AWS, operating within isolated private networks (VPCs)
  • All environments (production, staging, testing) are logically segregated
  • No customer data is stored in developer or local environments

Key management

  • All secrets, tokens, and encryption keys are managed using AWS Key Management Service (KMS)
  • Keys are rotated and access-controlled as per internal security policies

Monitoring & availability

  • 24×7×365 monitoring using proprietary and industry-standard tools
  • 99.9% uptime SLA
  • Real-time alerts for performance degradation, security anomalies, or availability risks

Disaster recovery & resiliency

  • Redundant infrastructure and automated failover mechanisms
  • Regular backups and snapshots
  • Point-in-time recovery supported (up to the last 35 days)
  • Periodic disaster recovery drills to validate recovery readiness

4. Application & Network Security

Application security practices

  • Secure Software Development Lifecycle (SSDLC)
  • Static and dynamic application security testing (SAST & DAST)
  • Secure coding practices aligned with OWASP guidelines
  • Third-party security assessments conducted bi-annually
  • Software Composition Analysis (SCA) and Software Bill of Materials (SBOM) generation
  • Active responsible disclosure / bug bounty program

Network protection

  • Web Application Firewall (WAF)
  • Network-level firewalls
  • DDoS protection
  • Network segmentation and traffic filtering

Vulnerability management

  • Quarterly vulnerability assessments
  • Regular penetration testing by independent third-party firms
  • Timely remediation and verification of identified issues

5. Audits, Compliance & Certifications

External audits

Open undergoes:

  • Annual ISMS audits
  • Regular bank-mandated security audits (conducted independently by each banking partner)
  • Periodic compliance reviews by third-party auditors

Certifications & compliance

Open maintains the following certifications and compliance standards:

  • ISO 27001 – Information Security Management System
  • PCI DSS – Payment Card Industry Data Security Standard
  • Cloud infrastructure compliant with SOC 2 Type II
    Additionally:
  • Each banking partner conducts its own technical and security audit before enabling integrations
  • Identified issues are remediated prior to certification or approval

6. Data Access & Internal Controls


  • Role-based access control (RBAC)
  • Audit logging across systems
  • Strict separation of duties
  • Mandatory security training and awareness for employees
  • Centralized incident response and SOC processes

7. Questions Enterprises Commonly Ask

Can merchants request data deletion?

  • Data retention follows regulatory and contractual requirements.
  • Post-retention deletion requests are handled as per internal data governance policies.

Is customer data shared with third parties?

  • No customer data is sold or shared with unauthorized third parties.
  • Data is shared only with:
    • Banking partners (for transaction execution)
    • Explicitly authorized platforms (ERPs, integrations initiated by the merchant)

How are access events logged and audited?

  • All critical access and transaction events are logged
  • Logs are monitored and retained for audit and forensic purposes

Who owns the data?

  • The enterprise/customer retains full ownership of their data
  • Open acts solely as a data processor and secure intermediary

8. Summary for Enterprise Stakeholders

Open is built to meet bank-grade security expectations and has been vetted by:

  • India’s largest banks
  • Enterprise customers with stringent security requirements
  • Independent auditors and compliance bodies

Security, compliance, and operational resilience are foundational, not add-ons.

Updated about 3 hours ago