Security
Last updated: January 2025
At LedgerHub, security is not an afterthought — it is built into every layer of our platform. Your invoices, GST records, inventory data, and financial information are among the most sensitive assets your business holds. We take our responsibility to protect that data seriously and have implemented multiple layers of technical and organisational safeguards.
1. Encryption in Transit
All communication between your browser or mobile app and the LedgerHub servers is encrypted using TLS 1.2 or higher with 256-bit cipher suites. This means that any data you send or receive — including login credentials, invoice details, and financial reports — is protected from interception by third parties. Our TLS certificates are managed and auto-renewed to ensure continuous protection. We enforce HTTPS across all domains and subdomains and use HTTP Strict Transport Security (HSTS) so that browsers refuse to downgrade to plain HTTP.
2. Encryption at Rest
All data stored in our databases and file storage systems is encrypted at rest using AES-256, the same standard used by financial institutions and government agencies worldwide. Sensitive fields — including bank account numbers, GSTIN, and PAN — are encrypted at the application layer in addition to the database-level encryption, providing a second layer of protection even in the unlikely event of unauthorised database access.
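The following is an added example, not LedgerHub's own code, showing what "encrypted at the application layer" means in practice: a sensitive field such as a GSTIN is sealed with AES-256-GCM before it is written to the database, so the stored column holds only ciphertext. The field name is bound as additional authenticated data so a ciphertext copied from one column into another fails to decrypt. The key, the field names and the sample GSTIN value are constructed for the demonstration; a real deployment would fetch the key from a key-management service rather than hard-code it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Hypothetical helper (not LedgerHub's code): application-layer field
// encryption with AES-256-GCM. The stored value is
// base64(nonce || ciphertext || GCM tag). The column name is bound as
// additional authenticated data (AAD), so a value copied from one column
// (say, "pan") into another ("gstin") fails authentication on read.

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one field value under the given key.
func EncryptField(key []byte, fieldName, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per value: nonce reuse under the same key
	// breaks GCM confidentiality and authenticity.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(fieldName))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Wrong key, tampered ciphertext and
// wrong field name are all reported as one generic failure.
func DecryptField(key []byte, fieldName, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(fieldName))
	if err != nil {
		return "", errors.New("field authentication failed")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key; a real deployment would fetch it from a KMS.
	key := bytes.Repeat([]byte{0x42}, 32)
	enc, err := EncryptField(key, "gstin", "SAMPLE-GSTIN-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", enc)
	dec, _ := DecryptField(key, "gstin", enc)
	fmt.Println("decrypted:", dec)
	_, err = DecryptField(key, "pan", enc)
	fmt.Println("decrypt under wrong field name:", err)
}
```

Because the nonce is random per value, encrypting the same GSTIN twice yields two different ciphertexts, which also prevents equality matching across rows by anyone who can read the raw column.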
3. Data Centre Security
Your data is stored exclusively on servers located within India, in ISO 27001-certified data centres. ISO 27001 is the internationally recognised standard for information security management systems. Our data centre partners maintain:
- 24/7 physical security with biometric access controls and CCTV surveillance.
- Redundant power supply with uninterruptible power systems (UPS) and diesel generators to ensure continuous availability.
- Fire suppression and environmental monitoring systems.
- Strict visitor management and escort policies for all personnel entering the facility.
4. Backups and Data Availability
We take automatic incremental backups every 4 hours and full daily backups of all customer data. Backups are retained for a minimum of 30 days and are stored in geographically separate locations within India to protect against localised outages.
Backup data is encrypted using the same AES-256 standard as production data, and access to backup systems is restricted to a small number of authorised senior engineers. We perform regular restore tests to verify that backups are usable and that recovery time objectives can be met.
5. Access Controls
We apply the principle of least privilege throughout our organisation:
- Role-based access controls (RBAC) ensure that every LedgerHub team member — engineering, support, operations — can only access the systems and data necessary to perform their specific job function.
- Customer data is not accessible to sales or marketing staff. Support staff can view account metadata to assist with technical queries, but never have access to the content of your invoices or financial records without your explicit permission.
- All internal administrative access to production systems requires multi-factor authentication (MFA) and is logged and audited.
- Access permissions are reviewed quarterly and revoked immediately upon employee offboarding.
6. Two-Factor Authentication (2FA)
Two-factor authentication is available to all LedgerHub users and is strongly recommended. When enabled, logging in to your account requires both your password and a time-based one-time code (TOTP) generated by an authenticator app such as Google Authenticator or Authy. Enabling 2FA significantly reduces the risk of unauthorised access in the event your password is compromised. You can enable 2FA from Settings → Security in your LedgerHub account.
7. Penetration Testing
We conduct regular penetration testing of our web application, APIs, and infrastructure, carried out by independent third-party security firms. Findings are triaged and addressed according to severity — critical and high-severity vulnerabilities are patched within 48 hours of discovery. We also run automated vulnerability scanning as part of our continuous integration pipeline to catch security issues before they reach production.
8. Compliance
- India PDPA: LedgerHub processes and stores all personal data in accordance with India's Personal Data Protection Act (PDPA) and related regulations. We collect only the minimum data necessary, retain data only as long as required, and support your rights to access, correction, and deletion of your personal data.
- SOC 2 Type II: We are actively working towards SOC 2 Type II certification, which will provide independent third-party verification of our security, availability, and confidentiality controls. We expect to complete this audit in 2025.
- GST data handling: We adhere to the data handling requirements specified by the Goods and Services Tax Network (GSTN) for authorised GST Software Providers.
9. Responsible Disclosure
We welcome reports from security researchers and users who discover potential vulnerabilities in LedgerHub. If you believe you have found a security issue, please report it to us responsibly:
- Email your findings to security@ledgerhub.cloud. Please encrypt sensitive details using our PGP key if possible.
- Include a description of the vulnerability, the steps to reproduce it, and the potential impact.
- Please do not exploit the vulnerability beyond what is necessary to demonstrate the issue, and do not access, modify, or delete data that does not belong to you.
We commit to acknowledging your report within 2 business days, keeping you informed of our progress, and publicly crediting researchers who responsibly disclose valid vulnerabilities (unless they prefer to remain anonymous).
10. Contact Us
For general security questions or to report a security incident with your account, please contact:
LedgerHub Technologies Pvt. Ltd.
102, Supan Apartment, Unchi Gali, Shamla ni Pole, Raipur
Ahmedabad, Gujarat 380001, India
Security disclosures: security@ledgerhub.cloud
General support: support@ledgerhub.cloud