Security & compliance

Trust is the product.

GrihaNexus handles some of the most sensitive data a person owns. We treat it that way — consent-first, verified at source, and encrypted end-to-end. Here is exactly how, and where we are on the journey.

1. Explicit, purpose-bound consent

The borrower approves exactly what data is shared, for what purpose, and for how long — in plain language, revocable anytime. This is the DPDP Act's core principle and the basis of the Account Aggregator flow.

2. Verified data from the source

Instead of trusting uploaded PDFs (which can be forged), GrihaNexus is built to pull bank statements via RBI's Account Aggregator and identity via DigiLocker/CKYC — data signed by the institution that holds it.

3. Minimise, encrypt, and retain lawfully

We collect only what a file needs, encrypt it in transit and at rest, and follow tiered retention — keeping regulatory records as RBI/PMLA require and erasing non-essential data on consent withdrawal.

Where we stand

We believe in being precise about what is live today versus on the roadmap. No vague claims.

DPDP Act 2023

Consent-first data handling, data minimization, purpose limitation, and the right to erasure are built into how GrihaNexus collects and processes borrower data.

Aligned by design

RBI Account Aggregator

Architected to consume bank data through India's RBI-regulated, consent-based Account Aggregator framework (ReBIT APIs, via Sahamati) — verified data straight from the source, not forgeable PDFs.

Integration-ready

DigiLocker & CKYC

Designed to verify PAN, Aadhaar, and KYC from government-grade sources rather than relying on uploaded copies alone.

Integration-ready

Credit bureau (CIBIL/Experian)

Built to pull consented credit reports so the readiness score reflects a real bureau pull, not a guess.

Integration-ready

Encryption in transit & at rest

All borrower data is encrypted end-to-end. Documents are processed over secure channels and never exposed publicly.

Built-in

SOC 2 & ISO 27001

We are building toward formal SOC 2 Type II and ISO 27001 certification as we onboard our first lending partners.

In progress

References: DPDP Act 2023 & DPDP Rules 2025; RBI Master Direction — NBFC-Account Aggregator; ReBIT API specifications (Sahamati, the RBI-recognised SRO for the AA ecosystem).

Want our security overview for your risk team?

We'll walk your compliance and IT teams through our data flows, consent model, and roadmap.