Help · Trust

Security is how
Carfin survives.

We hold sensitive financial data — name, PAN, income, bank statements — on behalf of every applicant. Here's how we protect it, and what we've signed up to do when we get it wrong.

Encryption
AES-256
Audits
Bi-annual
Bug bounty
Up to ₹4L
Uptime
99.97%
Last 12 months
What we do

Security practices.

Encryption at rest + in transit

All personal data is encrypted at rest with AES-256. All traffic between client, Carfin services, and lender systems is TLS 1.3 with HSTS.

Least-privilege access

Carfin staff access to production data is role-gated. All access is logged and audited. Sales advisors cannot see PAN or bank-statement contents.

Vendor due diligence

We use SOC-2 Type II compliant cloud, KYC and messaging vendors. We re-review SOC reports annually.

Bi-annual penetration tests

Third-party black-box + grey-box pen-tests every six months. Findings are tracked publicly on our internal status page.

Quarterly access reviews

Every quarter, every active account and every API key is reviewed. Unused credentials are revoked within 30 days.

Incident response

24×7 on-call. We publish a public post-mortem within 14 days of any incident that touched customer data.

Bug bounty

Find a vulnerability. Get paid.

Carfin runs a private bug bounty programme. We respect researchers who follow coordinated disclosure — and pay them properly.

In scope

  • All Carfin web properties on *.carfin.in
  • Carfin's iOS and Android apps
  • Public REST APIs documented at api.carfin.in/docs

Out of scope

  • Denial-of-service, social engineering, physical security
  • Third-party services we use (report directly to them)
  • Self-XSS, missing security headers without exploitability, CSRF on logout

How to report

Encrypt your write-up with our PGP key (linked below) and email security@carfin.in. We acknowledge within 48 hours and pay out within 14 days of verification.

Bounty tiers
  • Critical₹2L – ₹4L
    RCE, auth bypass, PII leak
  • High₹50K – ₹1.5L
    Stored XSS, IDOR on private data
  • Medium₹15K – ₹40K
    CSRF on sensitive action, SSRF
  • Low₹3K – ₹10K
    Open redirect, minor info leak
Report a finding →
Hall of fame

Researchers who helped us in 2025-26.

@nikhil_v
@cyber_chowkidar
@p4nd0r4
@bug_b0t
@neha_secsec
@dishant.io
@thereal_kun
@kiosk_user