Security is how
Carfin survives.
We hold sensitive financial data — name, PAN, income, bank statements — on behalf of every applicant. Here's how we protect it, and what we've signed up to do when we get it wrong.
Security practices.
All personal data is encrypted at rest with AES-256. All traffic between client, Carfin services, and lender systems is TLS 1.3 with HSTS.
Carfin staff access to production data is role-gated. All access is logged and audited. Sales advisors cannot see PAN or bank-statement contents.
We use SOC-2 Type II compliant cloud, KYC and messaging vendors. We re-review SOC reports annually.
Third-party black-box + grey-box pen-tests every six months. Findings are tracked publicly on our internal status page.
Every quarter, every active account and every API key is reviewed. Unused credentials are revoked within 30 days.
24×7 on-call. We publish a public post-mortem within 14 days of any incident that touched customer data.
Find a vulnerability. Get paid.
Carfin runs a private bug bounty programme. We respect researchers who follow coordinated disclosure — and pay them properly.
In scope
- All Carfin web properties on
*.carfin.in - Carfin's iOS and Android apps
- Public REST APIs documented at
api.carfin.in/docs
Out of scope
- Denial-of-service, social engineering, physical security
- Third-party services we use (report directly to them)
- Self-XSS, missing security headers without exploitability, CSRF on logout
How to report
Encrypt your write-up with our PGP key (linked below) and email security@carfin.in. We acknowledge within 48 hours and pay out within 14 days of verification.
- Critical₹2L – ₹4LRCE, auth bypass, PII leak
- High₹50K – ₹1.5LStored XSS, IDOR on private data
- Medium₹15K – ₹40KCSRF on sensitive action, SSRF
- Low₹3K – ₹10KOpen redirect, minor info leak