Security Policy
How OneFinOps secures its platform, infrastructure and the Customer Data we process - controls, certifications and our responsible-disclosure programme.
We treat security as a product feature, not an afterthought. This Security Policy describes the controls VentureSpin Private Limited (CIN: U62099TS2025PTC205120; “VentureSpin”, “we”, “us”) operates to protect the OneFinOps platform (the “Service”) and the Customer Data we process. It is updated as the programme evolves.
For sensitive details (penetration-test reports, SOC 2 reports under NDA, Sub-processor list, data-flow diagrams), contact security@onefinops.com from a verified Customer email.
1. Definitions
Capitalised terms used in this Policy but not defined here have the meanings given in the Terms of Service, the Privacy Policy and the Data Processing Addendum.
- “Customer Data” has the meaning given in the Terms of Service.
- “Incident” means a confirmed event that compromises the confidentiality, integrity or availability of the Service or Customer Data.
- “Personal Data” has the meaning given in the Privacy Policy and the DPDP Act.
- “Personal Data Breach” has the meaning given in the DPA.
- “Service” means the OneFinOps platform.
- “Sub-processor” means a third party engaged by VentureSpin to process Customer Data or Personal Data in connection with the Service.
- “VentureSpin” means VentureSpin Private Limited (CIN: U62099TS2025PTC205120), referred to as “we” or “us”.
2. Governance
Security is owned by our Head of Security, who reports directly to the founders. We maintain a written information security programme aligned with the controls of ISO/IEC 27001 and the AICPA SOC 2 Trust Services Criteria. Policies are reviewed at least annually, and on material change.
3. Hosting and infrastructure
- Region: production infrastructure for Customer Data is hosted in Indian regions of leading cloud providers (currently AWS Mumbai). Backup replication is constrained to Indian regions.
- Tenancy: Customer Data is logically isolated per tenant, with strict tenant-scoped queries enforced at the application layer.
- Network: all ingress runs through a managed WAF, with rate limiting, geo-aware throttling and IP-based abuse detection. Production VPCs are private; egress is allow-listed to known Sub-processors.
- Hardening: container images are scanned on build and on a recurring schedule; vulnerabilities meeting our risk threshold are patched within defined SLAs (critical: 24 hours, high: 7 days, medium: 30 days).
4. Encryption
- In transit: TLS 1.2+ for all external traffic, with HSTS and certificate pinning where applicable. Internal service-to-service traffic uses mutual TLS.
- At rest: AES-256 for primary database storage, object storage and backups. Keys are managed via the cloud provider’s KMS, with rotation on a documented schedule and audit logging on every key use.
- Secrets: application secrets are stored in a managed secrets vault and never written to source control or logs.
5. Access control
- Identity: single sign-on with multi-factor authentication is required for all employee access to production systems. Customer-facing SSO and SCIM are available for Enterprise plans.
- Least privilege: production access is role-based and granted only for specific job functions. Standing access to Customer Data is minimised; just-in-time elevation, with reason codes, is required for break-glass operations.
- Audit: every privileged action is logged, signed and retained for at least 12 months.
6. Software development lifecycle
- All code changes go through pull-request review by at least one other engineer.
- Static analysis (SAST), software composition analysis (SCA) and secret scanning run on every commit and block merges on any high-severity finding.
- Pre-production environments mirror production controls. Production deploys are gated, observable and reversible.
- Threat-modelling sessions are run for new product surfaces and major architectural changes.
7. Monitoring and detection
- Application logs, infrastructure logs and audit trails are centralised and retained for at least 12 months.
- Anomaly detection on authentication, privilege escalation, data egress and integration error rates feeds into our on-call rotation.
- We run tabletop exercises at least annually for the most likely Incident classes (account takeover, Sub-processor compromise, ransomware on a developer endpoint).
8. Incident response
- 24x7 on-call rotation with documented escalation paths.
- A confirmed Incident triggers an internal severity classification within 1 hour, and a Customer-facing notification within timelines required by law and our contracts. For DPDP Act-reportable Personal Data Breaches, we notify affected Customers and the Data Protection Board promptly and in any case within 72 hours of detection.
- Every Incident is followed by a written post-mortem with root-cause analysis and corrective actions, shared with affected Customers on request.
9. Backups and disaster recovery
- Production databases are backed up at least daily, with point-in-time recovery for the past 30 days.
- Backups are encrypted, stored in a separate region within India and tested by restore drills at least quarterly.
- Documented recovery objectives (an RPO of 1 hour or less and an RTO of 4 hours or less for the core Service) are validated on each drill.
10. Sub-processor management
We perform documented security and privacy due diligence on every Sub-processor before engagement, and re-assess at least annually. Sub-processors are bound by written agreements that include confidentiality, security and breach-notification obligations no less protective than ours. The current Sub-processor list is published at /legal/sub-processors and is also available on request from security@onefinops.com.
11. People security
- Background checks are run on all employees and contractors with access to production systems, where permitted by law.
- Acceptable-use, confidentiality and security training are mandatory at onboarding and on an annual recurring schedule.
- All employees sign confidentiality and IP-assignment agreements as a condition of employment.
12. Certifications and assessments
OneFinOps is in the process of completing its first SOC 2 Type II audit and ISO/IEC 27001 certification. Independent penetration testing is performed at least annually and after material changes to the platform; reports are available to Enterprise Customers under NDA.
A current status of certifications and recent assessments can be requested from security@onefinops.com.
13. Customer responsibilities
Security is a shared responsibility. Customers are responsible for:
- Configuring strong authentication for their own Users (SSO + MFA recommended; mandatory for admin roles on all plans).
- Managing User lifecycle: provisioning on hire, deprovisioning on departure, periodic access review.
- Protecting their API keys and OAuth tokens, and rotating them at least every 90 days.
- Configuring data-export and retention policies appropriate to their regulatory environment.
14. Responsible disclosure
We welcome reports from the security research community.
- Email: security@onefinops.com
- PGP: public key available on request.
In your report, please include a clear description, reproduction steps, the affected URL or endpoint, and any proof-of-concept material. We will acknowledge within 2 working days, share an initial triage decision within 5 working days, and keep you updated through remediation.
We commit not to pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data and disruption of the Service.
- Work with us to give us reasonable time to investigate and remediate before any public disclosure.
- Do not exfiltrate Customer Data beyond what is necessary to demonstrate the issue.
We do not currently offer monetary bounties, but acknowledge significant reports in our hall of fame and via Customer-facing release notes.
Questions?
Email legal@onefinops.com for legal queries, or privacy@onefinops.com for privacy and data-protection requests.