1. Our Commitment
E Building handles sensitive financial and personal data for thousands of Indian families. We treat data security as a core product responsibility, not a compliance checkbox.
- All data stored in India (AWS Mumbai region) — data sovereignty by default
- No data sold or shared for advertising purposes
- End-to-end encryption for all sensitive data in transit and at rest
- Annual third-party security assessments
2. Data Encryption
- All data in transit is encrypted using TLS 1.3
- Sensitive fields (PAN, Aadhaar references, bank details) are encrypted at rest using AES-256
- API keys and credentials are stored in encrypted vaults, never in source code
- Database backups are encrypted and stored in a separate AWS region (ap-south-2)
3. Access Controls
- Role-based access control (RBAC): Committee admins, guards, residents, and vendor partners each see only the data their role requires
- Multi-factor authentication: Mandatory MFA for all E Building employee accounts and all society admin accounts. Optional (encouraged) for all resident accounts
- Principle of least privilege: All internal service accounts follow least-privilege principles
- Audit logging: Every data access, login event, admin action, and permission change is logged with timestamp, user ID, and IP address. Logs retained for 1 year
- Employee access: E Building employees can only access production data for support purposes, with full audit trail. Access requires manager approval and expires after 4 hours
- Offboarding: All access revoked within 1 hour of employee departure
4. Security Reviews & Testing
- Annual third-party security assessment: We engage an independent security firm to assess our infrastructure, codebase, and processes annually
- Penetration testing: Conducted annually by certified external testers on our web application, APIs, and mobile apps
- Code security reviews: All code changes go through automated static analysis (SAST) and dependency vulnerability scanning before deployment
- Dependency management: Automated weekly scans for known vulnerabilities. Critical CVEs patched within 24 hours
- Security training: All E Building engineers complete security awareness training during onboarding and annually thereafter
We are currently working towards formal ISO 27001 certification. SOC 2 Type II assessment is planned for Q4 2026.
5. Backups & Disaster Recovery
- Automated daily backups: Full database backups taken daily, stored encrypted in a separate AWS region with 30-day retention
- Point-in-time recovery: Database transaction logs enable restoration to any point within the last 7 days
- Disaster recovery testing: We test our full recovery process quarterly. RTO: 4 hours. RPO: 1 hour
- No data loss migration guarantee: Our society migration process uses dual-write with automated checksums before cutover
6. Security Incident Response
We maintain a documented security incident response plan with defined roles, escalation procedures, and communication templates.
- Detection: Automated alerting on anomalous access patterns, failed authentication, and data access anomalies
- Containment: On-call security team available to isolate and contain incidents within 1 hour of detection
- Notification: Affected users notified within 72 hours of a confirmed data breach, as required by the DPDP Act 2023
- Post-incident review: All incidents documented. Root cause analysis completed within 7 days
- Regulatory reporting: Data breaches reported to the Data Protection Board of India within the required timeframe
7. Compliance
- Digital Personal Data Protection Act, 2023 (DPDP Act): We operate as a Data Fiduciary. Data localisation (India-only), consent management, and data principal rights are built into our platform
- GST and IT Act compliance: Our billing and payment systems comply with Indian GST requirements and the Information Technology Act, 2000
- PCI-DSS: Payment card data handled exclusively by PCI-DSS Level 1 certified partners. E Building does not store, process, or transmit raw card data
- Employment data: Background verification processes comply with applicable data protection and employment law in India
8. Responsible Disclosure
We welcome security researchers who responsibly disclose vulnerabilities. If you believe you have found a security vulnerability in E Building, please:
- Email us at support@ebuilding.in with “Security Disclosure” in the subject line
- Provide a clear description of the vulnerability and steps to reproduce
- Give us reasonable time to investigate and patch before public disclosure
We commit to acknowledging reports within 48 hours, keeping you informed of our investigation progress, and not pursuing legal action against good-faith researchers who follow this process.
In scope: ebuilding.in website, app.ebuilding.in, E Building mobile apps (Android/iOS), and E Building APIs. Out of scope: Third-party services, denial of service attacks, and social engineering attacks.
9. Security Contact