Our commitment: Your financial data is among the most sensitive information you have. We treat it with the highest level of care, using bank-grade security practices to ensure it stays protected at every step.
Encryption
In Transit
All data transmitted between your browser and Lipic servers is encrypted using TLS 1.3. API calls, email connections, and file uploads are all protected with industry-standard encryption.
At Rest
All stored data — including transaction records, uploaded documents, and account information — is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic rotation.
Email Access Security
- Read-only access: Lipic requests only read permissions when connecting to your email. We cannot send, modify, or delete emails.
- OAuth 2.0: We use OAuth 2.0 for email authentication. We never see or store your email password.
- Selective processing: Only emails matching financial patterns (invoices, receipts, payment confirmations, bank notifications) are processed. Personal emails are never accessed.
- Revocable anytime: You can disconnect your email from Lipic at any time, either from your Lipic settings or directly from your email provider.
Infrastructure
- Hosted on enterprise-grade cloud infrastructure with data centers in India.
- Network isolation with private VPCs and strict firewall rules.
- Automated backups with encryption, stored in geographically separate locations.
- DDoS protection and web application firewall (WAF) active at all times.
- 99.9% uptime SLA with redundant systems and automatic failover.
Access Controls
- Role-based access control (RBAC) for all internal systems.
- Multi-factor authentication (MFA) required for all team members.
- Principle of least privilege — employees only have access to what they need.
- Access logs are monitored and audited regularly.
- All production access requires approval and is time-bound.
Application Security
- Regular penetration testing by independent security firms.
- Automated vulnerability scanning in our CI/CD pipeline.
- Dependency monitoring for known security vulnerabilities.
- Secure coding practices enforced through code reviews and static analysis.
- Input validation and parameterized queries to prevent injection attacks.
Data Handling
- Financial emails are processed in real time — raw email content is not stored.
- Only extracted transaction data (amounts, dates, vendors, categories) is retained.
- Uploaded bank statements are processed and then encrypted at rest.
- Account deletion triggers permanent removal of all data within 30 days (backups within 90 days).
- Data export available at any time in standard formats.
Compliance
We are committed to meeting the highest standards of data protection and are actively working toward the following certifications:
- SOC 2 Type II — Independent audit of our security controls (in progress).
- ISO 27001 — Information security management system (planned).
- DPDPA Compliance — Fully compliant with India's Digital Personal Data Protection Act.
Incident Response
In the unlikely event of a security incident:
- We have a documented incident response plan with defined roles and escalation paths.
- Affected users will be notified within 72 hours of confirmation.
- A detailed incident report will be shared with impacted customers after resolution.
- Corrective measures will be implemented and verified before the case is closed.
Responsible Disclosure
If you discover a security vulnerability, we encourage responsible disclosure. Please report it to security@lipic.in. We take all reports seriously and will respond within 48 hours.
Questions?
For any security-related questions or concerns, reach out to us at security@lipic.in or visit our Contact page.