Enterprise security and systems

Security is a foremost priority at LotusPay. We began as a platform that manages some of our customers' most sensitive confidential information, their financial data. Privacy and reliability have therefore been at the core of our business since day one.

We strive to build a secure application with the highest standards for the confidentiality, integrity, and availability of data, while maintaining best-in-class performance. As an organisation, we work in accordance with security best practices to uphold the integrity of our customers' data, and many banks and financial institutions trust LotusPay to protect their most sensitive assets. This document describes the systems and practices through which we provide an enterprise-grade service to our customers.

Architecture

LotusPay is hosted on Amazon Web Services (AWS), on infrastructure designed for 99.99% availability. LotusPay's application server runs on Amazon EC2, our content server on Amazon S3, and our database server on Amazon Relational Database Service (RDS). All of these services are configured with failover and fault tolerance. The LotusPay service is hosted entirely in the AWS India region, and uses multiple Availability Zones within that region for redundancy.

LotusPay is built with a distributed architecture in which all services run inside a protected Virtual Private Cloud (VPC). Within the VPC, each LotusPay service has its own security group, and services communicate only over the routes defined in our subnets' route tables. All data in transit is protected with TLS 1.2. Data at rest is encrypted by Amazon RDS and S3 with AES-256. Bank account numbers are additionally encrypted at the field level, so the storage-layer encryption is not the only control protecting them. All API and client communication (web and mobile) requires HTTPS.
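The paragraph above distinguishes storage-layer encryption (RDS and S3 with AES-256) from field-level encryption of bank account numbers. The Go program below is an added illustration of what field-level encryption on top of an encrypted database looks like; it is not LotusPay's code, and the page does not describe LotusPay's key management. It assumes a hypothetical 256-bit data-encryption key `DEK` (derived from a constant here only so the example runs offline; a real deployment would fetch it from a key-management service), seals each account number with AES-256-GCM, binds the owning record ID in as additional authenticated data so a ciphertext copied onto another record is rejected, and shows the masked display form that screens and logs would use instead of the plaintext. The mandate ID and account number are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// DEK is a 256-bit data-encryption key. Hypothetical: a real deployment would
// fetch it from a key-management service, never derive it from a constant.
// It is derived from a fixed string here only so the example runs offline.
var DEK = sha256.Sum256([]byte("example-only-key-material"))

// EncryptField seals one sensitive value (here a bank account number) with
// AES-256-GCM. The owning record's ID is bound in as additional authenticated
// data (AAD), so a ciphertext copied onto another record will not decrypt.
// Output is base64(nonce || ciphertext || tag), suitable for a text column.
func EncryptField(key [32]byte, recordID, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField and fails closed on any tampering,
// truncation or record-ID mismatch.
func DecryptField(key [32]byte, recordID, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", fmt.Errorf("field decrypt failed: %w", err)
	}
	return string(pt), nil
}

func newAEAD(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MaskAccount is the display form for screens and logs: only the last four
// digits are ever shown, so the plaintext never needs to leave the service.
func MaskAccount(account string) string {
	if len(account) <= 4 {
		return strings.Repeat("X", len(account))
	}
	return strings.Repeat("X", len(account)-4) + account[len(account)-4:]
}

func main() {
	// Constructed sample values, not real mandate or account data.
	const mandateID, account = "MND-000123", "123456789012"

	stored, err := EncryptField(DEK, mandateID, account)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in DB :", stored)
	fmt.Println("shown in UI  :", MaskAccount(account))

	if pt, err := DecryptField(DEK, mandateID, stored); err == nil {
		fmt.Println("decrypted    :", pt)
	}
	// Same ciphertext attached to a different mandate: AAD mismatch, rejected.
	if _, err := DecryptField(DEK, "MND-000999", stored); err != nil {
		fmt.Println("moved record :", err)
	}
}
```

The point of the AAD binding is that a database operator who can read and write ciphertext columns still cannot swap one customer's encrypted account number onto another mandate without the decryption failing, which storage-layer encryption alone does not prevent.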

Application Security

LotusPay is designed to reduce the storage of NACH Debit details within your organisation, and so reduces your risk footprint. Payment instrument data is one of the most sensitive assets an organisation holds, and every additional copy of a mandate or transaction record created within your company makes that data harder to audit and protect. LotusPay alleviates this problem: your team keeps one copy of an instrument instead of a duplicate for every user, and sharing is replaced with real-time views.

In addition to NACH Debit data, LotusPay stores data from other communication channels, such as sponsor banks and end customers. Administrators can therefore consolidate and monitor omni-channel communications through one protected platform.

LotusPay's administration console provides an intuitive interface for managing access control lists. All access to LotusPay requires authentication with a username and password.

The LotusPay Teams feature allows central administration of your entire business's NACH Debit data in LotusPay. Each team member has individual settings and security controls, and businesses can delegate rights to specific team members. LotusPay's admin console provides out-of-the-box analytics and reports. Comprehensive audit trails ensure that actions taken in LotusPay are logged and readily available to your LotusPay administrators, giving you visibility into where your confidential information is at any time.

Security Controls

Access and control

Access to sensitive customer data is restricted to a select group of individuals on our team. Sensitive administrative actions trigger notifications, which are monitored in real time, and the actions are written to an immutable log. Audit logs record the individual actions performed by users as well as all server requests. Our employees undergo security training and testing as part of the standard on-boarding procedure, in addition to monthly security training. We handle sensitive data through our mature information security management system to minimise risk and proactively prevent security breaches.
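The paragraph above says sensitive administrative actions are written to an immutable log, and the Application Security section relies on audit trails. The page does not say how LotusPay makes its log immutable, so the Go program below is an added illustration of one common technique, not LotusPay's implementation: each audit entry commits to the hash of the entry before it, so editing, deleting or reordering any earlier entry breaks every later link, and `Verify` reports the first index that no longer checks out. The entry type, field names and the sample actions are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEntry is one logged administrative action. Each entry commits to the
// hash of the entry before it, so editing, deleting or reordering any earlier
// entry invalidates every later link. Field names are hypothetical.
type AuditEntry struct {
	Seq      int
	Actor    string
	Action   string
	Target   string
	PrevHash string
	Hash     string
}

// genesisHash is the PrevHash of the first entry.
var genesisHash = strings.Repeat("0", 64)

// entryHash hashes the fields with length prefixes so that shifting a
// boundary between two fields cannot produce the same digest.
func entryHash(seq int, actor, action, target, prev string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%d:%s|%d:%s|%d:%s|%s",
		seq, len(actor), actor, len(action), action, len(target), target, prev)
	return hex.EncodeToString(h.Sum(nil))
}

// AuditLog is an append-only, hash-chained list of entries.
type AuditLog struct {
	Entries []AuditEntry
}

// Append records an action, linking it to the current head of the chain.
func (l *AuditLog) Append(actor, action, target string) AuditEntry {
	prev := genesisHash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.Entries), Actor: actor, Action: action, Target: target, PrevHash: prev}
	e.Hash = entryHash(e.Seq, e.Actor, e.Action, e.Target, e.PrevHash)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose
// sequence number, back-link or hash does not check out, or -1 if the whole
// log is intact. A reviewer runs this against a copy of the log to detect
// tampering after the fact.
func (l *AuditLog) Verify() int {
	prev := genesisHash
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev ||
			e.Hash != entryHash(e.Seq, e.Actor, e.Action, e.Target, e.PrevHash) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	// Constructed sample actions, not real LotusPay log data.
	var log AuditLog
	log.Append("alice@example.com", "ROLE_GRANT", "bob@example.com:admin")
	log.Append("alice@example.com", "EXPORT", "mandates.csv")
	log.Append("bob@example.com", "MANDATE_CANCEL", "MND-000123")
	fmt.Println("intact, first bad index:", log.Verify())

	// An insider rewrites history to hide who was granted admin.
	log.Entries[0].Target = "carol@example.com:admin"
	fmt.Println("after edit, first bad index:", log.Verify())
}
```

A hash chain only proves integrity relative to its head: whoever can rewrite the whole file can also recompute every hash. The head hash (or the entries themselves) therefore has to be shipped somewhere the application host cannot alter, which is the reason the Incident response section's point about hosting monitoring independently of production matters for logs as well.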

Software development

LotusPay's development practices follow OWASP guidelines to protect against common attacks. The application source code is stored in a secured environment, and every change is peer reviewed. LotusPay uses automated tooling to continuously scan application repositories for vulnerable third-party dependencies, and deploys through continuous integration with built-in unit and full integration tests for both the server and client code bases.

Incident response

LotusPay has a defined information security incident response program to detect and respond to incidents and to maintain business continuity. LotusPay uses automated monitoring to continuously watch production servers and detect intrusions; these monitoring services are hosted independently of the production systems they watch, so that monitoring does not share a failure domain with production. Alerts are sent through multiple redundant channels to multiple members of the incident response team.

Data privacy and durability

LotusPay stores data in India only. Customers cannot choose the geographic location their data is served from. LotusPay adheres to the OWASP Application Security Verification Standard (ASVS) Level 3 requirements.

Business continuity plan

LotusPay has established procedures to recover service and maintain business continuity in the event of a disaster. The business continuity plan is tested regularly and currently targets a recovery point objective (RPO) of 4 hours and a recovery time objective (RTO) of 8 hours. Database backups are taken nightly, and content is synchronously replicated to a second location. Backup restores are tested every two weeks.

Information security management

LotusPay has a comprehensive and robust information security management system (ISMS). It comprises more than 30 policies, covering information risk management, network security, access control, cloud security, supplier management and governance, software release, change management, information security roles, training, asset management, incident management, backup and disaster recovery, cryptographic key management, physical security, human resources, confidential information, patch management, firewall, vulnerability assessment, server monitoring and more. The Chief Information Security Officer delivers regular training to all staff, and the policies are reviewed annually.

If you have any questions about LotusPay's security practices and procedures, please contact support.

Last updated 1 year ago