Security · posture, not slogans
What stands between your data and trouble.
Most security pages are wishful. This one is what's actually in place today and what's planned next, with dates — in plain words.
How your data is locked
- On our servers: each shop's data is kept separate and locked with its own key. Two shops never share a key, so even if one shop's key were somehow exposed, no other shop is touched.
- On the way there and back: every connection — your phone to us, and us to your phone — is scrambled in transit. There is no unprotected shortcut it can fall back to.
- For backups: backups have their own separate set of keys, changed every three months. Even restoring a backup is a logged event someone can see later.
Who can get in
- Inside the app: each role — owner, manager, worker, family — sees only what it needs. Workers don't see your margins by default. Family members don't see staff pay. You set this per shop.
- Our own team: our access to your live data is limited, logged, and time-limited — no standing all-access logins. Every time anyone on our side opens your data, a record is written. Engineers included.
- Outside services: anything you connect gets only what you grant it, and you can cut it off from your shop's settings.
A record of everything
Every change that matters — a bill made, a draft approved, a user added, a role changed, an export taken — writes a record, stamped with who did it and when, and built so it can't be quietly altered after the fact. You can export the whole trail whenever you want, and we keep it for the 8 years the law requires.
Signing in
- Phone-number OTP is the normal way shop users sign in. A password backup is optional.
- An extra check is required for the owner, and for anyone exporting financial data.
- A sign-in expires after 30 days of no use. You can sign out any other device from a device you're on.
- A sign-in from a new phone or a new place triggers an extra check on the spot and a heads-up to the owner.
One shop can never see another
A core decision: no two shops share a database, a key, or a list. There is no single master table where a clever query could reach across shops. Pia genuinely can't see from one shop into another — not because we ask it nicely, but because it's built so it can't.
We don't train AI on your shop's data without a written, separately-given yes. That opt-in is never bundled with getting a feature. See privacy and DPDPA 2023.
If something goes wrong
- We notice. We watch for odd sign-ins, unusual bursts of writing, signs of data being pulled out, and system health around the clock.
- We size it up. How serious it is gets judged against a written checklist within 30 minutes of spotting it.
- We contain it. Affected parts go offline, keys get changed, sign-ins get cut — as far as the severity calls for.
- We tell you. Affected shops are contacted within 24 hours of confirmed impact. Anything serious is reported to the Data Protection Board of India within 72 hours, as the law requires.
- We explain. A public write-up follows within 14 days for any incident that hit more than one shop, linked from the status page.
Found a hole? Tell us
Found a security problem? Email founder@hey-pia.com with the subject “Security disclosure.” We commit to:
- Replying within 24 hours.
- Confirming how serious it is and our plan to fix it within 5 working days.
- Crediting you publicly, if you'd like, once the fix is out.
- Not coming after good-faith security research that follows reasonable disclosure norms.
We don't run a paid bug-bounty yet. We do honour every responsibly-disclosed finding with a real acknowledgment and, where it's earned, a reward of our choosing.
What we're building next
- SOC 2 Type I — an independent audit of our security controls; scoping underway, targeted for Q4 2026.
- ISO 27001 — a further security-management standard; scoped after SOC 2, targeted for 2027.
- Hardware-key sign-in for the owner — on the roadmap for Q3 2026.
- An extra device confirmation for risky actions — in design now.
What you can do today
- Turn on the extra sign-in check for every owner login.
- Review your team's roles in Settings — remove access for anyone who no longer needs it.
- Take an export every quarter. Even if you trust us, an offline copy is a good thing for any careful CA to have.