Trust

Security at North

North handles your books, your GST data, your bank balances. We treat that data the way we'd want our own treated. This page describes how.

Last updated: 18 May 2026

How we think about security

North is operated by Finasa Lifestyle Private Limited. Our security posture is built around four pillars: isolate, encrypt, verify, and contain. Each is described below.

1. Architecture

North runs on a multi-tenant cloud architecture with strict per-organisation isolation. The application is built on:

  • Supabase for the application database (PostgreSQL), authentication, and file storage. Our primary region is Mumbai (ap-south-1), ensuring Indian data residency for the canonical store of your data.
  • Cloudflare for CDN, edge compute, DDoS protection, and bot mitigation.
  • Supabase Edge Functions (Deno runtime) for our serverless backend logic — the chat engine, OAuth handlers, compute pipelines.
  • Anthropic Claude and Google Gemini for AI inference. Only the minimum context needed to answer a query is sent to either provider; never your OAuth tokens, never your bank credentials, never your payment details.

2. Data isolation (multi-tenant)

2.1 Row-Level Security on every table

Every table that holds customer data enforces PostgreSQL Row-Level Security. Reads and writes are bound to the authenticated user's organisation_id. A user from organisation A cannot read or write data of organisation B, even with a valid JWT.

2.2 Server-side org derivation

Our chat function never trusts the organisation_id sent in a request body. It derives the organisation from the authenticated user's profile on the server, eliminating an entire class of cross-tenant attacks in which a client supplies another organisation's id.

2.3 Service-role keys never leave the server

The Supabase service_role key bypasses RLS by design. We treat it as a top-tier secret — used only inside Edge Functions, never shipped to the browser, rotated on a documented schedule.
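The three controls above fit together in the database itself. The following is an added illustration, not North's actual schema: the table and column names (profiles, invoices, organisation_id), the helper current_org_id() and the policy name are assumptions; auth.uid(), the authenticated and anon roles, and the BYPASSRLS privilege of service_role are standard Supabase/PostgreSQL facilities. The policy binds reads and writes to the organisation resolved from the JWT subject, so even if an application function mishandled a client-supplied organisation_id, the database would still refuse the cross-tenant row.

```sql
-- Added example (not North's schema): tenant isolation via RLS, with the
-- organisation derived server-side from the caller's profile rather than
-- from anything the client sends. Table and column names are assumptions.

create table profiles (
  id              uuid primary key references auth.users (id),
  organisation_id uuid not null
);

create table invoices (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  amount_paise    bigint not null,
  created_by      uuid not null default auth.uid()
);

-- Resolve the caller's organisation from the JWT subject (auth.uid()) only.
-- SECURITY DEFINER lets it read profiles even when profiles has its own RLS;
-- STABLE lets the planner evaluate it once per statement.
create or replace function current_org_id()
returns uuid
language sql
stable
security definer
set search_path = public
as $$
  select organisation_id from profiles where id = auth.uid();
$$;

-- FORCE makes RLS apply to the table owner too. Only a role with BYPASSRLS
-- (Supabase's service_role) can skip it, which is why that key must stay
-- inside Edge Functions and never reach the browser.
alter table invoices enable row level security;
alter table invoices force row level security;

-- Reads and writes are bound to the caller's organisation. WITH CHECK stops a
-- client from inserting or updating a row into another tenant's organisation
-- even if the request body carries a different organisation_id.
create policy invoices_tenant_isolation on invoices
  for all
  to authenticated
  using (organisation_id = current_org_id())
  with check (organisation_id = current_org_id());

-- Belt and braces: anonymous requests get no access to customer data at all.
revoke all on invoices from anon;
```

A quick check after applying such a policy is to connect with a normal user's JWT (not the service_role key) and attempt an insert whose organisation_id belongs to a different profile; the WITH CHECK clause should reject it with a row-level security violation regardless of what the application layer did.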

3. Encryption

  • In transit — TLS 1.2+ on every request to any North endpoint, with HSTS enforced.
  • At rest — Database storage is encrypted by Supabase's underlying cloud provider (AES-256). Backups are encrypted.
  • Column-level for secrets — OAuth access and refresh tokens for Zoho, Tally, and Gmail are encrypted at the column level on top of disk encryption, using keys managed in Supabase Vault. Plaintext token columns are scheduled for removal after a documented bake-in period.
  • Payment data — handled by Razorpay (PCI-DSS Level 1 certified). We never see or store full card numbers or CVV codes.

4. Authentication & access control

  • Email + password authentication via Supabase, with password complexity requirements and rate-limited sign-in attempts.
  • Session tokens (JWTs) are short-lived and refreshed via secure rotation.
  • Enterprise customers can configure Single Sign-On (SSO).
  • Admin / dashboard access to North's own infrastructure is gated behind unique accounts, audit-logged, and (for production) requires hardware-key-based 2FA where supported.
  • Least-privilege access by design. New engineers get scoped credentials; production access is a separate, audited grant.

5. Audit log & verifiability

Every AI-generated write to your connected accounting system (Zoho / Tally) is logged with:

  • The exact request the user made;
  • The AI's reasoning and confidence score;
  • The source document or summary used;
  • The user (or CA) who approved it;
  • Timestamps, with one-click undo where the write is reversible.

This trail is available to you in the Activity tab and is exported on request for audit purposes.

6. Application security

  • Per-organisation rate limits on the chat endpoint to prevent abuse and runaway billing.
  • Input validation on every Edge Function — request bodies are schema-checked before any database mutation.
  • SSRF protection on outbound HTTP from our backend.
  • Strict Content-Security-Policy headers on web pages.
  • Dependency scanning on every deploy to catch known CVEs.
  • Static analysis on TypeScript / SQL changes before merge.

7. AI safety & quality

Because our AI writes to your books, the cost of a hallucinated entry is real. We mitigate this with:

  • A pending writes queue — every Zoho write goes into a draft state and is confirmed by you (or a CA) before it commits.
  • An output verifier — a second AI pass that flags unsupported claims; our launch posture is shadow-mode while we measure the false-positive rate, with a documented path to enforcement.
  • A test corpus of representative SMB queries that we run continuously to catch regressions.
  • Confidence scores and "data quality" caveats surfaced in the answer when inputs are incomplete.
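Sections 5 and 7 describe a draft-then-approve queue and an audit trail that records who approved each write. The following is an added example of how such a queue and trail can be enforced in PostgreSQL rather than left to application code; it is not North's schema, and the table, column, function and trigger names (pending_writes, audit_log, guard_pending_write, reject_change) are assumptions. auth.uid() is Supabase's standard JWT-subject accessor. The guard allows only the draft-to-confirmed or draft-to-rejected transition, requires an approver on confirmation, and writes an audit row carrying the fields listed in section 5; a second trigger makes the audit table append-only so the trail cannot be rewritten.

```sql
-- Added example (not North's schema): a pending-writes queue whose rows only
-- commit after explicit approval, and an append-only audit trail recording
-- the fields listed in section 5. Table and column names are assumptions.

create table pending_writes (
  id               uuid primary key default gen_random_uuid(),
  organisation_id  uuid not null,
  user_request     text not null,          -- the exact request the user made
  ai_reasoning     text not null,          -- the AI's reasoning
  confidence       numeric(4,3) not null check (confidence between 0 and 1),
  source_document  text,                   -- document or summary the AI used
  payload          jsonb not null,         -- the Zoho/Tally write, as drafted
  status           text not null default 'draft'
                   check (status in ('draft', 'confirmed', 'rejected')),
  approved_by      uuid,                   -- the user or CA who approved it
  created_at       timestamptz not null default now(),
  decided_at       timestamptz
);

create table audit_log (
  id               bigint generated always as identity primary key,
  organisation_id  uuid not null,
  pending_write_id uuid not null references pending_writes (id),
  action           text not null,          -- 'confirmed' or 'rejected'
  actor            uuid not null,
  reversible       boolean not null,       -- drives the one-click undo affordance
  snapshot         jsonb not null,         -- full row as it stood at decision time
  logged_at        timestamptz not null default now()
);

-- Only a draft may change state, and a confirmation must name its approver.
-- Any decision is recorded in audit_log in the same transaction, so a write
-- cannot be confirmed without leaving a trail.
create or replace function guard_pending_write()
returns trigger language plpgsql as $$
begin
  if old.status <> 'draft' then
    raise exception 'pending write % is already %', old.id, old.status;
  end if;
  if new.status = 'confirmed' and new.approved_by is null then
    raise exception 'confirmation requires approved_by';
  end if;
  if new.status <> 'draft' then
    new.decided_at := now();
    insert into audit_log
      (organisation_id, pending_write_id, action, actor, reversible, snapshot)
    values
      (new.organisation_id, new.id, new.status,
       coalesce(new.approved_by, auth.uid()),
       new.status = 'confirmed', to_jsonb(new));
  end if;
  return new;
end $$;

create trigger pending_write_guard
  before update on pending_writes
  for each row execute function guard_pending_write();

-- The trail is append-only: no update or delete is permitted on audit rows.
create or replace function reject_change()
returns trigger language plpgsql as $$
begin
  raise exception 'audit_log is append-only';
end $$;

create trigger audit_log_immutable
  before update or delete on audit_log
  for each row execute function reject_change();
```

With this in place the application's only job is to insert a draft row and later update its status; the database guarantees that a confirmed row has an approver, that a decided row cannot be re-decided, and that the audit entry exists for every decision. The same RLS pattern used for tenant isolation would be applied to both tables so that the Activity tab shows a customer only their own organisation's trail.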

8. Incident response

We follow a documented incident response procedure. On detection of a material security incident, we will:

  • Contain the incident within hours of detection;
  • Notify affected customers without undue delay (and within 72 hours of confirmation, where the DPDP Act or GDPR requires);
  • Publish a written post-mortem with root cause and remediation.

To report a security issue, email security@get-north.in. We aim to acknowledge within 24 hours.

9. Responsible disclosure

We welcome reports from security researchers. If you find a vulnerability, please email security@get-north.in with details and a proof-of-concept. We will:

  • Acknowledge within 24 hours;
  • Triage and respond with a timeline within 5 working days;
  • Credit you publicly (with your permission) once a fix is shipped.

Please test only against accounts you control. Do not access or modify other customers' data, do not perform denial-of-service testing, and do not publish vulnerabilities before we've shipped a fix.

10. Compliance roadmap

Our current posture is built on industry best practices but is not yet certified. We are working toward:

  • SOC 2 Type I — readiness assessment in progress;
  • ISO/IEC 27001 — gap analysis planned for FY 2026-27;
  • DPDP Act readiness — privacy policy, data residency, and grievance mechanism live (see Privacy Policy).

11. Subprocessors

We maintain a list of all subprocessors that may access personal data on our behalf. See the table in our Privacy Policy. We update this list at least 30 days before adding a new subprocessor that processes Customer Data.

12. Contact

Security issues: security@get-north.in

Privacy issues: privacy@get-north.in

General: hello@get-north.in