Last updated: 28 April 2026 · Aqryn Technologies · Applies to all products under finvyr.com
This page describes the technical and organisational security measures Aqryn Technologies has implemented to protect your data across all our Products. We believe you deserve to know exactly how your business data is stored, isolated, and protected — with no vague assurances.
Security is foundational to every product we build. Your business data — invoices, stock records, weighment data, financial records, client information — belongs to you and you alone. Aqryn Technologies treats data protection as a core engineering requirement, not an afterthought. This page explains the specific technical and organisational measures we have put in place to protect your data across all our Products: Finvyr™ Invoice, Stock, Weigh, Food, Agri, and Sell.
All Products run on a security-certified infrastructure stack:
• Supabase — Database, authentication, and file storage. Supabase is SOC 2 Type II certified and ISO 27001 compliant. Data is hosted on AWS infrastructure in the ap-south-1 (Mumbai) region for Indian users, keeping your data within India.
• Vercel — Application hosting and edge delivery. Vercel is SOC 2 Type II certified.
• Cloudflare — DDoS protection, Web Application Firewall (WAF), and CDN. Cloudflare absorbs and filters malicious traffic before it reaches our servers.
We do not run our own bare-metal servers. Our infrastructure providers maintain physical security, power redundancy, fire suppression, and hardware-level encryption.
Your data is encrypted at every layer:
In Transit: All communication between your browser/app and our servers uses HTTPS with TLS 1.2 or higher. We enforce HSTS (HTTP Strict Transport Security) so your browser always connects securely. Unencrypted HTTP connections are automatically redirected to HTTPS.
At Rest: All data stored in our database is encrypted at rest using AES-256, managed by Supabase on AWS. File uploads (logos, attachments) stored in Supabase Storage are also encrypted at rest.
Passwords: We never store passwords in plain text. Passwords are hashed using bcrypt with a sufficient cost factor, managed by Supabase Auth. Even our own team cannot read your password.
This is one of our most critical security properties. We use Supabase Row-Level Security (RLS) — a database-level access control mechanism that ensures every query is automatically filtered to return only the authenticated user's own data.
What this means in practice:
— No user can ever read, write, or access another user's invoices, records, clients, or any business data — even if they somehow obtained a valid session token.
— Our own application code cannot accidentally expose cross-user data because the database itself enforces the isolation.
— Even a bug in our application layer cannot bypass RLS — the database policy is the final guard.
Your data is completely siloed from every other user on the platform at the database level.
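As an added illustration of the mechanism described above (not Aqryn Technologies' actual schema or policies), this is how per-user isolation is typically declared on a Supabase Postgres table. The `invoices` table, its columns, and the policy names are hypothetical; `auth.uid()` and the `authenticated` role are Supabase's own.

```sql
-- Hypothetical table: names and columns are illustrative, not Aqryn's schema.
create table public.invoices (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null default auth.uid() references auth.users (id),
  customer     text not null,
  amount_paise bigint not null check (amount_paise >= 0),
  created_at   timestamptz not null default now()
);

-- Until RLS is enabled, policies are ignored and table grants alone decide access.
alter table public.invoices enable row level security;
-- Apply policies to the table owner too; superusers and BYPASSRLS roles stay exempt.
alter table public.invoices force row level security;

-- Reads: a signed-in user sees only rows whose owner_id matches the JWT subject.
create policy invoices_select_own on public.invoices
  for select to authenticated
  using ((select auth.uid()) = owner_id);

-- Inserts: a row cannot be created on behalf of another user.
create policy invoices_insert_own on public.invoices
  for insert to authenticated
  with check ((select auth.uid()) = owner_id);

-- Updates: USING limits which rows can be touched; WITH CHECK stops
-- owner_id from being reassigned to someone else.
create policy invoices_update_own on public.invoices
  for update to authenticated
  using ((select auth.uid()) = owner_id)
  with check ((select auth.uid()) = owner_id);

create policy invoices_delete_own on public.invoices
  for delete to authenticated
  using ((select auth.uid()) = owner_id);

-- Audit check: any table in the public schema that still has RLS switched off.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind in ('r', 'p')
  and not c.relrowsecurity;
```

Roles with the BYPASSRLS attribute, such as Supabase's `service_role`, are not subject to these policies, so that key belongs only in trusted server-side code. The audit query should return no rows on a schema where every table is covered.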
Aqryn Technologies does not store, process, or handle any payment card data, bank account credentials, or UPI PINs — yours or your customers'.
For your subscription payments to us: All transactions are processed by Razorpay (India) or Stripe (International), both of which are PCI DSS Level 1 compliant — the highest level of payment security certification. We receive only a payment status (success/failed) and a transaction reference ID. Card details never pass through our servers.
For payments between you and your customers: The Products help you generate UPI QR codes or payment links that point directly to your own registered payment accounts (your UPI handle, your Razorpay account, your Stripe account). Money moves directly from your customer to you. Aqryn Technologies has no visibility into or access to these transactions at any point.
Account security features:
— Email and password login with bcrypt-hashed password storage.
— Magic link / OTP login via email (passwordless option) managed by Supabase Auth.
— Session tokens are short-lived, rotated on every use, and invalidated on sign-out.
— Failed login attempts are rate-limited to prevent brute-force attacks.
— All sessions are bound to the originating device and invalidated if the account password changes.
Our own team's access:
— Production database access is restricted to a minimal set of authorised engineers.
— All production access is logged and audited.
— No Aqryn Technologies employee can read your passwords or payment card details under any circumstance.
— Admin access to user data is available only for the purposes of customer support when explicitly requested by the account holder.
Our engineering practices include:
— Input validation and sanitisation on all user-supplied data to prevent SQL injection, XSS (Cross-Site Scripting), and CSRF (Cross-Site Request Forgery) attacks.
— Parameterised queries throughout — we never interpolate user input directly into database queries.
— Content Security Policy (CSP) headers to prevent script injection.
— Strict CORS (Cross-Origin Resource Sharing) policies restricting API access to our own domains.
— Rate limiting on all public-facing API endpoints to prevent abuse and denial-of-service attempts.
— Regular dependency audits to identify and patch known vulnerabilities in third-party libraries.
We make a clear, unconditional commitment:
— We do not sell your data. Ever. To anyone. For any price.
— We do not share your business data with advertisers, data brokers, or analytics resellers.
— We do not use Google Analytics, Facebook Pixel, or any third-party behavioural tracking or advertising technology within the authenticated areas of our Products.
— We do not build advertising profiles from your business data.
— We do not use your business data (invoices, records, client names, financial figures) to train AI models or for any purpose other than providing the Product to you.
Our business model is subscriptions — your data is not part of our revenue model.
Supabase performs automated daily database backups with point-in-time recovery (PITR) available. Backups are stored in geographically separate locations from primary data. In the event of a data loss incident caused by our infrastructure (not by your accidental deletion), we will restore from the most recent backup and notify affected users promptly. We recommend that you periodically export your own data using the CSV export features available in each Product as an additional safeguard. We cannot recover data that you have intentionally deleted from within the Product.
If we detect or become aware of a security incident affecting user data, we will:
1. Contain the incident immediately and assess the scope.
2. Notify affected users by email within 72 hours of confirmed breach discovery.
3. Notify relevant data protection authorities as required by applicable law (including India's DPDPA 2023 and GDPR where applicable).
4. Publish a post-incident report within 30 days explaining what happened, what data was affected, what we did, and what we are doing to prevent recurrence.
We are committed to transparency in the event of any security incident. We will not suppress or downplay breach notifications.
We welcome reports from security researchers who discover vulnerabilities in our Products. If you believe you have found a security vulnerability, please disclose it responsibly:
Email: support@finvyr.com
Subject: "Security Vulnerability — [Brief Description]"
Please include:
— A description of the vulnerability and its potential impact.
— Steps to reproduce the issue.
— Your contact information for follow-up.
We commit to: acknowledging your report within 2 business days, keeping you informed of our investigation progress, and not pursuing legal action against researchers who act in good faith.
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity (typically 30 days) to investigate and deploy a fix.
Aqryn Technologies operates in compliance with:
— Digital Personal Data Protection Act, 2023 (India) — DPDPA
— Information Technology Act, 2000 (India)
— Information Technology (Reasonable Security Practices and Procedures) Rules, 2011
— General Data Protection Regulation (GDPR) — for users in the European Economic Area
— PCI DSS — through our payment processors Razorpay and Stripe (we ourselves are not a PCI merchant for card data)
— Legal Metrology Act, 2009 — relevant to the Weigh product's record-keeping features
We review and update our security practices regularly as regulations and threats evolve.
For security questions, vulnerability reports, or data protection inquiries:
Email: support@finvyr.com
Company: Aqryn Technologies, India
We take all security communications seriously and aim to respond within 2 business days.
© 2026 Aqryn Technologies. All rights reserved. Finvyr Invoice · Stock · Weigh · Food · Agri · Sell are products of Aqryn Technologies, India.