Security & data ownership
Vasool handles borrower KYC, collections, and cash — so security is foundational, not a feature. Here's exactly how your data is protected, and what you control.
You own your data. We never store it centrally.
Each tenant's data lives in its own database on infrastructure you provide or designate — even a server in your own office. We provide the software; you hold the data. There is no shared, central store that a single breach could expose across lenders.
Data protection & isolation
Your borrowers' data stays yours — separated, encrypted, and on infrastructure you control.
Tenant data isolation
Each finance company runs in a completely separate database and storage. No tenant can reach another tenant's data under any circumstances.
You control the infrastructure
Data lives on servers you provide or designate. Vasool doesn't own or centrally store it — so one breach can never span multiple lenders.
Encrypted in transit
All communication is secured with TLS/SSL using industry-standard protocols, from the field app to the office dashboard.
Storage limits & monitoring
Per-tenant storage quotas with real-time usage monitoring keep resource use accountable and predictable.
Identity & access
Only the right people reach the right data — down to a single action.
JWT authentication
Short-lived access tokens with rotating refresh tokens. Every session is cryptographically signed and validated on each request.
Unified login
A single secure authentication gateway for admins and staff — fewer credential stores, a smaller attack surface.
Biometric login
Fingerprint and face-recognition unlock on the mobile app protects a field agent's device even if it is lost or stolen.
Role-based access control
Granular, custom roles per resource and action. Owners decide exactly what each staff role can view, create, edit, or delete.
Monitoring & resilience
Every change is recorded, and abuse is kept out.
Full audit trail
Every edit is tracked — who changed what, when, and from where — with complete entity-level history for compliance and disputes.
Bot & attack protection
Known crawlers, vulnerability scanners, and common attack paths are detected and blocked automatically.
Rate limiting
Per-endpoint limits defend against brute-force attempts, credential stuffing, and API abuse, keeping the service stable under load.
Distributed tracing
Full request tracing across services surfaces performance issues and suspicious patterns fast.
Being straight with you: Vasool gives you strong technical controls and full data isolation today. Formal certifications (SOC 2, ISO 27001) and RBI-aligned compliance modules (CKYC, credit-bureau reporting) are on our roadmap — Vasool supports your compliance, it doesn't replace your obligations as the lender.
Responsible disclosure
Found a security issue? Report it privately and we'll fix it fast. We acknowledge every report within 48 hours.
Please include a clear description, steps to reproduce, and any supporting evidence.