Feature

Data Security & Compliance

Customer identity data is the most sensitive thing you hold. BASEKYC encrypts it at the field level, masks Aadhaar by default, isolates every tenant, and logs every access — security designed from the ground up for RBI V-CIP and the DPDP Act.

Overview

Secure by Design, Not by Add-On

Sensitive fields — names, dates of birth, phone numbers, PANs, geolocation and biometric scores — are encrypted with AES-256-GCM at the application layer before they ever touch the database, so a leaked backup or compromised disk reveals nothing. Searchable fields use one-way hashes for lookups without decryption. Aadhaar is masked to the last four digits by policy. Every tenant's data is logically isolated, access is gated by role, and optional IP allowlisting locks the portal to known networks. Consent is captured against versioned templates so you can always prove exactly what a customer agreed to, and an immutable audit log records who touched what and when. The result is a platform where data protection is the default state, mapped directly to the obligations under the RBI KYC Master Direction and India's Digital Personal Data Protection Act.

Key Highlights

  • Field-level AES-256-GCM encryption of all sensitive customer data at rest
  • Masked Aadhaar by default — only the last 4 digits ever stored or shown
  • Per-tenant isolation with role-based access control across 6 roles
  • Per-tenant IP allowlisting to restrict access to trusted networks
  • Versioned consent capture and an immutable, fully-attributed audit log

Capabilities

What You Can Do

Field-Level Encryption

Names, DOB, phone, PAN, geolocation, liveness data and biometric scores are encrypted with AES-256-GCM in the application before storage. Searchable fields carry SHA-256 hash columns so the platform can look up records without ever decrypting the underlying value.

Aadhaar Masking

In line with UIDAI guidance, only masked Aadhaar — last four digits visible — is captured, stored and displayed. The full number is never persisted, removing a major data-minimisation and liability risk by design.

Tenant Isolation & RBAC

Every bank, NBFC or partner is a fully isolated tenant; data, reports and exports are scoped so one tenant can never see another's customers. Six granular roles — from agent to compliance officer — enforce least-privilege access at the route level.

IP Allowlisting

Restrict portal access to your office, VPN or data-centre ranges with per-tenant IP allowlists. Sessions from outside the trusted set are blocked, adding a network-layer control on top of authentication for staff-facing access.

Versioned Consent Capture

Customers consent against versioned, tenant-configurable templates — video recording, masked-Aadhaar policy, agent disclosure and data sharing. Every acceptance is recorded with the exact template version so you can always prove what was agreed.

Immutable Audit Logging

Every meaningful action — logins, data access, decisions, exports — is logged with user identity, session and tenant context and a timestamp, giving compliance teams a complete, tamper-evident trail for inspections and breach investigations.

Defence in Depth

01

Encrypt in Transit

All traffic — customer journey, agent portal and APIs — is served over TLS, and API responses carry no-store cache headers so sensitive payloads are never cached by intermediaries or CDNs.

02

Encrypt at Rest

Before data is written, sensitive fields are encrypted with AES-256-GCM and indexed via one-way hashes. Documents and recordings live in access-controlled storage, scoped per tenant.

03

Control & Account for Access

Role-based permissions, tenant scoping and optional IP allowlists decide who can reach the data, while the audit log records every access — so authorisation and accountability are always provable.

Compliance

Mapped to Indian Regulation

DPDP Act — Data Minimisation & Consent

The Digital Personal Data Protection Act, 2023 requires lawful, consent-based and purpose-limited processing of personal data. Versioned consent capture, Aadhaar masking, field-level encryption and tenant-scoped access map directly to the Act's consent, data-minimisation and security-safeguard duties of a Data Fiduciary.

RBI Master Direction on IT Governance

RBI's directions on IT governance and cyber security require strong access control, encryption of sensitive data and comprehensive logging. Role-based access, IP allowlisting, encryption at rest and an immutable audit trail are built to satisfy these controls for regulated entities and their service providers.

UIDAI Aadhaar Data Handling

UIDAI regulations restrict the storage and display of full Aadhaar numbers. By capturing and showing only masked Aadhaar, the platform keeps regulated entities on the right side of Aadhaar data-handling rules without extra configuration.

Data Residency & On-Premise Options

For institutions with strict data-sovereignty requirements, BASEKYC supports on-premise and in-region deployment so customer recordings and documents stay within your own infrastructure — complementing the platform's encryption and access controls.

Specifications

Technical Specifications

AES-256-GCM

Field Encryption at Rest

SHA-256

Searchable Hash Index

TLS

Encryption in Transit

Masked

Aadhaar by Default

6 Roles

Granular RBAC

Per-Tenant

Isolation & IP Allowlist

Versioned

Consent Templates

No-Store

API Cache Headers

Related Use Cases

Further Reading

Security That Passes the Audit

See how field-level encryption, masking, tenant isolation and immutable audit logs keep your KYC data protected and your compliance team confident.