Customer identity data is the most sensitive thing you hold. BASEKYC encrypts it at the field level, masks Aadhaar by default, isolates every tenant, and logs every access — security designed from the ground up for RBI V-CIP and the DPDP Act.
Sensitive fields — names, dates of birth, phone numbers, PANs, geolocation and biometric scores — are encrypted with AES-256-GCM at the application layer before they ever touch the database, so a leaked backup or compromised disk reveals nothing. Searchable fields use one-way hashes for lookups without decryption. Aadhaar is masked to the last four digits by policy. Every tenant's data is logically isolated, access is gated by role, and optional IP allowlisting locks the portal to known networks. Consent is captured against versioned templates so you can always prove exactly what a customer agreed to, and an immutable audit log records who touched what and when. The result is a platform where data protection is the default state, mapped directly to the obligations under the RBI KYC Master Direction and India's Digital Personal Data Protection Act.
Names, DOB, phone, PAN, geolocation, liveness data and biometric scores are encrypted with AES-256-GCM in the application before storage. Searchable fields carry SHA-256 hash columns so the platform can look up records without ever decrypting the underlying value.
In line with UIDAI guidance, only masked Aadhaar — last four digits visible — is captured, stored and displayed. The full number is never persisted, removing a major data-minimisation and liability risk by design.
Every bank, NBFC or partner is a fully isolated tenant; data, reports and exports are scoped so one tenant can never see another's customers. Six granular roles — from agent to compliance officer — enforce least-privilege access at the route level.
Restrict portal access to your office, VPN or data-centre ranges with per-tenant IP allowlists. Sessions from outside the trusted set are blocked, adding a network-layer control on top of authentication for staff-facing access.
Customers consent against versioned, tenant-configurable templates — video recording, masked-Aadhaar policy, agent disclosure and data sharing. Every acceptance is recorded with the exact template version so you can always prove what was agreed.
Every meaningful action — logins, data access, decisions, exports — is logged with user identity, session and tenant context and a timestamp, giving compliance teams a complete, tamper-evident trail for inspections and breach investigations.
All traffic — customer journey, agent portal and APIs — is served over TLS, and API responses carry no-store cache headers so sensitive payloads are never cached by intermediaries or CDNs.
Before data is written, sensitive fields are encrypted with AES-256-GCM and indexed via one-way hashes. Documents and recordings live in access-controlled storage, scoped per tenant.
Role-based permissions, tenant scoping and optional IP allowlists decide who can reach the data, while the audit log records every access — so authorisation and accountability are always provable.
The Digital Personal Data Protection Act, 2023 requires lawful, consent-based and purpose-limited processing of personal data. Versioned consent capture, Aadhaar masking, field-level encryption and tenant-scoped access map directly to the Act's consent, data-minimisation and security-safeguard duties of a Data Fiduciary.
RBI's directions on IT governance and cyber security require strong access control, encryption of sensitive data and comprehensive logging. Role-based access, IP allowlisting, encryption at rest and an immutable audit trail are built to satisfy these controls for regulated entities and their service providers.
UIDAI regulations restrict the storage and display of full Aadhaar numbers. By capturing and showing only masked Aadhaar, the platform keeps regulated entities on the right side of Aadhaar data-handling rules without extra configuration.
For institutions with strict data-sovereignty requirements, BASEKYC supports on-premise and in-region deployment so customer recordings and documents stay within your own infrastructure — complementing the platform's encryption and access controls.
Field Encryption at Rest
Searchable Hash Index
Encryption in Transit
Aadhaar by Default
Granular RBAC
Isolation & IP Allowlist
Consent Templates
API Cache Headers
Banks handle the most sensitive customer data — encryption, masking and audit logging keep V-CIP onboarding compliant and breach-resistant.
IRDAI-regulated insurers need verifiable consent and secure handling of policyholder identity and health-adjacent data across the policy lifecycle.
Onboarding NRIs and overseas customers raises data-residency and consent questions that encryption, tenant isolation and deployment choice help answer.
What the Digital Personal Data Protection Act means for video KYC — consent, data minimisation, retention and the obligations it places on regulated entities.
When to choose self-hosted video KYC, how data residency requirements shape deployment, and the trade-offs between cloud and on-premise.
How to structure immutable audit logs for V-CIP sessions, manage retention periods, and prepare for regulatory inspections with confidence.
See how field-level encryption, masking, tenant isolation and immutable audit logs keep your KYC data protected and your compliance team confident.