Security

We take your financial data seriously.

Security isn't a feature we ship; it's how we build. Here's what we do to keep your money and data safe.

How we protect you

AES-256 encryption at rest

Every database row, file, and backup containing personal data is encrypted with AES-256-GCM.

TLS 1.3 in transit

All traffic between the app and our servers uses TLS 1.3. We enforce HSTS and reject weaker cipher suites.

Zero credential storage

We never store payment credentials, UPI PINs, or card numbers. These are handled directly by Stripe and Razorpay under PCI DSS.

Minimal data access

Production data access is granted on a least-privilege basis with mandatory MFA. Access is logged and audited.

Regular pen testing

We commission independent penetration tests quarterly. Critical findings are remediated within 48 hours.

Real-time threat monitoring

Anomalous login patterns, unusual API activity, and potential injection attacks are flagged and blocked in real time.

Responsible disclosure programme

We welcome security researchers who help us keep SplitEase safe. If you discover a vulnerability, please disclose it responsibly and we'll work with you to fix it quickly.

Scope: All SplitEase iOS and Android apps, the splitease.app website, and the SplitEase API.

Out of scope: Social engineering attacks on staff, physical security, denial-of-service attacks, and issues in third-party dependencies that have already been publicly disclosed.

How to report: Email a detailed description, reproduction steps, and your contact information to hello@splitease.ai. Encrypt sensitive reports using our PGP key (fingerprint available on request).

Our response process

1. Report received

We acknowledge your report within 24 hours.

2. Triage & validate

Our security team validates the issue and assesses severity within 3 business days.

3. Remediation

Critical issues are patched within 48 hours. High within 7 days. Medium within 30 days.

4. Credit & disclosure

With your permission, we credit you in our Hall of Fame. Coordinated disclosure after the patch is live.

What we ask in return

  • Do not access, modify, or delete data belonging to other users.
  • Do not perform denial-of-service attacks or automated scanning at scale.
  • Do not publicly disclose the vulnerability before we've had a chance to fix it.
  • Act in good faith; we will do the same.

We do not currently offer a paid bug bounty, but we will publicly acknowledge all valid reporters (with your consent) in our Security Hall of Fame.

Found a vulnerability?

Report it responsibly and we'll work together to make SplitEase safer.

hello@splitease.ai