Security

Compliance-grade software, by default.

What we do to keep your books, returns, and audit trail safe — with details, not buzzwords. Where we are still working towards a certification, we say so plainly.

Data residency: India only
Encryption: TLS 1.3 + AES-256
GSTN channel: Whitebooks GSP
Audit trail: Every change

How we secure your data

Six pillars, audited continuously.

Each pillar is reviewed quarterly by our security panel and refreshed when threat models change.

Encrypted in transit and at rest

TLS 1.3 for every API call. AES-256 for data on disk. Database backups encrypted with separate keys, rotated quarterly.

Hosted in India

All data — GSTINs, returns, books, audit logs — stored in Mumbai (ap-south-1). No data leaves Indian borders for storage or processing.

GSTN-approved channel

Connections to GSTN go through Whitebooks GSP — a NIC-approved partner. Your portal password never leaves your hands.

Role-based access controls

Per-user permissions: filer, reviewer, viewer. Per-client scoping for CA practices. SSO (SAML / Google Workspace) on the enterprise plan.

Immutable audit trail

Every read, write, login and filing event is logged with actor, timestamp, IP, and old-vs-new values. Exportable as CSV the moment a notice arrives.
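As an added illustration of the trail described above (example code, not the product's own), the following Python keeps an append-only log of actor, timestamp, IP and old-vs-new values, chains each record to the previous one by hash so that a later edit or deletion of a past record is detectable, and exports the log as CSV. The hash chaining, the field names and the sample events are assumptions of this example.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timezone

FIELDS = ("seq", "ts", "actor", "ip", "event", "old", "new", "prev_hash", "hash")
GENESIS = "0" * 64  # prev_hash of the very first record (assumed convention)


def _digest(entry: dict) -> str:
    # Hash every field except the record's own hash, in a canonical order.
    body = {k: entry[k] for k in FIELDS if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log: each record commits to the previous record's hash,
    so altering or removing any past record breaks every hash after it."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor, ip, event, old=None, new=None, ts=None) -> str:
        ts = ts or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor, "ip": ip,
                 "event": event,
                 "old": json.dumps(old, sort_keys=True),  # value before the change
                 "new": json.dumps(new, sort_keys=True),  # value after the change
                 "prev_hash": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def to_csv(self) -> str:
        """One row per event, in the shape a notice response needs."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(self.entries)
        return buf.getvalue()
```

Deleting records from the tail is not caught by `verify` alone; recording the latest hash somewhere outside the log (for example alongside each daily backup) closes that gap.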

Secrets handling

GSTN session tokens stored server-side only and rotated per request. Database credentials in a managed secret store, never in code or logs.

Compliance & certifications

Where we stand today.

We say "in progress" when we mean it — no badges we haven't earned.

In progress

SOC 2 Type II

Audit currently in observation period (FY 2026 Q3 target).

In progress

ISO 27001

Information security management system; certification target FY 2027 Q1.

Compliant

IT Act 2000 + DPDP Act 2023

Indian data-protection statutes — data residency, lawful processing, consent.

Compliant

GST CGST Rules

Returns, registers, audit-trail retention as required by Section 35 and Rule 56.

Day-to-day practices

What we actually do, every day.

Least-privilege access

Every team member gets the minimum role needed for their job. Quarterly access reviews.

Secure development

Peer code review on every PR, automated SAST in CI, Dependabot for dependency CVEs.

Incident response

Documented runbook, on-call rotation, customer notification within 72 hours of a confirmed breach.

Daily encrypted backups

Point-in-time recovery for the last 30 days. Restored to a parallel environment monthly to verify integrity.

No third-party tracking in the console

No analytics SDKs, no session replays, no behavioural cookies inside the authenticated app.

Phishing-resistant sign-in

TOTP / WebAuthn (passkeys) supported on all plans. Plain-password-only sign-in can be disabled at the workspace level.

Responsible disclosure

Found a vulnerability? Tell us.

Email support@octetlogictech.com with details. We respond within 24 hours (working days, IST) and run a documented coordinated-disclosure process. Researchers acting in good faith receive public credit and a thank-you bounty.

PGP fingerprint available on request.

Start with one GSTIN. File before month-end.

Drop us a line. We'll have you live in days, not weeks.