Trust & security
Built for the data a CA practice holds.
A practice holds its clients' PAN, Aadhaar, bank details, and returns. FirmsNest is built around that responsibility — India data residency, encrypted storage, tenant isolation enforced in the database, and an audit trail behind every action.
Data residency
Your clients' data stays in India.
Everything FirmsNest holds is hosted in an India region. Personal data is not transferred outside India: it is stored, processed, and backed up within the country, on India-resident infrastructure. That goes further than the Digital Personal Data Protection Act, 2023 demands; the Act permits transfers outside India except to countries the Central Government restricts by notification, and FirmsNest simply makes none.
Data residency is not a setting you toggle. It is where the platform runs, by design.
India region, end to end
- Database, document storage, and backups all hosted in an India region.
- No personal data transferred outside India.
- Stricter than the cross-border transfer rules of the DPDP Act, 2023 require.
What we store & how
The sensitive bits are minimised or encrypted.
The most sensitive data a practice handles is the data we are most careful with — stored as little as possible, encrypted where it must be kept, and kept out of logs.
Aadhaar — last-4 only
We never store a full Aadhaar number. Only the last four digits are kept, for matching and reference, so the identifier that matters most stays out of the database.
Bank-account numbers — encrypted
Bank-account numbers are held in encrypted storage at rest. They are decrypted only when the firm needs them, never exposed in lists, logs, or audit records.
Documents — an encrypted vault
Books, returns, and supporting papers move through an encrypted document vault with working-paper visibility flags — secure document exchange, not file links over chat.
Audit logs — ids and amounts, not PII
The audit trail records what happened: identifiers and amounts, never personal-data strings. The record of an action stays clean of the personal data the action touched.
Tenant isolation
One firm can never see another firm's data.
Every firm's data is sealed off from every other firm's. Isolation is enforced at the database itself, through row-level security — every record is bound to its firm, and a query can only ever return that firm's rows.
It is not left to application code to remember. An automated isolation test verifies the rule holds, and that test must pass before any release ships.
Sealed at the database, checked before release
- Row-level security on every table binds each record to its firm.
- Isolation is enforced in the database, not only in application code.
- An automated isolation test must pass before any release ships.
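As an added illustration of the rule above, and not FirmsNest's own schema or code: a PostgreSQL row-level security policy that binds every row to a firm, followed by the kind of automated isolation test that can gate a release. The table, column, role and setting names (clients, firm_id, app_user, app.current_firm) and the two firm ids are assumptions.

```sql
-- Added example, not FirmsNest's schema or code. Names are assumed.
CREATE TABLE clients (
    id       bigserial PRIMARY KEY,
    firm_id  uuid NOT NULL,
    name     text NOT NULL
);

-- FORCE makes the policy apply to the table owner as well. Only superusers and
-- roles with BYPASSRLS skip it, so the application must connect as neither.
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;

-- The application sets app.current_firm for each transaction and nothing else.
-- current_setting(..., true) returns NULL when the setting is absent; NULLIF
-- treats an empty string the same way. A NULL comparison is never true, so a
-- connection that forgot to set its firm sees no rows and can write none.
CREATE POLICY clients_firm_isolation ON clients
    USING      (firm_id = NULLIF(current_setting('app.current_firm', true), '')::uuid)
    WITH CHECK (firm_id = NULLIF(current_setting('app.current_firm', true), '')::uuid);

-- Least-privilege role for the application: it uses the table, it does not own it.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;
GRANT USAGE, SELECT ON SEQUENCE clients_id_seq TO app_user;

-- Constructed sample data: one row for each of two firms. Each insert is scoped
-- to its own firm, because WITH CHECK rejects a row aimed at any other firm.
BEGIN;
SET LOCAL app.current_firm = '11111111-1111-1111-1111-111111111111';
INSERT INTO clients (firm_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Firm A client');
COMMIT;
BEGIN;
SET LOCAL app.current_firm = '22222222-2222-2222-2222-222222222222';
INSERT INTO clients (firm_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'Firm B client');
COMMIT;

-- Isolation test, run as the application role and scoped to firm A. It fails
-- (raises) if any other firm's row is visible or a cross-firm write is accepted.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_firm = '11111111-1111-1111-1111-111111111111';
DO $$
DECLARE
    visible_rows integer;
    foreign_rows integer;
BEGIN
    SELECT count(*) INTO visible_rows FROM clients;
    SELECT count(*) INTO foreign_rows FROM clients
     WHERE firm_id <> current_setting('app.current_firm')::uuid;
    IF foreign_rows <> 0 OR visible_rows <> 1 THEN
        RAISE EXCEPTION 'tenant isolation failed: % foreign rows visible, % total',
                        foreign_rows, visible_rows;
    END IF;
    -- A write aimed at another firm must be rejected by WITH CHECK (SQLSTATE 42501).
    BEGIN
        INSERT INTO clients (firm_id, name)
        VALUES ('22222222-2222-2222-2222-222222222222', 'planted by firm A');
        RAISE EXCEPTION 'tenant isolation failed: cross-firm insert was accepted';
    EXCEPTION
        WHEN insufficient_privilege THEN NULL;  -- expected: row violates RLS policy
    END;
END $$;
ROLLBACK;
```

Run it against a scratch database with psql as a superuser. Two caveats worth keeping in view: superusers and roles with BYPASSRLS are never subject to a policy, so the application's connection must be neither; and a policy covers only the table it is created on, so a release check should walk every tenant-scoped table rather than a representative one.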
Access & accountability
The right people, and a record of every action.
Inside a firm, access is scoped to a role, and everything that happens is written down — so the work is both controlled and accountable.
Role-based access
People see only what their role allows. A client sees their own engagement; a team member sees the work assigned to them — within their firm, and nowhere beyond it.
A complete audit trail
Actions and approvals are written to an immutable audit trail — who did what, and when. Draft sign-offs and document movements are all on the record.
Seven-year retention
Documents and audit records are retained for seven years, so an engagement stays searchable and defensible long after the season it belonged to has closed.
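As an added illustration of the audit-trail properties described above (identifiers and amounts rather than personal data, and immutability), and not FirmsNest's own schema or code: a PostgreSQL audit table that is append-only at the database level, with the write role's own check that the rule holds. The table, column and role names (audit_log, audit_writer) and the sample ids are assumptions.

```sql
-- Added example, not FirmsNest's schema or code. Names are assumed.
-- The schema itself keeps PII out: every "who" and "which" column is an id,
-- the only free value is a numeric amount, and there is no free-text column.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    firm_id     uuid        NOT NULL,
    actor_id    uuid        NOT NULL,   -- who: a user id, never a name or e-mail
    action      text        NOT NULL CHECK (action ~ '^[a-z_]+(\.[a-z_]+)*$'),
    subject_id  uuid        NOT NULL,   -- which record the action touched
    amount      numeric(14,2),          -- amounts are allowed; strings are not
    at          timestamptz NOT NULL DEFAULT now()
);

-- The application role may append and read history, never rewrite it.
CREATE ROLE audit_writer NOLOGIN;
GRANT SELECT, INSERT ON audit_log TO audit_writer;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO audit_writer;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM PUBLIC;

-- Second line of defence: a trigger refuses rewrites even from a role that
-- somehow holds the privilege (TRUNCATE triggers must be statement-level).
CREATE FUNCTION audit_log_is_append_only() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % not permitted', TG_OP;
END $$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_is_append_only();

-- Check, as the application role: an append succeeds, a rewrite does not.
BEGIN;
SET LOCAL ROLE audit_writer;
INSERT INTO audit_log (firm_id, actor_id, action, subject_id, amount)
VALUES ('11111111-1111-1111-1111-111111111111',   -- constructed firm id
        '33333333-3333-3333-3333-333333333333',   -- constructed user id
        'return.signoff',
        '44444444-4444-4444-4444-444444444444',   -- constructed return id
        125000.00);
DO $$
BEGIN
    UPDATE audit_log SET amount = 0;
    RAISE EXCEPTION 'audit trail is not immutable: update succeeded';
EXCEPTION
    -- 42501 from the missing privilege, or P0001 from the trigger: both mean the rule held.
    WHEN insufficient_privilege OR raise_exception THEN NULL;
END $$;
ROLLBACK;
```

The privilege grant is the primary control and the trigger is the backstop; the CHECK on action keeps that column a fixed vocabulary of dotted tokens so that nobody can smuggle a free-text description, and the personal data it might carry, into the record. Retention periods such as the seven years above are then a matter of never deleting, which this design already enforces, plus an archive job run by a role that is deliberately not audit_writer.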
Payments
We never hold your clients' money.
Client payments flow directly between the firm and its client, through the firm's own Razorpay account or UPI ID. FirmsNest is not a payment aggregator and never custodies client money: the funds settle to the firm, and we take no cut of them.
Each firm connects its own Razorpay API keys, which are encrypted at rest and used only on the server, or its UPI ID. The money never passes through us.
Shared responsibility
We are the software. You remain the advisor.
Security is a partnership, with a clear line between the two roles.
FirmsNest — the Data Processor
FirmsNest is the Data Processor, in the DPDP Act's terms (the processor, in GDPR terms). We host the platform in an India region, keep data encrypted and isolated by firm, maintain the audit trail, and process the data only on the firm's instructions.
The firm — the Data Fiduciary
The CA firm is the Data Fiduciary for its clients' data (the controller, in GDPR terms) and remains the professional advisor. It decides what is collected, manages who on its team has access, and owns the accounting, tax, and audit work itself. FirmsNest does not provide that advice.
Security questions about your firm's data?
We are happy to walk your team through how FirmsNest stores, isolates, and protects the data a practice holds. Write to us, or see it in a demo.
