Security & Trust

Your data belongs
to you.

To claim a grant you have to share real business information — revenue, registrations, documents. We know that requires trust. This page answers the two questions we hear most from CAs and founders:

  • 01Why should I trust BenefitStack with my company's information?
  • 02How is that information kept safe and who can see it?
01

Why trust BenefitStack?

Our business model is aligned with yours, not against it. We charge a flat fee for work performed — filing assistance, document review, CA assignment. We do not earn a percentage of whatever you receive. We do not earn anything by selling or sharing your data. There is no financial incentive for us to misuse what you share.

We are an incorporated entity with legal accountability. BenefitStack is operated by Ventuno Technologies (P) Ltd., a company registered in Chennai, Tamil Nadu under the Companies Act. We are subject to Indian law including the Information Technology Act, GST regulations, and applicable data protection requirements. Our legal contact is public and reachable.

Our infrastructure partners have independent, audited certifications. We do not build our own data centre or write our own authentication system. We use Supabase and Vercel — both of which hold SOC 2 Type II certifications issued by independent auditors. You inherit those guarantees.

We are transparent about what we collect and why. This page and our Privacy Policy explain in plain language exactly what data is collected, where it goes, who can see it, and how long we keep it. If anything here is unclear, email us at legal@benefitstack.in.

02

What we collect and why

We collect only what is necessary to match your business against government scheme eligibility criteria. Nothing more.

Business identity
  • Company name, type, stage
  • GSTIN, CIN, Udyam / PAN
  • State, sector, employee count
  • Revenue band
Scheme eligibility depends on these fields — most schemes filter on sector, stage, or registration type.
Founder details
  • Founder names and roles
  • Email address for account login
  • Phone for OTP verification
Needed for account security and to send case updates. We do not share founder contact details.
Documents (optional)
  • GST certificate, ITR
  • Incorporation certificate
  • Audited financials
Only if you upload them. Used for KYC verification and pre-filling application fields. Stored encrypted in your private vault.
What we never collect
  • Bank account or card numbers
  • Cap table or equity details
  • Employee salary data
  • Passwords (hashed by auth layer)
Payment details go directly to Razorpay. We have no reason to hold them and we do not.
03

Who can see your data

By default, only you. Access is extended to others only with your explicit action.

WhoCan seeCannot see
You
Everything in your account — profile, documents, reports, case history
Other companies' data (fully isolated at database level)
CA professionals
Only the case you assigned to them: your profile summary and case-specific documents
Your full document vault, other cases, payment details, or other companies they are not assigned to
Partners / incubators
Your scheme eligibility summary — only if you registered via their invite link
Uploaded documents, CA case communications, or payment information
BenefitStack team
Anonymised usage metrics and system health data. Individual account data only when you raise a support ticket — and only the fields needed to resolve it
Your uploaded documents or vault without an explicit support request from you
Third parties
Razorpay (payments only, never your company data), Supabase (infrastructure only, no application-level access), Vercel (hosting only)
None of these partners have access to your scheme eligibility data, profile, or documents. We do not sell or share data for advertising.
CA access works per-case, not per-account. When you engage a CA for a specific scheme, they see only the documents uploaded for that specific case. A CA cannot access your full document vault or view any case they were not explicitly assigned to.
04

How data is stored and protected

BenefitStack is built on infrastructure that holds its own independent security certifications. You inherit those guarantees without taking our word for it.

Supabase (database + file storage)
SOC 2 Type II
All profile data, documents, scheme results, and case history. Backed by AWS ap-south-1 (Mumbai) — your data stays in India. Supabase enforces Row Level Security (RLS) at the database engine level, meaning the isolation between companies is not app-level logic that can have bugs — it is a constraint enforced by PostgreSQL itself.
Vercel (hosting + edge network)
SOC 2 Type II
Serves every page and API call. All traffic is encrypted in transit via TLS 1.2/1.3. Automatic HTTPS. No plaintext connections are accepted anywhere in the stack.
Razorpay (payments)
PCI-DSS Level 1
Handles all payment processing. Card and bank account details go directly to Razorpay and never touch our systems. BenefitStack stores only transaction IDs and order status — enough to confirm payment, nothing that would be useful if stolen.
Data in transit
TLS 1.2/1.3 on every connection — browser to Vercel, Vercel to Supabase, Supabase to storage.
Data at rest
AES-256 encryption on all Supabase storage volumes, managed by AWS. Documents in your vault are served through per-file, server-signed URLs with a 5-minute expiry — knowing a storage path alone provides no access.
Row Level Security
Every table in the database has RLS enabled. A query run as your user cannot return another company's rows — even if there is a bug in application code. This is enforced by the database engine, not by us.
Authentication
Supabase Auth: industry-standard JWT sessions, secure cookie handling, OTP verification for sensitive actions. Passwords are never stored in plaintext — they are hashed by the auth layer before they ever reach our database.
Rate limiting
All sensitive endpoints (AI assessment, payments, KYC verification) are rate-limited per IP via Upstash Redis to prevent abuse.
Admin access
BenefitStack staff access to production data requires a named account in an allowlist. Every time an admin views a user record, the access is logged to an append-only audit table. Shared credentials do not exist.
For CA firms

If you recommend BenefitStack to a client, here is what they are agreeing to.

Your client creates an account, fills in their business profile, and gets a free eligibility report. That is the extent of what BenefitStack does without further action. No one at BenefitStack calls them. Their data is not shared with anyone.

If they engage a CA through the platform (which could be you), they explicitly confirm which CA is assigned to their case. The CA receives access only to what is needed for that specific scheme — not the whole account. That access is scoped and revocable.

You as a CA firm are not given a master view of all the clients you have helped. Each engagement is separate. Client A cannot see Client B's information even if you are the CA on both cases.

If a client asks "is my data safe on this platform?" you can share this page with them. If they have questions this page does not answer, we will respond directly at legal@benefitstack.in.

06

Common questions

Can BenefitStack see my uploaded documents?
Only if you raise a support ticket that requires it. In that case, a named staff member reviews only the document relevant to your issue. We log every such access. Routine use of the platform — eligibility scoring, report generation — does not require any human to read your files. It is processed by automated systems.
Do you share data with government portals?
Only during the application process, and only the fields that specific scheme or portal requires. We do not proactively share your profile with government systems. Nothing is submitted without your review and confirmation.
What happens to my data if I close my account?
We delete account data not subject to legal retention requirements within 30 days of a confirmed deletion request. Documents in your vault are purged within 30 days. Data we are legally required to retain (transaction records, GST-related data) is kept for up to 7 years as required by Indian law and then deleted. Email legal@benefitstack.in to request deletion.
Is my data stored in India?
The primary database and file storage run on Supabase's ap-south-1 region (AWS Mumbai). Application hosting and edge delivery run through Vercel's global network, but no application data is persisted outside the database — requests are processed at the edge but data at rest stays in Mumbai.
Has BenefitStack had a security breach?
We have not had a breach involving customer data. If a future breach occurs that affects your data, we will notify you by email within 72 hours of becoming aware of it, consistent with responsible disclosure practices.
Do you use my data to train AI models?
No. Your business data is used to run eligibility matching against scheme criteria. It is not used to train general AI models, shared with AI providers as training data, or retained beyond what is needed for your account.
Questions about security or data handling?

We will answer directly,
not with a template.

If you are a CA firm evaluating BenefitStack for your clients, or a company with specific questions about how your data is handled, email us. We respond to every question personally within 2 business days.

legal@benefitstack.inRead the full Privacy Policy →
Ventuno Technologies (P) Ltd. · Chennai, Tamil Nadu, India · CIN on file