Security Policy

Last Updated: February 17, 2026

At BloomXpe Services Pvt Ltd ("BloomXpe"), security is at the core of everything we do. As a payment orchestration platform handling sensitive financial data, we implement comprehensive security measures that meet and exceed industry standards. This policy outlines the security practices we employ to protect our merchants, their customers, and our infrastructure.

1. Compliance and Certifications

  • PCI DSS Level 1: We maintain Payment Card Industry Data Security Standard Level 1 compliance, the highest level of certification available, validated through annual audits by a Qualified Security Assessor (QSA)
  • ISO 27001: Our Information Security Management System (ISMS) is certified to ISO 27001:2022 standards
  • RBI Guidelines: We comply with all Reserve Bank of India guidelines for payment aggregators and intermediaries
  • SOC 2 Type II: We undergo annual SOC 2 Type II audits covering security, availability, and confidentiality

2. Data Encryption

2.1 Data in Transit

All data transmitted to and from our platform is encrypted using TLS 1.3 with strong cipher suites. We enforce HTTPS across all endpoints and API communications. Certificate pinning is available for mobile SDK integrations.

2.2 Data at Rest

Sensitive data stored in our databases is encrypted using AES-256 encryption. Payment card data is tokenised and stored in PCI-compliant vaults. Encryption keys are managed using hardware security modules (HSMs) with regular key rotation.

3. Infrastructure Security

  • Our infrastructure is hosted on enterprise-grade cloud platforms with SOC 2 and ISO 27001 certifications
  • Network segmentation isolates production environments from development and staging
  • Web Application Firewall (WAF) protects against common web vulnerabilities (OWASP Top 10)
  • DDoS protection with automated traffic analysis and mitigation
  • Intrusion Detection and Prevention Systems (IDS/IPS) monitor all network traffic
  • Regular vulnerability scanning and patch management

4. Application Security

  • Secure Software Development Lifecycle (SSDLC) with security reviews at every stage
  • Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) in CI/CD pipelines
  • Regular third-party penetration testing by CERT-IN empanelled auditors
  • API security with rate limiting, input validation, and authentication tokens
  • Content Security Policy (CSP) headers and other security headers on all responses

5. Access Control

  • Role-Based Access Control (RBAC) with the principle of least privilege
  • Multi-factor authentication (MFA) required for all internal access and merchant dashboard
  • SSH key-based authentication for server access with no password-based login
  • Privileged Access Management (PAM) for administrative operations
  • Regular access reviews and prompt deprovisioning of former employees

6. Monitoring and Incident Response

  • 24/7 Security Operations Centre (SOC) with real-time monitoring and alerting
  • Comprehensive audit logging of all system access, API calls, and administrative actions
  • Security Information and Event Management (SIEM) for threat detection and correlation
  • Documented Incident Response Plan with defined escalation procedures
  • Incident classification, containment, eradication, and recovery procedures
  • Post-incident review and lessons-learned process

7. Business Continuity and Disaster Recovery

  • Multi-region deployment with automatic failover capabilities
  • Real-time data replication across geographically distributed data centres
  • Recovery Point Objective (RPO) of less than 1 minute
  • Recovery Time Objective (RTO) of less than 15 minutes
  • Regular disaster recovery drills and business continuity testing

8. Vendor Security

We conduct thorough security assessments of all third-party vendors and payment gateway partners before integration. Ongoing monitoring ensures that our partners maintain acceptable security standards. All vendor agreements include data protection and security requirements.

9. Employee Security

  • Background verification for all employees with access to sensitive systems
  • Mandatory security awareness training during onboarding and annually
  • Simulated phishing exercises to test and improve security awareness
  • Clean desk and clear screen policies
  • Confidentiality and non-disclosure agreements for all staff

10. Responsible Disclosure

We welcome security researchers to responsibly report vulnerabilities. If you discover a security issue, please report it to bloomxpe@gmail.com. We commit to:

  • Acknowledging reports within 24 hours
  • Providing regular updates on the remediation progress
  • Not pursuing legal action against researchers acting in good faith
  • Crediting researchers who help improve our security (with their permission)

11. Contact

For security-related inquiries or to report a vulnerability:

BloomXpe Services Pvt Ltd
INDIA
Email: bloomxpe@gmail.com
WhatsApp: Chat on WhatsApp ยท Telegram: @bloomxpe