Family wealth data is among the most sensitive personal information a person holds. We design the Platform around the assumption that any single layer of defence will eventually fail, so each layer is hardened and tested independently.
Encryption — two-tier key hierarchy
All sensitive personal data is encrypted at rest using AES-256-GCM under a two-tier key hierarchy:
- Family Data Encryption Keys (DEKs) — one per family. Used to encrypt the actual records (assets, holdings, will drafts, AIS imports, etc.).
- Platform Key Encryption Key (KEK) — wraps every DEK. The KEK lives only in Cloudflare's secret store; it is never written to a database.
A compromise of the database alone does not expose plaintext — DEKs in the database are wrapped, and the KEK is not in the database. A compromise of the KEK alone does not expose any single family's data either, because the wrapped DEK is needed too.
Transport security
- TLS 1.3 from your device to our edge — enforced; older versions rejected.
- HSTS preload, plus a strict Content-Security-Policy on the app surface.
- Same-site, HTTP-only, secure cookies for session tokens. CSRF tokens on every state-changing request.
What we never store in plaintext
- Full PAN — only the last 4 digits are kept in plaintext for display; the full PAN is encrypted with the family DEK.
- The full 12-digit Aadhaar — never. We store a derived reference only when strictly needed for KYC matching.
- Full bank account number — last 4 digits visible; the rest is encrypted.
- Card numbers — we don't take card payments directly; payment is via a PCI-DSS-compliant provider.
- Passwords — only Argon2id hashes, never the password itself.
Data residency
Personal data is processed and stored in India. Cloudflare's Asia-Pacific edge may serve cached static assets globally, but our Workers KV, D1 databases, Durable Objects, and R2 storage are pinned to APAC India regions.
Logging and monitoring
Per the CERT-In Cyber Security Directions, 2022, we maintain structured logs of all requests to the Platform (timestamp, request id, hashed user id, route, status, latency, and client metadata) for at least 180 days, stored in India. The application can only append to these logs, and read access is restricted to incident response.
Time synchronisation
Server clocks are synchronised via Cloudflare's NTP infrastructure, which is aligned to authoritative time sources. CERT-In Directions, 2022, require time sync to NIC / NPL clocks; if a regulated partner asks for direct NPL alignment, we add a sidecar.
Incident response
- If an incident affecting personal data occurs, we report it to CERT-In within 6 hours per the 2022 Directions.
- We notify affected users without delay in plain language (what happened, the likely impact, what we did, and how to contact us), as required under the Digital Personal Data Protection Act, 2023 (DPDP Act) and the DPDP Rules, 2025.
- We notify the Data Protection Board of India per the timelines and form prescribed under the DPDP Act once the Board is operational.
Responsible disclosure
If you find a vulnerability, please report it to [email protected] with a subject line starting [Security]. Please do not publicly disclose it until we have had reasonable time to fix it. We acknowledge within 48 hours and aim to resolve within 30 days. We do not currently run a paid bug-bounty programme but will credit researchers in our security hall of fame.
Sub-processors
We use a small set of sub-processors. Each is bound by data-protection terms. The current list:
- Cloudflare Inc. — hosting, edge compute (Workers), KV, D1, R2 storage, Durable Objects, secret store.
- Resend — transactional email (OTP, account notifications).
- Partner Account-Aggregator infrastructure — only when you are a B2B2C user of a partner who has supplied FIU credentials, and only for the AA flow you initiate.
Sub-processor changes are notified via email and the in-app feed at least 30 days before they take effect.
Audits and certifications
Formal ISO 27001 and SOC 2 certification is on our roadmap. We will publish certificates on this page when issued. In the interim, we run internal quarterly reviews against the ISO 27001 control set and welcome partner-led audits under NDA.
Contact
Security questions: [email protected]. Grievances: Grievance Redressal.