Cyber Security Practices at Upstox

At Upstox, safeguarding your data is our top priority. We are dedicated to upholding robust security practices to protect your information and give you complete confidence. Our dedicated cybersecurity team implements advanced controls, actively monitors emerging threats, and ensures compliance with global security standards. Beyond daily protection, the team also drives long-term security strategy, regulatory alignment, and continuous improvement.

Infrastructure Controls and Operational Safeguards

Cloud & on-premises infrastructure

  • Hybrid model: Our infrastructure operates in a hybrid environment, combining on-premises and cloud-based services. We leverage data center facilities that adhere to recognised industry standards to support reliability, security, and resilience.
  • Identity & access management: The principle of least privilege is enforced across systems to ensure access is limited to what is necessary for approved roles and functions.
  • Perimeter security: Network segmentation, DDoS protection, and an advanced WAF with bot control, enforcing OWASP Top 10 protections against XSS, SQLi, automated abuse, and application-layer attacks.
  • Business continuity & disaster recovery: Robust DR plans, technical systems, and regular testing ensure uninterrupted service during emergencies.

Endpoint security

  • We follow industry best practices to secure all endpoints, including continuous monitoring, advanced threat detection, and proactive protection against malware and viruses.
  • These controls help ensure a secure and resilient environment for our customers.

Secure remote access

  • Secure access for our hybrid workforce is governed by a Zero Trust Network Access (ZTNA) model, where access is continuously validated and tightly controlled across remote and on-premises systems.
  • We apply layered network security controls to inspect traffic, enforce access policies, and maintain secure, trusted connections across internal and external environments.

24/7 security operations centre (SOC)

  • Our security operations provide 24/7 monitoring to help detect, analyze, and respond to potential security events.
  • Centralised security monitoring is enhanced with threat intelligence and automated alerting to enable timely detection and response to security events.

Awareness & training

  • We believe security starts with people. Upstox runs regular cybersecurity awareness programs for all employees, covering topics such as phishing, social engineering, password hygiene, and safe use of technology.
  • Interactive sessions, quizzes, and simulated phishing exercises help employees stay vigilant and informed.
  • We run quarterly campaigns for customers on how to stay safe from cyber fraud, phishing, and identity theft.

Internal and external testing

Audit & compliance

  • We ensure robust security governance by engaging CERT-In approved partners for all cybersecurity audits, including Vulnerability Assessment and Penetration Testing (VAPT).
  • Every third-party service provider is subjected to a comprehensive security review before onboarding, ensuring that risks are identified and mitigated before integration.

Secure Design & Threat Modelling

  • By embedding secure design reviews and threat modelling into our development lifecycle, we identify and address architectural and abuse risks early, reducing security exposure and accelerating safe delivery.

Vulnerability assessment & penetration testing (VAPT)

  • Periodic external VAPT is performed by CERT-In empanelled auditors, alongside manual and automated vulnerability assessments using advanced tools and technologies.
  • Our secure development lifecycle integrates Static Application Security Testing (SAST) to identify vulnerabilities in source code early, and Dynamic Application Security Testing (DAST) to detect runtime issues in deployed applications. These practices, combined with API security checks and CI/CD pipeline security scans, ensure that vulnerabilities are addressed proactively before they can impact production systems.

Cyber Drills & Red Teaming

  • We conduct periodic Red Team exercises that simulate real-world attacker behaviour, including stealthy in-memory execution, lateral movement, and privilege escalation, to validate the effectiveness of our detection and response controls.
  • Regular cyber crisis drills and tabletop exercises are performed to test incident response readiness, escalation flow, and decision-making during security events. Insights from these drills directly feed into strengthening monitoring rules, response playbooks, and overall security posture.

Customer-side security

Multi-factor authentication (MFA)

  • 1FA: PIN verification
  • 2FA: OTP verification

Industry certification and attestations

ISO/IEC 27001:2022 (ISMS)

Information Security Management. This certification ensures that Upstox has a robust Information Security Management System in place. It covers risk assessment, security controls, and continuous monitoring to protect the confidentiality, integrity, and availability of information assets. It demonstrates that security is embedded into every process, reducing risks of breaches and ensuring resilience.

ISO/IEC 27701:2019 (PIMS)

Privacy Information Management. This extends ISO 27001 to include Privacy Information Management, ensuring that personal data is handled responsibly and in line with global privacy principles. It helps Upstox implement Privacy by Design, manage consent, and uphold data subject rights—critical for trust in financial services.

ISO 22301:2019 (BCMS)

Business Continuity Management. This certification focuses on Business Continuity Management, ensuring that Upstox can maintain operations during disruptions such as cyber incidents or natural disasters. It includes disaster recovery planning, redundancy, and resilience measures—essential for uninterrupted trading and customer confidence.

Compliance

Compliance with SEBI, BSE, NSE, MCX, CDSL, IRDAI, and PFRDA cybersecurity regulatory frameworks ensures transparency and trust.

Privacy and Data Protection

Privacy & data protection

  • Our privacy program is structured around the Digital Personal Data Protection Act and global best practices.
  • Privacy by design: Integrated into all products and processes.
  • Consent management: Consent for data collection and usage.
  • Data subject rights: Mechanisms for access, correction, and deletion of personal data.
  • Breach notification: Formal process for notifying authorities and affected individuals within mandated timelines.
  • Upstox Privacy Policy: https://upstox.com/terms-of-use-and-privacy-policy/

Data security

  • Encryption at rest & in transit: All sensitive customer data is protected by strong encryption mechanisms.
  • Authentication & authorisation: Authentication and authorisation controls are designed to verify identity and limit access based on role and necessity, reducing the risk of unauthorised access.
  • Data loss prevention (DLP): Controls are in place to prevent data leakage and ensure sensitive data is handled and transferred securely.

Bug Bounty

Responsible disclosure

Found a potential vulnerability?

Report it responsibly via our Bug Bounty Program.


Transparency

We take your safety and privacy very seriously. Upstox will not release customer information to any third-party marketing services. Your trust and personal information are important to us, and we do not send unsolicited mail to your email or home addresses.

Account Protection

As a SEBI-regulated entity, we always keep your funds in a fully segregated account as per SEBI rules. We partner with IL&FS (the largest depository agent in India) and work closely with the exchanges and audit agencies to ensure that your accounts are safeguarded with the highest level of protection possible.

Advertising and Third Party Usage

As part of our marketing efforts, we utilize Display Advertising and some Google Analytics features based on Display Advertising. Third-party vendors may use cookies to optimize and serve ads based on your past visits to our website. Should you wish to opt out of this or customize Google Display Ads, you may do so here. You may learn more about our privacy policy here.