Your money is yours.
We just hold the door.
We operate under SEBI's framework for stock brokers and India's DPDP Act for data. The systems below are how we keep both promises — your capital and your information.
Your money
Customer funds in a regulated escrow account, separate from the broker's working capital. Withdrawals only to the bank account that funded the deposit.
Your data
Data residency in AWS Mumbai (ap-south-1). DPDP-compliant data handling. You can export everything and delete your account from the dashboard.
Your access
Refresh-token allowlist in Redis, TOTP-based 2FA, IP-allowlist option for high-value accounts. Lost device — one click revokes everything.
Six layers between an attacker and your trades.
Every one is optional except the first two. We strongly recommend all six for any account with more than ₹5 lakh on it.
TOTP-based 2FA
Google Authenticator / Authy / 1Password — your call. Backup recovery codes generated at enrolment.
Biometric mobile login
Face ID / Touch ID / Android biometrics. Token cache wiped once the biometric failure threshold is reached.
Per-device sessions
Every login is a separate session you can revoke individually. See location, device and last-seen time.
Login alerts
Email + push on every new-device login. Anomaly heuristics flag unusual hours / unusual IP.
Withdrawal email lock
Every withdrawal triggers an email + push. 1-hour cooling-off window for first-time large amounts.
Hardware-token (opt-in)
Optional FIDO2 / WebAuthn enrolment for users who carry a YubiKey.
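The refresh-token allowlist in Redis, the per-device session list and the one-click "lost device" revocation described above, as an added example (not code from this page or from marginplant). The key layout (`sessions:{user}`, `refresh:{user}`, `session:{sid}`), the `SessionStore` class and its method names are assumptions; `FakeRedis` is a constructed in-memory stand-in for the handful of redis-py calls used, so the block runs offline, and a real `redis.Redis(decode_responses=True)` client exposes the same calls.

```python
import hashlib
import secrets
import time
from typing import Optional


class FakeRedis:
    """Constructed in-memory stand-in for the few redis-py calls used below
    (sadd/srem/smembers, hset/hget/hdel/hgetall, delete) so the example runs
    offline. In production use redis.Redis(decode_responses=True)."""

    def __init__(self) -> None:
        self._sets: dict[str, set[str]] = {}
        self._hashes: dict[str, dict[str, str]] = {}

    def sadd(self, name: str, *values: str) -> None:
        self._sets.setdefault(name, set()).update(values)

    def srem(self, name: str, *values: str) -> None:
        self._sets.get(name, set()).difference_update(values)

    def smembers(self, name: str) -> set[str]:
        return set(self._sets.get(name, set()))

    def hset(self, name: str, mapping: dict[str, str]) -> None:
        self._hashes.setdefault(name, {}).update(mapping)

    def hget(self, name: str, key: str) -> Optional[str]:
        return self._hashes.get(name, {}).get(key)

    def hdel(self, name: str, *keys: str) -> None:
        for k in keys:
            self._hashes.get(name, {}).pop(k, None)

    def hgetall(self, name: str) -> dict[str, str]:
        return dict(self._hashes.get(name, {}))

    def delete(self, *names: str) -> None:
        for n in names:
            self._sets.pop(n, None)
            self._hashes.pop(n, None)


def _fp(token: str) -> str:
    # Only a hash of the refresh token is stored: a leaked Redis dump must not
    # hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Hypothetical key layout (an assumption, not the page's):
    sessions:{user}  -> set of session ids
    refresh:{user}   -> hash  token-hash -> session id   (the allowlist)
    session:{sid}    -> hash  device / ip / last_seen
    A refresh token is valid only while its hash is present in refresh:{user}."""

    def __init__(self, r) -> None:
        self.r = r

    def login(self, user: str, device: str, ip: str) -> tuple[str, str]:
        # Every login is its own session with its own refresh token.
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.r.sadd(f"sessions:{user}", sid)
        self.r.hset(f"refresh:{user}", mapping={_fp(token): sid})
        self.r.hset(f"session:{sid}", mapping={
            "device": device, "ip": ip, "last_seen": str(int(time.time()))})
        return sid, token

    def refresh(self, user: str, token: str) -> Optional[str]:
        """Rotate: the presented token must be on the allowlist; it is then
        replaced, so a replayed old token is rejected."""
        fp = _fp(token)
        sid = self.r.hget(f"refresh:{user}", fp)
        if sid is None:
            return None  # revoked, already rotated, or never issued
        new_token = secrets.token_urlsafe(32)
        self.r.hdel(f"refresh:{user}", fp)
        self.r.hset(f"refresh:{user}", mapping={_fp(new_token): sid})
        self.r.hset(f"session:{sid}", mapping={"last_seen": str(int(time.time()))})
        return new_token

    def list_sessions(self, user: str) -> dict[str, dict[str, str]]:
        # What the dashboard shows: device, IP and last-seen per session.
        return {sid: self.r.hgetall(f"session:{sid}")
                for sid in self.r.smembers(f"sessions:{user}")}

    def revoke_session(self, user: str, sid: str) -> None:
        # Revoke one device: drop every allowlist entry that maps to it.
        for fp, owner in self.r.hgetall(f"refresh:{user}").items():
            if owner == sid:
                self.r.hdel(f"refresh:{user}", fp)
        self.r.srem(f"sessions:{user}", sid)
        self.r.delete(f"session:{sid}")

    def revoke_all(self, user: str) -> None:
        # "Lost device" button: every refresh token for the user dies at once.
        for sid in self.r.smembers(f"sessions:{user}"):
            self.r.delete(f"session:{sid}")
        self.r.delete(f"refresh:{user}", f"sessions:{user}")
```

Because validity is decided by allowlist membership rather than by the token's own expiry, revocation takes effect on the next refresh call; the access token's lifetime is the upper bound on how long a revoked session can still act, which is why short-lived access tokens matter in this design.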
Boring, hardened, audited.
We optimise for "no surprises". Standard AWS primitives, mandatory code review, branch-protection rules on every repo, daily backups with restore drills. The systems list below is exhaustive — not marketing-friendly.
AWS Mumbai (ap-south-1)
Primary region for all India-resident data. Singapore region kept hot as DR for global-only segments (forex, crypto).
TLS 1.3 + HSTS preload
Modern cipher suites only. HSTS preload across all sub-domains. Cert pinning on the mobile app.
MongoDB + Redis cluster
Replica set with daily snapshots, append-only ledger, hourly reconciliation across replicas.
WAF + rate limiting
CloudFront + AWS WAF in front of every public endpoint. Burst limits per IP, per user, per route.
Cold-wallet crypto
95% of crypto holdings in cold storage. Hot wallet refilled in chunks, multi-sig withdrawal.
ISO 27001 in progress
Audit kick-off Q1 2026. SOC 2 Type I scoping in parallel. Compliance roadmap published quarterly.
We're regulated. Here's the actual list.
- SEBI-aligned operating model · stock-broker membership in progress for NSE / BSE / MCX
- Funds segregated in a SEBI-recognised settlement bank account
- Statutory contract notes generated nightly, signed and emailed within T+1
- Grievance redressal published — escalation path to SEBI SCORES in the footer
- AML / KYC framework aligned with PMLA + RBI Master Direction on KYC
- DPDP Act compliance — Indian data principal rights honoured in the dashboard
Responsible disclosure
If you've found something — a way to bypass an auth check, a ledger inconsistency, a CSRF gap — please tell us before you tell anyone else. We pay for it, we credit you, and we never sue researchers acting in good faith.
1. Email security@marginplant.com with a clear write-up and steps to reproduce.
2. Encrypt sensitive details with our PGP key (linked from the email autoresponder).
3. We acknowledge within 48 hours and triage within 7 days.
4. Eligible reports earn a bounty — paid in INR via UPI or NEFT, your choice.
5. Public credit on the security wall of fame after the fix is shipped (if you want it).