Security at Audex
Last updated: June 14, 2026
You hold your clients’ PAN, GSTIN, bank statements and financial records - and under the DPDP Act, 2023 your firm is accountable for them. This page is a plain account of how Audex protects that data. We’d rather under-claim and be exact than market security we don’t have.
1. Tenant isolation
Audex is multi-tenant: every firm gets a logically isolated workspace. Each record - clients, documents, tasks, invoices - is scoped to your firm, and every database query is filtered by your firm identifier so one firm can never read another firm’s data. Within a firm, client data is further scoped by role and assignment.
2. Encryption
All traffic between your browser and Audex is encrypted in transit with TLS, using 256-bit AES cipher suites. Passwords are never stored in plain text - only as salted bcrypt hashes. Payment credentials never touch our servers (see §6).
3. Access control & roles
- Role-based access with least privilege - Admin, CA, Employee and Client roles each see only what they need.
- Staff see only the clients assigned to them; client-portal users see only their own documents, requests and invoices.
- Document collection links are tokenised, rate-limited and expiring - a client can upload without an account, but the link grants nothing beyond that one request.
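The firm-scoped queries of §1 and the role and assignment scoping of §3 are easiest to see in code. The following is an added illustration, not Audex's own code or schema: it assumes a hypothetical `clients` table with a `firm_id` column and an `assignments` table linking staff to clients, and assumes that Admins see the whole firm, CA and Employee users see only assigned clients, and client-portal users see only their own record. The point is that the repository, not the caller, adds the `firm_id` predicate to every query.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not Audex's schema): two firms, three clients,
# and staff-to-client assignments. All names are hypothetical.
SCHEMA = """
CREATE TABLE clients (id INTEGER PRIMARY KEY, firm_id TEXT NOT NULL, name TEXT NOT NULL);
CREATE TABLE assignments (user_id TEXT NOT NULL, client_id INTEGER NOT NULL);
"""
SAMPLE_CLIENTS = [(1, "firm-A", "Sharma Traders"),
                  (2, "firm-A", "Mehta & Co"),
                  (3, "firm-B", "Patel Exports")]
SAMPLE_ASSIGNMENTS = [("emp-1", 1), ("emp-2", 2)]


@dataclass(frozen=True)
class Principal:
    """Who is asking: firm, role and (for client-portal users) own client id."""
    user_id: str
    firm_id: str
    role: str                        # "admin", "ca", "employee" or "client"
    client_id: Optional[int] = None


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.executemany("INSERT INTO assignments VALUES (?, ?)", SAMPLE_ASSIGNMENTS)
    return conn


class ScopedRepo:
    """Repository bound to one principal. The firm filter is added here on
    every query; callers never get to choose which firm they read from."""

    def __init__(self, conn: sqlite3.Connection, principal: Principal):
        self.conn = conn
        self.p = principal

    def _scope(self):
        """Joins and WHERE predicates every query must carry; None = deny."""
        joins, conds, params = "", ["c.firm_id = ?"], [self.p.firm_id]
        if self.p.role == "admin":
            pass                                   # whole firm, nothing more
        elif self.p.role in ("ca", "employee"):
            # Staff: only assigned clients (the inner join drops the rest).
            joins = " JOIN assignments a ON a.client_id = c.id"
            conds.append("a.user_id = ?")
            params.append(self.p.user_id)
        elif self.p.role == "client":
            conds.append("c.id = ?")               # own record only
            params.append(self.p.client_id)
        else:
            return None                            # unknown role: deny
        return joins, conds, params

    def list_clients(self) -> list:
        scope = self._scope()
        if scope is None:
            return []
        joins, conds, params = scope
        sql = (f"SELECT c.id, c.name FROM clients c{joins} "
               f"WHERE {' AND '.join(conds)} ORDER BY c.id")
        return [name for _id, name in self.conn.execute(sql, params)]

    def get_client(self, client_id: int):
        # A cross-tenant (or unassigned) id simply becomes "not found", so
        # the caller cannot even learn that the record exists.
        scope = self._scope()
        if scope is None:
            return None
        joins, conds, params = scope
        sql = (f"SELECT c.id, c.name FROM clients c{joins} "
               f"WHERE {' AND '.join(conds + ['c.id = ?'])}")
        return self.conn.execute(sql, params + [client_id]).fetchone()
```

Because `_scope()` is the only place the predicates are built, a new query method cannot forget the firm filter; that is the property a reviewer checks for in a multi-tenant code base.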
4. Session security
Access tokens are short-lived; refresh tokens are single-use and rotate on every use. Admins can reset a team member’s password or force-logout all of their sessions instantly, and changing a role or deactivating a user immediately revokes their existing sessions.
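As an added example of the session model described above (illustration only, not Audex's code): short-lived access tokens, single-use refresh tokens that rotate on every use, and instant revocation on deactivation or role change. The lifetimes and the in-memory store are assumptions. It also goes one step beyond the page: when an already-consumed refresh token is presented again, it revokes the whole session family, treating the replay as a sign the token leaked.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60              # seconds; assumed values, not Audex's
REFRESH_TTL = 30 * 24 * 3600


class SessionStore:
    """Constructed in-memory session store (not Audex's code).

    - access tokens are short-lived and looked up server-side, so revoking
      a user takes effect on the next request rather than at token expiry;
    - refresh tokens are stored only as SHA-256 hashes, are single-use,
      and each use issues a fresh pair while consuming the old one;
    - presenting an already-consumed refresh token revokes the whole
      session family it belongs to (an assumption beyond the page).
    """

    def __init__(self, now=time.time):
        self.now = now
        self.access = {}              # token -> {user, family, exp}
        self.refresh = {}             # sha256(token) -> {user, family, used, exp}
        self.revoked_families = set()

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user: str, family: str):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = {"user": user, "family": family,
                               "exp": self.now() + ACCESS_TTL}
        self.refresh[self._h(refresh)] = {"user": user, "family": family,
                                          "used": False,
                                          "exp": self.now() + REFRESH_TTL}
        return access, refresh

    def login(self, user: str):
        """Each login (browser/device) starts its own session family."""
        return self._issue(user, secrets.token_hex(8))

    def rotate(self, refresh_token: str):
        """Exchange a refresh token for a new pair; None on any failure."""
        rec = self.refresh.get(self._h(refresh_token))
        if rec is None or rec["exp"] < self.now() \
                or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # Single-use violated: kill every token in this family.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"])

    def check_access(self, access_token: str):
        """Return the user for a valid access token, else None."""
        rec = self.access.get(access_token)
        if rec is None or rec["exp"] < self.now() \
                or rec["family"] in self.revoked_families:
            return None
        return rec["user"]

    def revoke_user(self, user: str) -> int:
        """Deactivation, role change or admin force-logout: revoke every
        family the user has, so all of their sessions die at once."""
        families = {r["family"] for r in self.refresh.values()
                    if r["user"] == user}
        self.revoked_families |= families
        return len(families)
```

The design choice worth noting is that revocation is keyed by session family rather than by individual token: a role change or deactivation calls `revoke_user()` once and every access and refresh token the user holds stops working on the next request, which is what "immediately revokes their existing sessions" requires in practice.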
5. Audit trail
Sensitive actions - logins, record changes, assignments, document uploads, plan changes - are written to an append-only activity log capturing who did what, when, and from which IP address. The log is visible to firm admins and supports your own compliance and review obligations.
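To make "append-only" concrete, here is an added example (not Audex's implementation) of an activity log that records who, what, when and from which IP address. It goes beyond what the page states by hash-chaining each entry to the previous one, an assumption that lets an admin's review detect an edited, reordered or deleted entry; the field names and sample events are constructed.

```python
import hashlib
import json
import time

GENESIS = "0" * 64
FIELDS = ("seq", "actor", "action", "target", "ip", "ts")


class ActivityLog:
    """Constructed example (not Audex's implementation): an append-only
    activity log in which each entry commits to the previous entry's
    hash. The chaining is an assumption beyond the page; it makes editing
    or deleting an earlier entry detectable by verify()."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries = []             # the only supported mutation is append()

    @staticmethod
    def _digest(prev_hash: str, payload: dict) -> str:
        body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, actor: str, action: str, target: str, ip: str) -> int:
        """Record who did what, to which record, when and from where."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"seq": len(self.entries), "actor": actor, "action": action,
                   "target": target, "ip": ip, "ts": self.now()}
        self.entries.append({**payload, "prev": prev,
                             "hash": self._digest(prev, payload)})
        return payload["seq"]

    def verify(self):
        """None if the chain is intact, else the index of the first entry
        that fails (edited, reordered, or following a deletion)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: e[k] for k in FIELDS}
            if e["seq"] != i or e["prev"] != prev \
                    or e["hash"] != self._digest(prev, payload):
                return i
            prev = e["hash"]
        return None

    def by_actor(self, actor: str):
        """Admin review view: what this user did, on what, from where."""
        return [(e["action"], e["target"], e["ip"]) for e in self.entries
                if e["actor"] == actor]
```

Run `verify()` as part of a periodic check; a non-None result names the first entry after which the log can no longer be trusted, which is the information a compliance review needs.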
6. Payments
Subscription payments are processed by Razorpay, a PCI-DSS compliant payment gateway. Audex never sees or stores your card, UPI or netbanking credentials.
7. Data residency & retention
Data is hosted on infrastructure located in India where feasible. We retain records while your account is active and for up to 7 years thereafter, in line with ICAI guidance and tax-law limitation periods. You can export clients, tasks, transactions and invoices to CSV from inside the product at any time - there is no lock-in.
8. Privacy
We do not sell personal data and never use your clients’ financial data for advertising. For the full detail of what we collect and your rights, see our Privacy Policy.
9. Responsible disclosure
If you believe you’ve found a security issue, please email grievance@audex.in with the details. We appreciate disclosures made in good faith and will work with you to resolve them quickly.