We operate with nothing to hide.

Reach Financials is built on a foundation of regulatory compliance, data integrity, and operational transparency. This page is our public commitment — updated in real time — to the standards we hold ourselves to.

All systems compliant
Last audited: January 2026
DPDP readiness: Certified
ISO 27001: Active

Licensed across every domain we operate in

We don't operate on exemptions or grey areas. Every product Reach offers is backed by the appropriate regulatory license, renewed on the regulator's own cycle and subject to ongoing supervisory oversight from India's financial regulators.

SEBI · Investment Adviser · Securities and Exchange Board of India · Reg. No. INH000XXXXXX
Licensed to provide fee-based investment advice covering mutual funds, equities, and portfolio management across all investor categories.

IRDAI · Insurance Broker (Composite) · Insurance Regulatory and Development Authority of India · Reg. No. IB-XXXXX/XX
Composite broker license enabling us to distribute both life and general insurance products from IRDAI-approved insurers across India.

RBI · NBFC (Account Aggregator) · Reserve Bank of India · Reg. No. N-14.03627
RBI-authorised Account Aggregator enabling secure, consent-based sharing of a customer's financial data from Financial Information Providers (FIPs) to Financial Information Users (FIUs). The AA relays the data on the customer's consent and does not itself store it.

AMFI · Mutual Fund Distributor · Association of Mutual Funds in India · Reg. No. ARN-XXXXXX
AMFI-registered distributor authorised to sell and distribute mutual fund schemes from all SEBI-registered AMCs in India.

PFRDA · Point of Presence (PoP) · Pension Fund Regulatory and Development Authority · Reg. No. POP-XXXXXXXXX
Authorised PoP for the National Pension System (NPS), enabling opening and servicing of NPS accounts for Tier I and Tier II subscribers.

NSDL · Depository Participant · National Securities Depository Limited · Reg. No. IN-DP-XXXXX-20XX
NSDL-registered Depository Participant for opening and maintaining demat accounts and enabling electronic holding of securities.

Regulator · License Type · Registration No. · Valid Until · Status
SEBI · Investment Adviser · INH000XXXXXX · March 2026 · Active
IRDAI · Composite Insurance Broker · IB-XXXXX/XX · September 2026 · Active
RBI · Account Aggregator NBFC · N-14.03627 · Perpetual · Active
AMFI · Mutual Fund Distributor · ARN-XXXXXX · December 2025 (renewal filed) · Renewal Pending
PFRDA · Point of Presence (NPS) · POP-XXXXXXXXX · June 2026 · Active
NSDL · Depository Participant · IN-DP-XXXXX-20XX · Perpetual · Active

Digital Personal Data Protection Act, 2023

India's DPDP Act is the most significant shift in data rights for Indian citizens to date. Reach was DPDP-ready before enforcement began, not because the law required it at that point, but because our customers deserve it.

Data rights aren't a compliance checkbox.

The DPDP Act gives every Indian the right to know, correct, and erase their personal data. Reach has embedded these rights into the product itself — not as a settings page buried three menus deep, but as first-class features accessible in one tap.

72h · Maximum breach notification SLA
100% · Consent before data collection
30d · Data erasure SLA on request
0 · Third-party data sales

Your Rights as a Data Principal

  • Right to access a summary of personal data we hold about you
  • Right to correct or update inaccurate personal data
  • Right to erasure of data no longer required for lawful purposes
  • Right to grievance redressal within 30 working days
  • Right to nominate a representative for data rights
  • Right to withdraw consent at any time, with no penalty
  • Right to know the identities of all other Data Fiduciaries and Data Processors with whom your personal data has been shared

Our Obligations as a Data Fiduciary

  • Collect only data necessary for the stated purpose — no dark patterns
  • Obtain free, specific, informed, unconditional, and unambiguous consent, expressed by a clear affirmative action, in plain language
  • Notify you within 72 hours of any personal data breach
  • Appoint a Data Protection Officer (DPO) accessible to every user
  • Conduct Data Protection Impact Assessments for new products
  • Erase data within 30 days upon request or end of retention period
  • Maintain processing records and make them available to the Data Protection Board of India on demand

Consent Framework

Reach's consent mechanism is purpose-specific. Every consent request tells you exactly:

  • What data is being collected
  • Why it is needed
  • How long it will be retained
  • Whether it will be shared with third parties

Data Localisation

All personal data of Indian residents is stored exclusively on servers located within India, hosted on AWS Mumbai (ap-south-1) and Azure Central India. No personal data is transferred to or processed in servers outside India without explicit regulatory approval and user consent.

What we collect, why, and for how long

No ambiguity. Every category of data we hold, the lawful basis, and the retention period — presented plainly.

Data Category · Purpose · Lawful Basis · Retention · Shared With
Identity (PAN, Aadhaar) · KYC/AML, regulatory compliance · Legal obligation (PMLA, SEBI) · 10 years post account closure · RBI, SEBI, FIU-IND (on demand)
Bank Account Details · Payments, mandate registration · Contractual necessity · 7 years post last transaction · Payment banks, NPCI
Investment Portfolio · Advice, reporting, rebalancing · Explicit consent · Duration of relationship + 5 years · AMCs, depositories (on instruction)
Insurance Details · Policy management, claims support · Explicit consent · Policy term + 5 years · Insurers (on instruction only)
Device & Usage Data · Fraud prevention, product improvement · Legitimate interest · 13 months rolling · Not shared
Communication Data · Support, audit trail · Legitimate interest · 3 years · Not shared
01 · Data Minimisation

We collect only what is strictly necessary for the stated purpose. If a field is optional, we never make it mandatory through design.

02 · Purpose Limitation

Data collected for KYC is never repurposed for marketing. Each dataset is siloed to its stated function and cannot be cross-used without fresh consent.
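The two controls above (the purpose-specific grants of the Consent Framework and the retention column of the data table) only mean something if a check enforces them at read time and at erasure time. The following is an added Go example, not Reach's code: the category names, basis strings, the Grant shape and the sample user are this example's own assumptions. It transcribes the retention rules from the table, refuses a marketing read of data held under a KYC grant, lets consent-based grants be withdrawn but not statutory ones, and computes an erasure deadline that an erasure request can bring forward unless a legal obligation still requires the data.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Purpose is the stated purpose a grant binds data to.
type Purpose string

const (
	PurposeKYC       Purpose = "kyc_aml"
	PurposeAdvice    Purpose = "investment_advice"
	PurposeMarketing Purpose = "marketing"
)

// Category carries the lawful basis and retention rule from the table above:
// retention counts in months from the named anchor event.
type Category struct {
	Name, Basis, Anchor string
	RetentionMonths     int
}

// Categories transcribes the page's table; the identifier strings are this
// example's own.
var Categories = map[string]Category{
	"identity":      {"identity", "legal_obligation", "account_closure", 120},
	"bank_account":  {"bank_account", "contractual_necessity", "last_transaction", 84},
	"portfolio":     {"portfolio", "explicit_consent", "relationship_end", 60},
	"insurance":     {"insurance", "explicit_consent", "policy_end", 60},
	"device_usage":  {"device_usage", "legitimate_interest", "collection", 13},
	"communication": {"communication", "legitimate_interest", "collection", 36},
}

// Grant binds one purpose to the categories it may read, on one lawful basis.
// Consent grants can be withdrawn; statutory and contractual ones cannot.
type Grant struct {
	Principal   string
	Purpose     Purpose
	Scope       []string
	Basis       string
	WithdrawnAt *time.Time
}

var ErrNoGrant = errors.New("no live grant binds this purpose to this category")

// Authorize is the purpose-limitation check on every read: the request's
// purpose must match a live grant whose scope names the category, so a KYC
// grant never authorises a marketing read of the same data.
func Authorize(grants []*Grant, principal, category string, purpose Purpose, now time.Time) error {
	for _, g := range grants {
		if g.Principal != principal || g.Purpose != purpose {
			continue
		}
		if g.WithdrawnAt != nil && !now.Before(*g.WithdrawnAt) {
			continue // withdrawal is effective immediately
		}
		for _, c := range g.Scope {
			if c == category {
				return nil
			}
		}
	}
	return ErrNoGrant
}

// Withdraw honours the right to withdraw consent. Processing that rests on a
// legal obligation or a contract is not consent-based and cannot be withdrawn here.
func Withdraw(g *Grant, at time.Time) error {
	if g.Basis != "explicit_consent" {
		return fmt.Errorf("grant rests on %s, not consent", g.Basis)
	}
	g.WithdrawnAt = &at
	return nil
}

// ErasureDeadline runs the retention clock from the anchor event. An erasure
// request pulls the deadline forward to request+30 days, except for categories
// held under a legal obligation, where the statutory period still governs (the
// right to erasure covers data "no longer required for lawful purposes").
func ErasureDeadline(cat Category, anchorAt time.Time, requestAt *time.Time) time.Time {
	deadline := anchorAt.AddDate(0, cat.RetentionMonths, 0)
	if requestAt != nil && cat.Basis != "legal_obligation" {
		if d := requestAt.AddDate(0, 0, 30); d.Before(deadline) {
			deadline = d
		}
	}
	return deadline
}

// SampleGrants is constructed data for one user: a statutory KYC grant and a
// consent-based advice grant.
func SampleGrants() []*Grant {
	return []*Grant{
		{Principal: "user-1", Purpose: PurposeKYC, Scope: []string{"identity", "bank_account"}, Basis: "legal_obligation"},
		{Principal: "user-1", Purpose: PurposeAdvice, Scope: []string{"portfolio"}, Basis: "explicit_consent"},
	}
}

func main() {
	now := time.Date(2026, 2, 1, 0, 0, 0, 0, time.UTC)
	grants := SampleGrants()
	fmt.Println("KYC read of identity:", Authorize(grants, "user-1", "identity", PurposeKYC, now))
	fmt.Println("marketing read of identity:", Authorize(grants, "user-1", "identity", PurposeMarketing, now))
	closed := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("identity erasure due:", ErasureDeadline(Categories["identity"], closed, &now).Format("2006-01-02"))
	fmt.Println("device data erasure due:", ErasureDeadline(Categories["device_usage"], closed, &now).Format("2006-01-02"))
}
```

Authorize belongs in front of the datastore, not in the UI: a batch job that reads the identity store with PurposeMarketing gets ErrNoGrant whoever launched it, which is what "cannot be cross-used without fresh consent" has to mean in practice. Note the asymmetry in ErasureDeadline: an erasure request shortens the device-data retention to 30 days, but identity data held under PMLA keeps its statutory deadline, and the user should be told so rather than given a silent no.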

03 · Storage Security

All data at rest is encrypted with AES-256. All data in transit uses TLS 1.3. Encryption keys rotate automatically every 90 days.

04 · No Data Sales

Reach has never sold, rented, or brokered customer personal data to any third party. We earn revenue from products, not from your data.

05 · Anonymisation

All analytics and internal research use anonymised or pseudonymised datasets. Re-identification is technically prevented at the infrastructure layer.
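Whether re-identification is actually prevented depends on how the pseudonym is made. The following added Go example (not Reach's code; the PAN-shaped identifiers, the attacker's candidate list and the demo key are all constructed) shows the failure mode a practitioner checks for first: a plain SHA-256 of an identifier is not a pseudonym, because anyone holding a candidate list recomputes the same hash and matches it, whereas an HMAC under a key kept outside the analytics environment keeps joins working but gives the candidate list nothing to match against.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample: three PAN-shaped identifiers (not real PANs) held by the
// business, and a candidate list an attacker obtained elsewhere that overlaps on two.
var (
	customerIDs        = []string{"ABCDE1234F", "FGHIJ5678K", "LMNOP9012Q"}
	attackerCandidates = []string{"ABCDE1234F", "LMNOP9012Q", "ZZZZZ0000Z"}
)

// Tokeniser maps an identifier to the stable token analytics joins on.
type Tokeniser func(id string) string

// UnkeyedToken is the anti-pattern: sha256(identifier). The transform is public,
// so anyone with a candidate list recomputes it and matches.
func UnkeyedToken(id string) string {
	sum := sha256.Sum256([]byte(id))
	return hex.EncodeToString(sum[:])
}

// KeyedTokeniser returns HMAC-SHA256 under a secret held outside the analytics
// environment: the same id still yields the same token, so joins keep working,
// but without the key a candidate cannot be turned into a token to compare.
func KeyedTokeniser(key []byte) Tokeniser {
	return func(id string) string {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(id))
		return hex.EncodeToString(m.Sum(nil))
	}
}

// Export is what leaves the production boundary for analytics.
func Export(tok Tokeniser) []string {
	out := make([]string, len(customerIDs))
	for i, id := range customerIDs {
		out[i] = tok(id)
	}
	return out
}

// ReidentifyByDictionary plays the attacker holding the export and a candidate
// list: every token they can recompute is mapped back to its identifier.
func ReidentifyByDictionary(tokens, candidates []string, guess Tokeniser) map[string]string {
	lookup := make(map[string]string, len(candidates))
	for _, c := range candidates {
		lookup[guess(c)] = c
	}
	found := map[string]string{}
	for _, t := range tokens {
		if id, ok := lookup[t]; ok {
			found[t] = id
		}
	}
	return found
}

func main() {
	hit := ReidentifyByDictionary(Export(UnkeyedToken), attackerCandidates, UnkeyedToken)
	fmt.Println("unkeyed sha256: re-identified", len(hit), "of", len(customerIDs))
	key := []byte("demo-secret-held-in-the-kms") // constructed; in practice 32 random bytes that never leave the KMS
	keyed := KeyedTokeniser(key)
	hit = ReidentifyByDictionary(Export(keyed), attackerCandidates, UnkeyedToken)
	fmt.Println("hmac, attacker without key: re-identified", len(hit))
	hit = ReidentifyByDictionary(Export(keyed), attackerCandidates, keyed)
	fmt.Println("hmac, key holder: re-identified", len(hit))
}
```

The last call is the caveat: whoever holds the key can still re-identify, so a keyed token is pseudonymised rather than anonymised data, and the asset the infrastructure layer has to keep away from analytics is the key, not the token table. Truly anonymised datasets additionally need the quasi-identifiers (timestamps, postcodes, balances) generalised, which no tokeniser does for you.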

06 · Vendor Due Diligence

Every third-party processor undergoes annual security audit. Data processing agreements (DPAs) are in place with all sub-processors before any data is shared.

Third-party validated, annually renewed

Compliance claims without third-party verification are just words. Every certification below has been independently audited and is publicly verifiable.

ISO/IEC 27001:2022
Active
Information Security Management System. Covers the full scope of our technology infrastructure, data handling, access controls, and incident response processes.
Issued: Feb 2024 · Expires: Feb 2027 · Auditor: BSI Group India
SOC 2 Type II
Active
Security, Availability, and Confidentiality trust service criteria. Covers a 12-month observation period, ensuring controls are not just designed but consistently operating.
Period: Apr 2024–Mar 2025 · Auditor: Deloitte India · Report available on request
PCI DSS v4.0
Active
Payment Card Industry Data Security Standard for handling card-present and card-not-present transactions. We are classified as a Level 1 Merchant and Service Provider.
Annual QSA assessment · Quarterly network scans · Report on Compliance available to partners
VAPT by CERT-In Empanelled Auditor
Active
Semi-annual vulnerability assessment and penetration testing (VAPT) conducted by CERT-In empanelled auditors, as mandated for RBI-regulated and SEBI-registered entities.
Semi-annual VAPT · Last conducted: Oct 2025 · Next: Apr 2026
DPDP Act 2023 — Readiness Certified
Active
Independent readiness assessment against all 40+ requirements of the Digital Personal Data Protection Act 2023, including consent management, data principal rights, and breach notification frameworks.
Assessed: December 2024 · Assessor: EY India · Full report on file with DPO
RBI Master Direction on IT (2023)
Compliant
Full compliance with the RBI Master Direction on Information Technology Governance, Risk, Controls, and Assurance Practices for NBFCs, reviewed and attested by our statutory auditors.
Attestation: March 2025 · Statutory Auditor: S.R. Batliboi & Associates LLP

Defence-in-depth, at every layer

Security at Reach is not a product feature or a marketing claim. It is an engineering principle applied at every layer of the stack — from the customer's device to our data centre.

Encryption

AES-256 at rest. TLS 1.3 in transit. Database-level field encryption for PII. HSM-backed key management with 90-day rotation.
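The combination stated here and under Storage Security (field-level AES-256, HSM-backed keys, 90-day rotation) is normally built as envelope encryption: each record gets its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that never leaves the HSM, and rotation mints a new KEK version and rewraps the small DEKs rather than re-encrypting every field. The following is an added Go example of that structure using the standard library's AES-GCM, not Reach's code; the in-memory keyring, the version-in-AAD binding and the PAN-shaped sample value are this example's own assumptions, and in production the wrap and unwrap calls would go to the HSM/KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope sits next to the record: the per-record DEK wrapped by a KEK, plus the KEK version.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte // AES-256-GCM under the KEK, nonce prefixed
	Ciphertext []byte // AES-256-GCM under the DEK, nonce prefixed
}

// Keyring: every KEK version still allowed to unwrap (in an HSM these bytes never leave the device).
type Keyring struct {
	keks    map[int][]byte // version -> 32-byte AES-256 key; delete = retire
	current int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without a CSPRNG there is no safe way to continue
	}
	return b
}

// seal prefixes the random nonce to the GCM output; open expects the same layout.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so these cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// versionAAD authenticates the version field together with the wrapped DEK, so
// an edited version number fails authentication instead of yielding garbage.
func versionAAD(v int) []byte { return []byte(fmt.Sprintf("kek-v%d", v)) }

// Rotate mints a new KEK and makes it current (a timer would call this every 90
// days); old versions stay until every envelope bound to them is rewrapped.
func (r *Keyring) Rotate() {
	r.current++
	r.keks[r.current] = randomBytes(32)
}

// Encrypt: fresh DEK per record, field under the DEK, DEK under the current KEK.
func (r *Keyring) Encrypt(plaintext []byte) *Envelope {
	dek := randomBytes(32)
	return &Envelope{KEKVersion: r.current, WrappedDEK: seal(r.keks[r.current], dek, versionAAD(r.current)), Ciphertext: seal(dek, plaintext, nil)}
}

// unwrap fails closed for a retired version: the record is simply unreadable.
func (r *Keyring) unwrap(env *Envelope) ([]byte, error) {
	k, ok := r.keks[env.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK v%d retired; envelope was never rewrapped", env.KEKVersion)
	}
	return open(k, env.WrappedDEK, versionAAD(env.KEKVersion))
}

func (r *Keyring) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := r.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope to the current KEK without touching the ciphertext;
// rewriting only the small wrapped DEK is what keeps 90-day rotation cheap.
func (r *Keyring) Rewrap(env *Envelope) error {
	dek, err := r.unwrap(env)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = r.current, seal(r.keks[r.current], dek, versionAAD(r.current))
	return nil
}

func main() {
	ring := &Keyring{keks: map[int][]byte{}}
	ring.Rotate()
	env := ring.Encrypt([]byte("ABCDE1234F")) // constructed PAN-shaped sample, not a real PAN
	ring.Rotate()
	fmt.Println(ring.Rewrap(env), env.KEKVersion)
}
```

The operational sequence is Rotate, sweep every envelope through Rewrap, then retire the old version; anything missed by the sweep becomes unreadable rather than silently decryptable, which is the property to test for before deleting a KEK version from the HSM.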

Identity & Access

Zero-trust access model. RBAC with least-privilege enforcement. MFA mandatory for all internal systems. PAM for privileged accounts.

Monitoring

24×7 SOC with SIEM integration. Anomaly detection on all transaction streams. Dark-web monitoring for credential exposure.

Resilience

Active-active multi-AZ deployment. RTO: 4 hours. RPO: 15 minutes. Annual DR drills with board-level sign-off.

Vulnerability Management

Continuous automated scanning. Responsible disclosure programme. Critical patches deployed within 24 hours of disclosure. No known critical vulnerabilities unpatched beyond SLA.

Bug Bounty

Public bug bounty programme on HackerOne. Scope covers all customer-facing products and APIs. Rewards up to ₹5,00,000 for critical findings.

A complaint is a gift. We treat it that way.

Every grievance at Reach is assigned a unique ticket number, logged immutably, and escalated through a structured four-tier process. You are never left without a path forward.

01 · In-App Support

Raise a ticket directly from the app or website. Acknowledgement within 2 business hours with a unique complaint reference number.

Resolution: 5 business days

02 · Nodal Officer

If unresolved at Level 1, escalate to our Nodal Officer by email or registered post. Every escalation is reviewed by a senior compliance officer.

Resolution: 10 business days

03 · Principal Nodal Officer

Unresolved complaints escalate automatically to the Principal Nodal Officer (PNO), who reports directly to the Board's Audit Committee.

Resolution: 15 business days

04 · Regulatory Redressal

Customers may approach SEBI SCORES, IRDAI IGMS, RBI Ombudsman, or the Data Protection Board depending on the nature of the complaint.

Resolution: as per regulator SLA

Role · Name · Email · Notes
Data Protection Officer · Available on request · dpo@reachfinancials.in · DPDP compliance queries only
Nodal Officer · Available on request · nodal@reachfinancials.in · Reach Financials Pvt. Ltd., Mumbai
Principal Nodal Officer · Available on request · pno@reachfinancials.in · Reports to Board Audit Committee
Compliance Officer · Available on request · compliance@reachfinancials.in · Regulatory filings and SEBI/IRDAI matters

Our compliance history, made public

A record of significant compliance milestones, regulatory interactions, and self-disclosed incidents. We believe transparency after the fact is as important as prevention before it.

February 2026
SOC 2 Type II — Observation Period Begins (FY2025–26)
Annual 12-month observation period commenced for renewal of SOC 2 Type II certification. No control deficiencies identified in prior period.
December 2025
DPDP Act 2023 — Independent Readiness Assessment Completed
EY India completed a gap assessment against all requirements of the Digital Personal Data Protection Act 2023. Zero high-risk gaps identified. Medium-risk items remediated within 30 days.
October 2025
Semi-Annual VAPT Completed — Zero Critical Findings
CERT-In empanelled auditor completed vulnerability assessment and penetration testing across all production systems. No critical vulnerabilities identified. Three medium-severity findings remediated within SLA.
August 2025
IRDAI — Composite Broker License Renewed
Composite broker license renewed for a further three-year term following successful inspection by IRDAI. Inspection covered solvency margin, complaint ratios, and sales practices.
March 2025
RBI Master Direction on IT — Statutory Attestation Filed
Annual compliance attestation under the RBI Master Direction on IT Governance, Risk and Controls filed with the RBI. Attested by S.R. Batliboi & Associates LLP.
February 2024
ISO 27001:2022 — Certified (First Cycle)
Reach achieved ISO 27001:2022 certification following a two-stage audit by BSI Group India. Scope covers the full technology and operations function.
September 2023
Self-Disclosure: Low-Severity Data Anomaly
A misconfigured API endpoint exposed non-sensitive metadata (account creation timestamps and product categories; no PII, no financial data) for approximately 1,200 accounts over a period of 6 hours. Discovered via internal monitoring. Root cause patched within 4 hours. Affected users were notified proactively, and the incident was reported to CERT-In within 6 hours, as the CERT-In directions of April 2022 require.

Reach the right person, fast

Compliance, data rights, security disclosures — every query has a dedicated point of contact with a committed response time.

🔐 Security Disclosures

Report a vulnerability through our bug bounty programme or directly to our security team.

security@reachfinancials.in

🛡️ Data Protection Officer

Exercise your DPDP data rights, consent withdrawal, or data erasure requests.

dpo@reachfinancials.in

⚖️ Compliance & Legal

Regulatory correspondence, legal notices, law enforcement requests.

compliance@reachfinancials.in

Regulatory Disclosures

Reach Financials Pvt. Ltd. is registered with SEBI as an Investment Adviser (Reg. No. INH000XXXXXX), IRDAI as a Composite Insurance Broker, AMFI as a Mutual Fund Distributor (ARN-XXXXXX), and is an RBI-regulated NBFC Account Aggregator. Investments in securities are subject to market risk. Past performance is not indicative of future returns. Insurance is subject to terms, conditions, and exclusions of the policy. Please read all scheme-related documents carefully before investing. Reach Financials is not a bank and does not offer deposit products. NBFC services are not covered by DICGC insurance.

This Trust Center is reviewed quarterly. Last updated: February 2026. For the most current regulatory status of any license, please verify directly with the respective regulatory authority.