GrihaNexus handles some of the most sensitive data a person owns. We treat it that way — consent-first, verified at source, and encrypted end-to-end. Here is exactly how, and where we are on the journey.
The borrower approves exactly what data is shared, for what purpose, and for how long — in plain language, revocable anytime. This is the DPDP Act's core principle and the basis of the Account Aggregator flow.
Instead of trusting uploaded PDFs (which can be forged), GrihaNexus is built to pull bank statements via RBI's Account Aggregator and identity via DigiLocker/CKYC — data signed by the institution that holds it.
We collect only what a file needs, encrypt it in transit and at rest, and follow tiered retention — keeping regulatory records as RBI/PMLA require and erasing non-essential data on consent withdrawal.
We believe in being precise about what is live today versus on the roadmap. No vague claims.
Consent-first data handling, data minimization, purpose limitation, and the right to erasure are built into how GrihaNexus collects and processes borrower data.
Architected to consume bank data through India's RBI-regulated, consent-based Account Aggregator framework (ReBIT APIs, via Sahamati) — verified data straight from the source, not forgeable PDFs.
Designed to verify PAN, Aadhaar, and KYC from government-grade sources rather than relying on uploaded copies alone.
Built to pull consented credit reports so the readiness score reflects a real bureau pull, not a guess.
All borrower data is encrypted end-to-end. Documents are processed over secure channels and never exposed publicly.
We are building toward formal SOC 2 Type II and ISO 27001 certification as we onboard our first lending partners.
References: DPDP Act 2023 & DPDP Rules 2025; RBI Master Direction — NBFC-Account Aggregator; ReBIT API specifications (Sahamati, the RBI-recognised SRO for the AA ecosystem).
We'll walk your compliance and IT teams through our data flows, consent model, and roadmap.