Security & Compliance

Five Layers. Every Control. No Exceptions.

SkySuite handles invoice data, GST records, ERP credentials and financial transactions for India's largest enterprises. Here is exactly how every layer of that data is protected — specific, verifiable and permanent.

Encryption at rest: AES-256
Encryption in transit: TLS 1.3
Platform uptime SLA: 99.9%
Immutable log retention: 7yr
Data residency: India (always)
Security incidents since founding: 0
Security Architecture

The Five Security Layers.

Each layer operates independently. A failure or breach at any outer layer cannot propagate inward. Your data is protected by defence in depth — not a single perimeter.

01 Network Security: Perimeter Defense
Web Application Firewall, DDoS protection and intrusion detection. All external traffic inspected before it reaches the application layer.
Technical Controls
Web Application Firewall — inspects all HTTP/S traffic, blocks OWASP Top 10 attack vectors before they reach the application
DDoS Protection — automatic detection and mitigation of volumetric and protocol attacks, absorbing up to 1Tbps of attack traffic
Intrusion Detection — real-time analysis of network traffic patterns, automatic alerting and blocking on anomalous behaviour
TLS 1.3 enforced — all external connections require TLS 1.3 minimum, older protocols disabled at the network edge
Live Status
WAF: Active
DDoS Protection: Active
IDS/IPS: Active
TLS Enforcement: TLS 1.3
02 Access Control: Identity & Permissions
Role-based access control with least-privilege enforcement. MFA required for all users. SSO integration via SAML 2.0 and OIDC.
Technical Controls
Role-Based Access Control — granular permissions enforced at the API layer. CFO, Tax Head, Finance team and Audit roles each have distinct, non-overlapping access scopes
Multi-Factor Authentication — enforced for all user accounts. TOTP and hardware security key supported. No MFA bypass permitted for any role
SSO Integration — SAML 2.0 and OIDC support for enterprise identity providers including Okta, Azure AD and Google Workspace
Session Management — automatic session expiry, concurrent session limits and anomalous login detection with automatic account lock
Live Status
RBAC Engine: Active
MFA Enforcement: 100%
SSO: SAML 2.0
Session Timeout: 8hr max
03 Data Encryption: At Rest & In Transit
AES-256 encryption for all data at rest. TLS 1.3 in transit. Encryption keys managed via dedicated HSM with 90-day automatic rotation.
Technical Controls
AES-256 at Rest — all stored data encrypted using AES-256-GCM. Applies to primary databases, backups, logs and all file storage. No plaintext data at rest anywhere in the system
TLS 1.3 in Transit — all data in transit encrypted using TLS 1.3. Perfect forward secrecy enforced. Certificate pinning on all mobile and desktop clients
Hardware Security Module — encryption keys managed in dedicated HSM. Keys never exposed in software. Automatic 90-day key rotation with zero-downtime re-encryption
Database Field-Level Encryption — sensitive financial fields (GSTIN, bank details, invoice amounts) encrypted at field level in addition to full-database encryption
Live Status
At-Rest Encryption: AES-256
In-Transit Encryption: TLS 1.3
HSM Status: Active
Key Rotation: 90 days
04 Audit Logging: Immutable Record
Every user action, API call and data access logged immutably with timestamp and context. Retained for 7 years. Cryptographically signed to prevent tampering.
Technical Controls
100% Action Coverage — every user action, automated system action, API call and data read/write logged. No gaps. No sampling. Complete record
Cryptographic Signing — each log entry signed with HMAC-SHA256. Tampering with any entry invalidates the chain. Immutable by design, not just by policy
7-Year Retention — all audit logs retained for 7 years, satisfying GST audit requirements. Logs stored in write-once storage with geographic redundancy
Real-Time Alerting — anomalous access patterns trigger instant alerts to our security team. Automated response blocks suspicious sessions within seconds
Live Status
Log Coverage: 100%
HMAC Signing: Active
Retention: 7 years
Anomaly Alerts: Real-time
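
An added illustration of the HMAC-SHA256 log signing described under Audit Logging above; it is not TraCarta's code. It assumes a chain in which each entry's tag also covers the previous entry's tag (a construction the page does not specify), and the key, field names and sample records are constructed.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed fixed starting value for the chain


def _tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    # Canonical JSON so the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def append(log: list, key: bytes, record: dict) -> None:
    """Append a record whose tag covers the previous entry's tag."""
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    log.append({"record": record, "tag": _tag(key, prev, record).hex()})


def first_invalid(log: list, key: bytes) -> int:
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(key, prev, entry["record"])
        try:
            stored = bytes.fromhex(entry["tag"])
        except ValueError:
            return i  # a tag that is not valid hex counts as tampering
        if not hmac.compare_digest(expected, stored):  # constant-time compare
            return i
        prev = stored
    return -1


def build_sample_log(key: bytes) -> list:
    # Constructed sample records, not real audit data.
    log = []
    append(log, key, {"ts": "2024-01-01T09:00:00Z", "user": "tax.head", "action": "login"})
    append(log, key, {"ts": "2024-01-01T09:01:10Z", "user": "tax.head", "action": "export_invoices"})
    append(log, key, {"ts": "2024-01-01T09:05:42Z", "user": "auditor", "action": "read_gst_record"})
    return log


if __name__ == "__main__":
    k = b"demo-key-not-for-production"  # assumption: a real key would stay in the HSM
    sample = build_sample_log(k)
    print("intact chain:", first_invalid(sample, k))
    sample[1]["record"]["action"] = "login"  # edit one entry in place
    print("after edit:", first_invalid(sample, k))
```

Removing entries from the end leaves a shorter chain that still verifies, so the latest tag or the entry count has to be anchored somewhere the log writer cannot rewrite, such as the write-once storage the page mentions.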
05 Infrastructure: Availability & Recovery
Multi-zone redundant deployment in Indian data centres. Automated failover with RTO under 15 minutes. Daily encrypted backups tested monthly.
Technical Controls
Multi-Zone Redundancy — all services deployed across three independent availability zones within India. Any single zone failure triggers automatic failover with no data loss
India Data Residency — all data stored and processed exclusively in Indian data centres. No cross-border data transfer. No international cloud routing under any circumstances
RTO < 15 Minutes — recovery time objective of under 15 minutes for any failure scenario. RPO of zero — no data loss on failover due to synchronous replication
Daily Backup + Monthly Restore Test — encrypted backups taken daily. Restoration procedures tested every month with documented results. Backups retained for 90 days
Live Status
Multi-Zone: 3 zones
Data Residency: India only
RTO: < 15 min
Uptime (90d): 99.97%
Defence in Depth

Five Independent Security Boundaries.

Each layer operates independently. A compromise at any outer layer cannot automatically access the next. Your data sits at the centre of five separate, non-overlapping security boundaries — each requiring its own credentials, each logged independently, each monitored in real time.

[Diagram: Your Data at the centre, surrounded by the Audit Logging, Encryption, Access Control, Network Security and Infrastructure boundaries.]
Data Practices

Your Data. Your Rules.

Five clear commitments about how we handle your data. No hedging. No "we may share with trusted partners." These are the actual rules we operate by.

Your data never leaves India.

All data stored and processed exclusively in Indian data centres. No cross-border transfer under any circumstances — not for backups, not for analytics, not for support access.

Your data is never shared.

We do not sell, share or make available your data to any third party — not to advertisers, not to analytics platforms, not to other customers. Your financial data is yours alone.

Your data is isolated from other customers.

Each customer's data is logically and cryptographically isolated at the database, application and network layers. No multi-tenant data leakage is architecturally possible.

You can export or delete at any time.

Request a complete data export at any time — delivered within 5 business days. Request deletion and all your data is permanently removed within 30 days, including from backups and logs.

If something goes wrong, you hear first.

In the event of any security incident affecting your data, you will be notified within 24 hours — with full disclosure of scope, impact and every remediation step taken.

Security Incidents Since Founding: 0
Zero.

No data breaches. No unauthorised access. No customer data exposed. Since TraCarta's founding in 2022, the security record is clean — and we intend to keep it that way.

Request Our Security Documentation.

Our full security documentation — architecture diagrams, penetration test reports, data processing agreements and security questionnaire responses — available on request for enterprise procurement and IT security teams.

Security Architecture Document

Full technical specification of all five security layers, controls, encryption standards and monitoring procedures.

Penetration Test Report

Independent third-party penetration test results, findings and remediation confirmation. Updated annually.

Data Processing Agreement

Our standard DPA, including data handling commitments, sub-processor list and breach notification procedures.

Security Questionnaire

Pre-completed responses to standard enterprise security questionnaires — CAIQ, VSAQ and custom vendor assessment forms.