Data Security (PII & PCI)
Vruksha ERP holds sensitive personal and financial information — PAN, Aadhaar, GSTIN, bank account numbers, contact details, addresses, and uploaded legal/financial documents. To protect this data and support compliance (PII protection and PCI-DSS-style handling of cardholder/financial data), the system masks sensitive information by default and only reveals the full value to people who hold the right permission — recording every reveal in the audit trail.
This page explains what you will see, how to reveal a value when you are authorised, which roles can reveal what, and how files of different sensitivity levels are protected.
Masking by default
Whenever sensitive data appears in a list or on a detail page, it is shown masked by default. The full (plaintext) value is never sent to your screen until you explicitly request a reveal and you have permission for it.
Masking does not change how the app works otherwise. Lists, detail pages, filters, and sorting behave exactly as before, and searching by name, status, type, or date is unchanged. The only difference is that protected fields display in a masked form unless you reveal them.
Masking formats
The masking style depends on the field:
| Field(s) | Masked format | Example |
|---|---|---|
| Most fields — PAN, Aadhaar, email, mobile, alternate mobile, IFSC | **** followed by the last 4 characters. If the value is 4 characters or shorter, it shows just ****. | PAN ****234F, Aadhaar ****9012 |
| GSTIN | **** followed by the last 6 characters | ****34Z5W1 |
| Bank account number | •••• (bullets) followed by the last 4 digits | ••••6789 |
| Address line 1, address line 2, and locality | Fully masked as **** | **** |
Which fields are masked
Masking applies to the following sensitive fields on each entity:
| Entity | Masked fields |
|---|---|
| Party | PAN, Aadhaar, GSTIN, email, mobile, alternate mobile, address line 1, address line 2, locality |
| Partner | PAN, GSTIN, email, mobile, alternate mobile, business address (lines/locality), personal address (lines/locality) |
| Bank Account | Account number, IFSC |
| User | Email, phone, address |
| Lead | Phone, email, address |
| Sensitive custom fields | Any custom-field value whose definition is marked "sensitive" (see Sensitive custom fields) |
Revealing a value
Next to a masked value you will see an eye / reveal control. Clicking it asks the system to return the full value for that one field.
A reveal succeeds only if you hold the matching permission for that entity. If you do, the plaintext is shown and the action is recorded in the audit trail. If you do not, the value stays masked and you receive a "you do not have permission to perform this action" message.
Reveal is available for: Party, Partner, Bank Account, User, Lead, and sensitive custom-field values. Each is gated by its own permission (see Sensitive-data permissions).
Sensitive-data permissions
Nine permissions govern who can reveal PII and download sensitive files. They are granted through organization roles.
| Permission | What it unlocks |
|---|---|
| Parties — view sensitive | Reveal masked PII on parties (PAN, Aadhaar, GSTIN, email, mobile, address) |
| Partners — view sensitive | Reveal masked PII on partners |
| Bank accounts — view sensitive | Reveal masked account number and IFSC |
| Users — view sensitive | Reveal masked email, phone, and address on users |
| Leads — view sensitive | Reveal masked phone, email, and address on leads |
| Custom fields — view sensitive | Reveal values of custom fields marked "sensitive" |
| Documents — download sensitive | Download/preview files at SENSITIVE level and above |
| Files — view PCI | Required (in addition) to access PCI-DSS files |
| Files — view confidential | Required (in addition) to access CONFIDENTIAL files |
Who holds them by default
| Role | Sensitive-data permissions granted |
|---|---|
| Admin | All nine |
| Finance Manager | Four: Bank accounts — view sensitive, Documents — download sensitive, Files — view PCI, Custom fields — view sensitive |
| Partner, Self-Managed Partner, Sales Head, Sales Staff, Project Manager, People Manager (HR) | None — masked values only |
Finance Manager deliberately does not receive party, partner, user, or lead reveal, nor the confidential-files permission. Everyone other than Admin and Finance Manager sees masked values everywhere and cannot reveal them. See the RBAC Matrix for how these fit alongside all other permissions.
File sensitivity tiers
Every stored file — whether a document or a custom-field upload — carries one of five sensitivity levels. The permissions required to download or preview a file are cumulative: to open a file you need all the permissions listed for its level.
| Level | Permissions needed (cumulative) | Direct download link | Step-up re-authentication |
|---|---|---|---|
| PUBLIC | Documents — view | Yes (link valid ≤ 15 min) | No |
| INTERNAL | Documents — view | Yes (link valid ≤ 15 min) | No |
| SENSITIVE | Documents — view + Documents — download sensitive | No — streamed through the app only | No |
| PCI_DSS | Documents — view + Documents — download sensitive + Files — view PCI | No — streamed only | No |
| CONFIDENTIAL | Documents — view + Documents — download sensitive + Files — view confidential | No — streamed only | Yes (recommended) |
How a file's level is decided:
- A file inherits its level from its document type's default sensitivity. A custom-field upload inherits the level from the field definition's sensitivity.
- If the level cannot be determined, the system treats the file as the strictest level — CONFIDENTIAL.
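As an added example (not code from Vruksha ERP), the cumulative rule from the table above written out as a single decision function, including the fallback that treats an undetermined level as CONFIDENTIAL, the "direct link only for PUBLIC/INTERNAL" delivery rule and the step-up flag for CONFIDENTIAL. The permission identifier strings and the two sample permission sets are assumptions for illustration, not the product's own identifiers or role defaults:

```python
from dataclasses import dataclass

# Permission identifiers are assumed (the product's real identifiers are not on
# this page); the comment on each gives the name used in the tables above.
DOC_VIEW = "documents.view"                               # Documents - view
DOC_DOWNLOAD_SENSITIVE = "documents.download_sensitive"   # Documents - download sensitive
FILES_VIEW_PCI = "files.view_pci"                         # Files - view PCI
FILES_VIEW_CONFIDENTIAL = "files.view_confidential"       # Files - view confidential

STRICTEST_LEVEL = "CONFIDENTIAL"

# Permissions required per level; each tier adds to the ones below it, so a
# caller must hold every permission in the set for the file's level.
REQUIRED_PERMISSIONS = {
    "PUBLIC": frozenset({DOC_VIEW}),
    "INTERNAL": frozenset({DOC_VIEW}),
    "SENSITIVE": frozenset({DOC_VIEW, DOC_DOWNLOAD_SENSITIVE}),
    "PCI_DSS": frozenset({DOC_VIEW, DOC_DOWNLOAD_SENSITIVE, FILES_VIEW_PCI}),
    "CONFIDENTIAL": frozenset({DOC_VIEW, DOC_DOWNLOAD_SENSITIVE, FILES_VIEW_CONFIDENTIAL}),
}

# Only the two lowest tiers may be served via a short-lived direct link
# (valid at most 15 minutes); everything else is streamed through the app.
DIRECT_LINK_LEVELS = frozenset({"PUBLIC", "INTERNAL"})
DIRECT_LINK_MAX_SECONDS = 15 * 60
STEP_UP_LEVELS = frozenset({"CONFIDENTIAL"})   # step-up re-authentication recommended


@dataclass(frozen=True)
class AccessDecision:
    level: str            # effective level after the fallback rule
    allowed: bool
    missing: frozenset    # permissions the caller lacks; empty when allowed
    delivery: str         # "direct-link", "stream" or "deny"
    step_up: bool         # whether step-up re-authentication is recommended


def effective_level(level):
    """Apply the fallback rule: an unknown or missing level is treated as the
    strictest tier rather than the most permissive one."""
    if level in REQUIRED_PERMISSIONS:
        return level
    return STRICTEST_LEVEL


def decide_file_access(level, granted):
    """Decide whether a caller holding `granted` may open a file stored at
    `level`, and how the bytes would be delivered if so."""
    lvl = effective_level(level)
    missing = REQUIRED_PERMISSIONS[lvl] - frozenset(granted)
    allowed = not missing
    if not allowed:
        delivery = "deny"
    elif lvl in DIRECT_LINK_LEVELS:
        delivery = "direct-link"
    else:
        delivery = "stream"
    return AccessDecision(lvl, allowed, missing, delivery, allowed and lvl in STEP_UP_LEVELS)


def direct_link_ttl(level):
    """Seconds a direct link may stay valid, or None when no direct link is
    ever issued for this level (SENSITIVE and above)."""
    if effective_level(level) in DIRECT_LINK_LEVELS:
        return DIRECT_LINK_MAX_SECONDS
    return None


# Constructed permission sets for illustration only. Which roles hold which of
# these by default is defined in the RBAC Matrix, not here.
FINANCE_LIKE = frozenset({DOC_VIEW, DOC_DOWNLOAD_SENSITIVE, FILES_VIEW_PCI})
VIEWER_ONLY = frozenset({DOC_VIEW})

if __name__ == "__main__":
    for lvl in ["PUBLIC", "SENSITIVE", "PCI_DSS", "CONFIDENTIAL", None]:
        print(lvl, decide_file_access(lvl, FINANCE_LIKE))
```

The important design point is that `effective_level` fails closed: a file whose document type or field definition carries no sensitivity resolves to the CONFIDENTIAL requirement set, so a misconfigured upload can only be over-protected, never handed out through a direct link.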
For SENSITIVE and above, the system never issues a shareable direct link. The file is streamed through the authenticated app after the permission check passes, so access cannot be forwarded to someone without the right permissions.
Sensitive custom fields
A custom field definition can be marked "sensitive". When it is:
- Its values are encrypted at rest and masked in responses.
- Only users with the Custom fields — view sensitive permission can reveal the plaintext (an audited reveal, like any other).
Sensitive custom fields are supported on Stocks, Subprojects, Units, and Documents.
Audit guarantees
Every reveal of PII and every download of a SENSITIVE-or-above file is recorded in the Audit & Logs trail, capturing who performed the action, when, and which entity/field was involved.
Crucially, the audit records store only the masked value — plaintext PII is never written to the audit log. This means the trail proves that an authorised reveal happened without itself becoming a place where sensitive data is exposed.
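The three behaviours described on this page (the masking formats table, the permission-gated reveal under "Revealing a value", and the audit guarantee just above) fit together in one small service. The following is an added example in Python, not Vruksha ERP's own code: field and permission identifiers, the in-memory store and the sample record are all assumptions or constructed data, and the rule that a GSTIN no longer than 6 characters shows only the mask extends the page's 4-character rule by analogy.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Masking rule per field: (mask prefix, number of trailing characters kept).
# Keeping 0 characters means the value is fully masked. Field identifiers are
# assumed; the rules themselves follow the "Masking formats" table.
MASK_RULES = {
    "pan": ("****", 4),
    "aadhaar": ("****", 4),
    "email": ("****", 4),
    "mobile": ("****", 4),
    "alternate_mobile": ("****", 4),
    "ifsc": ("****", 4),
    "gstin": ("****", 6),
    "account_number": ("••••", 4),
    "address_line_1": ("****", 0),
    "address_line_2": ("****", 0),
    "locality": ("****", 0),
}
FULL_MASK = ("****", 0)   # assumption: a field without a rule is fully masked


def mask_value(field_name, value):
    """Return the display form of a sensitive value. A value no longer than
    the kept suffix shows only the mask (stated on the page for the 4-char
    rule; applying it to the 6-char GSTIN rule is an assumption)."""
    prefix, keep = MASK_RULES.get(field_name, FULL_MASK)
    if value is None or keep == 0 or len(value) <= keep:
        return prefix
    return prefix + value[-keep:]


# Permission needed to reveal PII on each entity (identifiers assumed).
REVEAL_PERMISSION = {
    "party": "parties.view_sensitive",
    "partner": "partners.view_sensitive",
    "bank_account": "bank_accounts.view_sensitive",
    "user": "users.view_sensitive",
    "lead": "leads.view_sensitive",
    "custom_field": "custom_fields.view_sensitive",
}
PERMISSION_DENIED = "you do not have permission to perform this action"


@dataclass(frozen=True)
class AuditEntry:
    actor: str
    action: str
    entity: str
    entity_id: str
    field_name: str
    masked_value: str    # only ever the masked form, never plaintext
    at: str


class RevealService:
    """Serves masked views, and plaintext only through an audited reveal."""

    def __init__(self, store):
        self.store = store   # {(entity, entity_id): {field_name: plaintext}}
        self.audit = []      # stands in for the Audit & Logs trail

    def list_view(self, entity, entity_id):
        """What a list or detail page receives: every protected field masked,
        so plaintext never reaches the screen without an explicit reveal."""
        record = self.store[(entity, entity_id)]
        return {f: mask_value(f, v) for f, v in record.items()}

    def reveal(self, actor, granted, entity, entity_id, field_name):
        """Return one field's plaintext if `granted` includes the entity's
        reveal permission; record the reveal with the masked value only."""
        if REVEAL_PERMISSION[entity] not in granted:
            raise PermissionError(PERMISSION_DENIED)
        plaintext = self.store[(entity, entity_id)][field_name]
        self.audit.append(AuditEntry(
            actor=actor, action="reveal", entity=entity, entity_id=entity_id,
            field_name=field_name, masked_value=mask_value(field_name, plaintext),
            at=datetime.now(timezone.utc).isoformat()))
        return plaintext

    def audit_contains_plaintext(self):
        """Check the guarantee: no stored plaintext appears in any audit entry."""
        secrets = [v for rec in self.store.values() for v in rec.values() if v]
        return any(s in e.masked_value for e in self.audit for s in secrets)


def reveal_or_message(svc, actor, granted, entity, entity_id, field_name):
    """Mirror what the UI shows: the plaintext on success, the denial message
    otherwise (the masked value stays on screen in that case)."""
    try:
        return svc.reveal(actor, granted, entity, entity_id, field_name)
    except PermissionError as exc:
        return str(exc)


# Constructed sample records (not real data).
SAMPLE_STORE = {
    ("party", "P-1"): {
        "pan": "ABCDE1234F",
        "gstin": "29ABCDE1234F1Z5",
        "mobile": "9876543210",
        "address_line_1": "12 Sample Road",
    },
    ("bank_account", "B-1"): {"account_number": "123456789", "ifsc": "SBIN0001234"},
}
```

Note that a denied reveal raises before anything is read from the store and leaves no audit entry, while a successful one records the same masked form the list view already showed; `audit_contains_plaintext` is the check a reviewer would run to confirm the trail never becomes a second copy of the PII.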
What this means for you
- Most users see masked values everywhere and work exactly as before — nothing changes for browsing, filtering, sorting, or searching by name/status/type/date.
- Admins can reveal any masked value and open files at every level.
- Finance Managers can reveal bank details and sensitive custom fields, and download sensitive/PCI files, but cannot reveal party, partner, user, or lead PII.
- Every reveal and sensitive-file download leaves an audit record, so access is accountable.
Related: RBAC Matrix for the full permission model, Audit & Logs for the trail itself, Manage Parties and Bank Accounts for where masked fields appear, and Documents for uploaded-file handling.