rewamp full web application ensure registration and all the other thing works as per the document shared Document 1: Product Requirements Document (PRD) - Kirana.pro Investor Investment Flow 1. Introduction Purpose: This document outlines the requirements for the Kirana.pro Investor Onboarding and Investment Flow. This feature allows potential investors to express interest, register, complete necessary verification (KYC/AML), and digitally invest in Kirana.pro's community investment round via the website. Goals: Enable Kirana.pro to raise funds (Target: ₹8 Cr) through a community investment round. Provide a seamless, transparent, and compliant digital onboarding and investment experience. Engage the Kirana.pro community (users, partners, supporters) as investors. Build a scalable platform for potential future funding rounds. Ensure compliance with relevant Indian regulatory requirements (SEBI guidelines, KYC/AML norms, Companies Act). Target Audience: Potential investors, including: Individuals (Indian Residents, NRIs) Entities (Companies, LLPs, Trusts registered in India) Accredited and Non-Accredited investors (Note: Specific regulations apply based on the offering structure – this needs legal clarification. The PRD assumes the platform must cater to the legally permissible investor types for this specific round). Scope: In Scope: User registration & login, investor type selection, KYC data collection & document upload (Individual & Entity), KYC verification workflow (Admin), investment amount entry, document display & e-signature, payment instruction display, payment confirmation (manual/semi-automated reconciliation), investor dashboard (basic view of investment). Out of Scope (for this version): Fully automated payment integration (direct debit/gateway for large sums), secondary market trading, advanced portfolio analytics, fully automated KYC verification without admin review (initially), international entity investment (beyond NRIs/OCIs subject to FEMA/RBI rules). 2. User Personas (Examples) Anjali (35, Tech Professional, Indian Resident): Uses Kirana.pro app, believes in the mission. Wants to make a small investment (₹2-5 Lakhs). Tech-savvy, expects a smooth digital experience. Needs clear instructions for KYC and payment. Ravi (48, Small Business Owner, Indian Resident): Kirana.pro partner (store owner). Wants to invest ₹10 Lakhs via his Proprietorship/LLP. Less tech-savvy than Anjali. Needs clear guidance on entity KYC requirements and document uploads. Priya (40, NRI based in Singapore): Works in finance, familiar with startup investing. Wants to invest ₹15 Lakhs. Needs clarity on NRI investment process, FEMA compliance, NRO account usage, and specific KYC documentation. 3. Features & Requirements F1: Investor Authentication REQ1.1: Allow users to sign up using Email/Password. REQ1.2: Implement email verification (OTP/link). REQ1.3: Allow users to sign up/log in using Google (OAuth). REQ1.4: Implement secure login with password hashing (bcrypt). REQ1.5: Implement password reset functionality. REQ1.6: Maintain user sessions securely. F2: Investor Onboarding & KYC REQ2.1: Capture investor type (Individual/Entity) upon initiating investment. REQ2.2: Individual KYC: Collect Full Name, DOB, Father's Name, PAN, Address(es), Bank Account Details (Acc No, IFSC, Name, Proof), Identity Proof, Address Proof. Allow document uploads (PAN Card, Address Proof Doc, Cancelled Cheque/Statement). REQ2.3: Entity KYC: Collect Entity Name, Type, Reg No, Address, PAN, Bank Account Details, Incorporation Docs. Collect Authorized Signatory details (Name, PAN, Address Proof, Authorization). Allow relevant document uploads. REQ2.4: NRI KYC: Handle specific requirements (Passport, Visa/OCI card, NRE/NRO bank details, Overseas Address Proof, FATCA/CRS declaration). REQ2.5: Implement multi-step, user-friendly forms for KYC data collection. Provide clear guidance on required documents and formats. REQ2.6: Provide status tracking for KYC (Not Started, Pending, Verified, Rejected). REQ2.7: Admin interface for reviewing KYC submissions, viewing documents, and marking status (Approve/Reject with reason). REQ2.8: Notify users upon KYC status change (Email). REQ2.9: (Compliance Requirement) Capture Investor Accreditation status/details as per legal requirements for the specific round structure. This may involve self-declaration or document upload (CA Cert, ITRs). F3: Investment Workflow REQ3.1: Display key deal terms (Min Investment: ₹2 Lakh, Goal, Raised Amount). REQ3.2: Allow verified investors to input their desired investment amount. REQ3.3: Validate input amount against minimum (₹2 Lakh) and any maximum limits. REQ3.4: Display relevant investment documents (Term Sheet, PPM, Subscription Agreement) for review. REQ3.5: Integrate with an e-signature provider (legally valid in India, e.g., Aadhaar eSign). REQ3.6: Pre-fill Subscription Agreement with investor details and amount before sending for e-signature. REQ3.7: Track e-signature status (Sent, Viewed, Signed, Rejected). REQ3.8: Display clear payment instructions: Beneficiary Name, Account Number, IFSC, Bank Name, required reference code. (Should be an Escrow/Collection Account). REQ3.9: Allow users to confirm payment initiation and optionally upload proof/UTR. REQ3.10: Admin interface/process for reconciling payments against investments based on reference code and amount. REQ3.11: Update investment status based on signature and payment verification (e.g., Completed, Failed). REQ3.12: Notify user upon successful investment completion. F4: Basic Investor Dashboard REQ4.1: Allow logged-in, invested users to view their investment details (Amount, Status, Date). REQ4.2: Provide access to their signed Subscription Agreement. 4. Design & UX Guidelines Follow Kirana.pro branding guidelines. Ensure a clean, intuitive, and trustworthy user interface. Optimize for mobile and desktop browsers (Responsive Design). Provide clear feedback during multi-step processes (progress indicators). Use clear language, avoiding excessive jargon. Provide tooltips or help text for complex terms (e.g., IFSC, Accreditation). Ensure clear error messaging and guidance for correction. Prioritize accessibility (WCAG AA compliance). 5. Success Metrics Investor Conversion Rate (Invest Now click -> Completed Investment). KYC Approval Rate & Turnaround Time. User Drop-off Rate at each stage (Signup, KYC, E-sign, Payment). Total Funds Raised vs. Goal. User Satisfaction Score (if measured via survey). Support Ticket Volume related to the investment flow. 6. Release Criteria All features (F1-F4) implemented and tested. Successful E2E testing of the entire flow for different investor types (Individual, Entity, NRI - as applicable). Security audit passed. Compliance review completed and signed off by legal counsel. Admin panel fully functional for KYC review and payment reconciliation. All required legal documents finalized and integrated. Document 2: Web Application Process Flow This document details the step-by-step user journey and system actions. Pre-requisite: User is on the https://kirana.pro/invest page. User Action: Clicks "Invest Now". System Action: Check browser for valid authentication token. Branch: If Auth Token Valid: Proceed to Step 4. If Auth Token Invalid/Missing: Redirect to Login/Sign Up page (/auth?redirect=/invest/start). Proceed to Step 2. User Action (on /auth page): Chooses Sign Up or Login. System Action: Displays relevant form. If Login: User Action: Enters credentials (Email/Password or clicks Google). System Action: Validates credentials. On success, generates auth token, stores it, redirects to /invest/start. Proceed to Step 4. On failure, show error. If Sign Up: User Action: Enters Name, Email, Phone, Password. Agrees to T&C. Clicks "Sign Up". System Action: Validates input. Creates user record (inactive). Sends email verification link/OTP. User Action: Clicks verification link / Enters OTP. System Action: Activates user account. Logs user in (generates token). Redirects to /invest/start. Proceed to Step 3. User Action (on /invest/start or first step post-login): Selects Investor Type. System Action: Displays radio buttons/options: "Individual", "Entity". User Action: Selects an option. Clicks "Continue". System Action: Stores investor type preference. Proceeds to Step 4. System Action (on /invest/kyc-check or similar route): Check KYC Status for the logged-in user. Backend Query: SELECT kyc_status FROM KYCDetails WHERE user_id = ? Branch: If kyc_status == 'verified': Redirect to Investment Intent Page (/invest/details). Proceed to Step 6. If kyc_status == 'rejected': Display KYC rejection reason and link to restart KYC. Redirect to /invest/kyc/start. Proceed to Step 5. If kyc_status == 'pending': Display "KYC under review" message. Provide estimated timeline. Prevent further investment steps. If kyc_status == 'not_started' or no record: Redirect to /invest/kyc/start. Proceed to Step 5. User Action (on /invest/kyc/* multi-step form): Completes KYC. Screen 5.1 (Personal/Entity Info): User enters required data based on Investor Type (Individual/Entity). Clicks "Next". System validates & saves data. Screen 5.2 (Address Info): User enters address(es). Clicks "Next". System validates & saves data. Screen 5.3 (PAN/ID Proofs): User enters PAN, uploads PAN Card image. Uploads Address Proof image. System validates formats/size, saves files securely (S3), stores references. Screen 5.4 (Bank Details): User enters Account No, IFSC, Holder Name. Uploads proof. System validates, saves. (Optional Penny Drop trigger here). Screen 5.5 (Accreditation): User declares status / uploads proof based on requirements. System saves. Screen 5.6 (FATCA/CRS): User provides tax residency info. System saves. Screen 5.7 (Review & Submit): User reviews all entered info. Clicks "Submit for Verification". System Action: Updates kyc_status to pending. Sends notification to Admin. Sends confirmation email to user. Displays "KYC Submitted" message to user. User Action (on /invest/details): Enters Investment Amount. System Action: Displays deal info (Min ₹2 Lakh). Shows input field. User Action: Enters amount. System Action: Real-time validation (>= 200000). On valid input, enables "Continue". User Action: Clicks "Review & Sign". System Action: Creates Investment record with status = 'intent_created', stores amount. Redirects to /invest/documents. User Action (on /invest/documents): Reviews Documents. System Action: Displays links to view/download Term Sheet, PPM. Displays the Subscription Agreement prominently. User Action: Reviews documents. Clicks "Proceed to E-Sign". System Action: Calls Backend to initiate e-signature process. Updates Investment.status to esign_pending. Redirects user to E-sign provider / loads E-sign iframe. User Action (within E-sign Provider's Interface): Completes E-signature. System Action (E-sign Provider): Guides user through signing. Sends webhook to Kirana.pro backend on completion/rejection. System Action (Backend Webhook Listener): Receives webhook. Verifies signature. Updates Investment.status based on webhook (e.g., payment_pending if signed). Stores signed document URL. Redirects user (if applicable via E-sign config) or instructs frontend (via polling/websockets) to proceed to Payment page (/invest/payment). User Action (on /invest/payment): Views Payment Instructions. System Action: Displays Escrow/Collection Account details (Beneficiary, Acc No, IFSC) and the unique reference code (KPINVEST-<UserID>-<InvestmentID>). Instructs user to make NEFT/RTGS payment. User Action: Performs bank transfer offline. Returns to the page. Clicks "I have paid" / Optionally enters UTR and uploads proof. System Action: Updates Investment.status to payment_initiated or payment_pending_confirmation. Stores UTR/proof if provided. Sends notification to Admin/Finance for reconciliation. Displays "Payment confirmation pending" message. System Action (Backend/Admin): Reconciles Payment. Manual/Semi-Automated: Admin checks bank statement for transaction matching reference code & amount. Marks payment as verified in Admin Panel. System Action: Updates Investment.status to completed. Triggers confirmation email to investor. Updates 'Raised' amount. User Action: Visits Investor Dashboard (/dashboard/investments). System Action: Displays list of investments with status. Allows viewing details and downloading signed agreement for completed investments. Document 3: Frontend Workflow & Guidelines 1. Architecture & Technology Framework: React (or Vue.js/Angular - choose one consistently). State Management: Redux Toolkit (or Zustand/Context API for simpler cases). Use for managing global state like user authentication, KYC status, investment progress. Component-level state for forms. Routing: React Router. Styling: Styled Components / Tailwind CSS / Material UI (Choose one). Ensure consistency and responsiveness. API Communication: Axios (or Fetch API). Create dedicated API service modules/hooks for interacting with the backend. Use async/await syntax. Forms: React Hook Form (or Formik). Implement client-side validation. 2. Component Breakdown (Illustrative) <InvestFlowLayout>: Wrapper component handling overall layout, potentially including stepper/progress indicator. <AuthModule>: Contains <LoginForm>, <SignupForm>, Google Login button. Handles auth logic and redirects. <KYCStepper>: Manages the multi-step KYC form. <InvestorTypeSelector> <IndividualKYCForm> / <EntityKYCForm> (broken down further by section) <DocumentUploader>: Reusable component for file uploads (handles file type/size validation, upload progress, preview). <KYCReviewSubmit> <InvestmentDetailsForm>: Input for investment amount, displays deal terms. <DocumentViewer>: Displays links to static docs, embeds or links to agreement. <ESignIntegration>: Component to initiate e-sign flow (e.g., load iframe or redirect). Handles callbacks/status updates. <PaymentInstructions>: Displays bank details and reference code. Includes optional payment confirmation form. <InvestorDashboard>: Displays investment summary. 3. State Management Guidelines Global Store (Redux/Zustand): User object (id, name, email, kycStatus, investorType, token), active investment state (id, status, amount). Component State: Form data, UI states (loading, error, success), validation messages. API data should be fetched and potentially cached using libraries like React Query or RTK Query to simplify loading/error/caching states. 4. API Interaction Guidelines Centralize API calls in service files or custom hooks (e.g., useAuth, useKYC, useInvestment). Handle loading states gracefully (e.g., disable buttons, show spinners). Implement comprehensive error handling: Catch network errors. Handle API error responses (e.g., 4xx, 5xx). Display user-friendly error messages. Use specific messages where possible (e.g., "PAN validation failed", "Minimum investment is ₹2 Lakh"). Use authentication token (JWT) in Authorization headers for protected endpoints. Implement token refresh logic if applicable. 5. UI/UX Guidelines Responsiveness: Ensure usability across desktop, tablet, and mobile devices. Test thoroughly. Feedback: Provide immediate visual feedback for actions (button clicks, form submissions, uploads). Use toasts/snackbars for non-critical notifications (e.g., "KYC Submitted"). Progress Indication: Use steppers or progress bars for multi-step forms (KYC, Investment). Clarity: Use clear labels, instructions, and placeholder text. Define required fields clearly (*). Error Handling: Display validation errors next to relevant fields. Summarize errors at the top of the form on submission failure. Accessibility (WCAG AA): Use semantic HTML. Ensure keyboard navigability. Provide text alternatives for images (alt attributes). Use ARIA attributes where necessary (e.g., for custom components, live regions). Ensure sufficient color contrast. Test with screen readers. 6. Testing Unit Tests (Jest/React Testing Library): Test individual components and utility functions. Mock API calls and dependencies. Integration Tests (React Testing Library): Test interaction between components within a feature (e.g., form submission flow). End-to-End Tests (Cypress/Playwright): Simulate user journeys across the entire flow. Document 4: Backend Workflow & Guidelines 1. Architecture & Technology Framework: Node.js w/ Express (or Python w/ Django/Flask, Java w/ Spring Boot - Choose one). API Design: RESTful principles. Use standard HTTP verbs (GET, POST, PUT, DELETE). Design clear, resource-oriented URIs (e.g., /api/users, /api/kyc, /api/investments). Database: PostgreSQL (Recommended for relational data) or MySQL. Use an ORM like Sequelize/TypeORM (Node), Django ORM (Python), or Hibernate (Java) for database interactions. Authentication: JWT (JSON Web Tokens) for stateless authentication. Asynchronous Tasks: Use a message queue (RabbitMQ, Redis Queue, AWS SQS) for tasks like sending verification emails, processing documents (if needed), and potentially notifying reconciliation systems. Object Storage: AWS S3 / Google Cloud Storage for storing uploaded documents securely. 2. API Design Guidelines Versioning: Use API versioning (e.g., /api/v1/...). Request/Response Format: Use JSON for request bodies and responses. Status Codes: Use appropriate HTTP status codes (200 OK, 201 Created, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 500 Internal Server Error).   Error Responses: Standardize error response format (e.g., { "error": { "code": "VALIDATION_ERROR", "message": "Email is required.", "details": [...] } }). Middleware: Use middleware extensively for: Authentication checks. Input validation (using libraries like Joi, express-validator). Request logging. Error handling. Rate Limiting: Implement rate limiting on sensitive endpoints (login, OTP generation). 3. Business Logic Implementation Modularity: Structure code into logical modules (e.g., auth, users, kyc, investments, notifications, admin). Use a Service Layer pattern to encapsulate business logic, keeping controllers thin. Authentication: Hash passwords securely using bcrypt (configurable salt rounds). Generate secure JWTs with appropriate expiry. Include necessary claims (userId, role). Implement secure password reset flow (time-limited tokens). Validate OAuth tokens from providers (Google). KYC Logic: Implement state machine logic for KYC status transitions (not_started -> pending -> verified/rejected). Securely generate pre-signed URLs for document uploads directly to S3/GCS from the client, or handle uploads via the backend (ensure proper streaming and resource management). Store document references (URLs/keys) in the database, not the files themselves. Integrate with KYC verification APIs (See Section 6). Handle API responses and update status. Implement logic for Admin approval/rejection, including capturing rejection reasons. Investment Logic: Implement state machine for investment status transitions. Ensure valid transitions (e.g., cannot move to payment_pending before esign_complete). Validate investment amount against round rules (min/max). Generate unique reference codes for payments. Integrate with e-signature provider API (initiate signing, handle webhooks). Store signed document securely. Implement payment reconciliation logic (manual flag update via Admin API, or automated via banking API/webhook). Database: Define clear schemas with appropriate data types, constraints (NOT NULL, UNIQUE), and indexes (on foreign keys, frequently queried columns). Use transactions for operations involving multiple table updates (e.g., creating investment record, updating status). Asynchronous Tasks: Offload email/SMS sending to a background queue worker. If KYC verification involves slow third-party APIs, consider processing them asynchronously. 4. Security (See also Document 5) Implement all security guidelines mentioned in Document 5. Perform authorization checks at the beginning of every protected API handler (ensure user can access/modify the requested resource). Sanitize all external input to prevent injection attacks (SQLi, XSS). Use ORM features for SQLi prevention. Protect against CSRF if using cookie-based sessions (though JWT in headers is generally preferred for SPAs). 5. Logging & Monitoring Implement structured logging (e.g., JSON format). Log key events, errors, and API requests/responses (excluding sensitive data). Use logging levels appropriately (INFO, WARN, ERROR). Integrate with monitoring tools (e.g., Datadog, New Relic, Prometheus/Grafana) to track application performance, error rates, and resource usage. 6. Testing Unit Tests (Jest, Pytest, JUnit): Test individual functions, services, and controllers in isolation. Mock dependencies (database, external APIs). Aim for high code coverage. Integration Tests: Test interactions between different modules (e.g., API endpoint -> service -> database). Use an in-memory database or a dedicated test database. API Tests (Postman/Newman, Supertest): Test API endpoints directly for contracts (request/response format, status codes). Document 5: Security Guidelines 1. OWASP Top 10 Mitigation A01: Broken Access Control: Enforce authentication on all private endpoints. Implement robust authorization checks based on user roles and ownership (e.g., user can only access their own KYC data, admin roles for verification). Deny by default. Validate JWT signature and claims on every request to protected endpoints. A02: Cryptographic Failures: Enforce HTTPS (TLS 1.2+) everywhere. Configure HSTS header. Hash passwords using bcrypt with a sufficient work factor. Do not store passwords in plaintext. Encrypt sensitive data at rest (e.g., API keys for third parties, potentially certain PII fields if required by policy) using strong algorithms (AES-256). Do not log sensitive data (passwords, full KYC details, API keys, tokens). A03: Injection: Use parameterized queries or ORMs to prevent SQL Injection. Validate and sanitize all user input (request bodies, query params, headers) to prevent OS command injection, NoSQL injection, etc. Encode output appropriately to prevent Cross-Site Scripting (XSS). Rely on frontend framework's built-in XSS protection but validate on backend too. Set Content-Security-Policy header. A04: Insecure Design: (Covered by overall secure development lifecycle) A05: Security Misconfiguration: Harden server configurations (disable directory listing, remove default accounts/passwords, update regularly). Configure security headers (CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy). Restrict CORS policies to known frontend origins. Keep frameworks and libraries up-to-date. Remove unused dependencies. Configure cloud storage (S3/GCS) buckets securely (private by default, use pre-signed URLs for limited access). A06: Vulnerable and Outdated Components: Use dependency scanning tools (npm audit, Snyk, OWASP Dependency-Check) regularly and patch vulnerabilities promptly. A07: Identification and Authentication Failures: Implement secure password policies (length, complexity - though NIST guidelines are evolving). Implement rate limiting and account lockout mechanisms against brute-force attacks. Use secure session management (JWT with short expiry, HTTPS only). Invalidate tokens on logout/password change. Implement multi-factor authentication (MFA) if required, especially for admin access. A08: Software and Data Integrity Failures: Verify integrity of software updates and dependencies. Protect against CSRF if using cookie-based sessions (e.g., use anti-CSRF tokens). JWT in headers generally mitigates this for SPAs. Ensure integrity of data during transit (HTTPS) and at rest (checksums if needed). A09: Security Logging and Monitoring Failures: Implement comprehensive logging of security-relevant events (logins, failures, access control decisions, admin actions). Ensure logs are protected from tampering and accessible for monitoring/auditing. Set up alerts for critical security events. A10: Server-Side Request Forgery (SSRF): If fetching resources based on user-provided URLs (e.g., webhooks), validate URLs against an allow-list or ensure they resolve to expected internal/external services. 2. Data Privacy & Compliance (India) Comply with the Digital Personal Data Protection Act (DPDPA) 2023: Obtain clear consent, process data only for specified purposes, implement security safeguards, handle data breach reporting. Adhere to SEBI guidelines regarding investor data collection, retention, and reporting for the specific type of offering. Follow RBI guidelines if dealing with payments or regulated entities. Use Aadhaar information only as legally permitted (e.g., for e-signature if using Aadhaar eSign via a licensed provider). Do not store Aadhaar numbers unless explicitly required and permitted by law for the specific purpose. 3. Secure Development Practices Principle of Least Privilege: Users and processes should only have the permissions necessary to perform their tasks. Input Validation: Validate data type, length, format, and range for all external input. Output Encoding: Encode data correctly for the context (HTML, JS, SQL). Secure Error Handling: Do not reveal sensitive information (stack traces, internal paths) in error messages to users. Secrets Management: Store API keys, database credentials, JWT secrets securely (e.g., environment variables, dedicated secrets manager like AWS Secrets Manager, HashiCorp Vault). Do not commit secrets to code repositories. Code Reviews: Conduct security-focused code reviews. Regular Security Testing: Perform vulnerability scanning and penetration testing. Document 6: 3rd Party Integrations 1. KYC Verification Services (India) Vendors: IDfy, Karza Technologies, Signzy, HyperVerge, AuthBridge. Services: PAN Verification (via NSDL API) Bank Account Verification (Penny Drop) Aadhaar Verification (Offline XML, eKYC - requires specific licenses/permissions) Voter ID / Driving License / Passport Verification (OCR + verification against databases) AML Checks (screening against sanction lists) Integration Points: Backend API calls to submit KYC data (PAN number, Account details, etc.). Receive verification results (Success/Failure, Verified Name/Details) via API response or webhook. Selection Criteria: Accuracy, speed, coverage, API reliability, pricing, compliance with Indian regulations (data localization, privacy). Data Exchange: Send necessary identifiers (PAN, Account No). Receive verification status and potentially verified data points. Ensure secure API communication (HTTPS, API Keys/Tokens). 2. E-Signature Services (India) Vendors: DigiO, Leegality, eMudhra, SignDesk. Services: Aadhaar eSign (requires OTP verification linked to Aadhaar), Document Signing Workflow (sending, tracking, completion), Signed Document retrieval. Integration Points: Backend API call to initiate signing request (upload document/template ID, specify signer details - email/phone, redirect URL). Embed signing interface (iframe) or redirect user to provider's page. Webhook receiver on backend to get status updates (Sent, Viewed, Signed, Rejected). API call to download the signed document. Selection Criteria: Legal validity in India (CCA certified), ease of integration, user experience, reliability, pricing, audit trails. Data Exchange: Send document to be signed, signer details. Receive status updates and signed document (PDF). 3. Payment Reconciliation Option A: Manual / Semi-Automated: Process: Display bank details. User pays via NEFT/RTGS. Finance team manually checks bank statement using provided reference code. Admin marks payment as verified via Admin Panel API call. Pros: Simple to implement initially. Cons: Slow, error-prone, labor-intensive, doesn't scale well. Option B: Banking APIs / Payment Service Providers (PSPs): Vendors: RazorpayX (Payouts/Smart Collect), Cashfree (Payouts/Virtual Accounts), Bank APIs (if available). Services: Virtual Accounts (unique account number per investor/investment for auto-reconciliation), API access to check balances/transactions, Webhooks for incoming payments. Integration Points: API call to create a Virtual Account for an investment. Display these details to the user. Webhook receiver on backend to get notified of incoming payments to virtual accounts. Backend logic to match webhook data (amount, virtual account ID) to investment record and update status. Selection Criteria: Reconciliation accuracy, ease of integration, webhook reliability, reporting features, transaction fees, settlement times. Data Exchange: Send investment details to create virtual account. Receive payment notifications via webhook. 4. Email/SMS Notifications Vendors: SendGrid, AWS SES, Twilio (for SMS), MSG91 (India). Services: Transactional Email/SMS delivery. Integration Points: Backend API calls to send emails/SMS for verification, status updates, confirmations. Use templates. Selection Criteria: Deliverability rates, reliability, API ease of use, pricing, analytics. Data Exchange: Send recipient address/number and message content. 5. Cloud Object Storage Vendors: AWS S3, Google Cloud Storage (GCS), Azure Blob Storage. Services: Secure, scalable storage for user-uploaded documents (KYC proofs, signed agreements). Integration Points: Backend generates pre-signed URLs for client-side uploads (recommended for security and performance). Backend stores object keys/URLs in database. Backend generates pre-signed URLs for downloading documents securely. Selection Criteria: Durability, availability, security features (encryption, access controls), pricing, integration with hosting platform. General Integration Guidelines: Error Handling: Implement robust error handling and retry mechanisms for API calls to third parties. Secrets Management: Securely store API keys/credentials. Rate Limiting: Be aware of and respect API rate limits imposed by third-party providers. Data Privacy: Ensure data shared with third parties complies with your privacy policy and relevant regulations (DPDPA). Sign Data Processing Agreements (DPAs) where necessary. Monitoring: Monitor the performance and availability of third-party integrations.