CONFIDENTIAL · RFP PACKAGE · VOL. 01 · 2026 Q2

Lokta Core
RFP Package

Loan Management System for the agentic era. Capability matrix, security posture, deployment options, integration approach, architecture, and a response template — in one printable document.

FILED: 2026 · Q2
FROM: Lokta.ai · Founders' team
FOR: _____________________________
STATUS: Enterprise-ready · deployable under engagement

Executive Summary

Agentic workflows in lending generate 5–10× more tool calls per account than human-driven operations. Legacy LMS rails are not built for that load. Lokta Core is the rebuild — a polylithic LMS on Java 25 + Spring Boot 4, designed so that agents are something you enable, not bolt onto a system that wasn't designed for them.

What ships in the platform

A schema-per-tenant Postgres core with Keycloak IAM, maker-checker, cross-module structured audit, field-level PII encryption with key versioning, and a configuration-driven loan-product engine that composes currency × frequency × interest method × charges × arrears × precision × allocation. Full lifecycle from origination through servicing, arrears, restructure, write-off, and asset classification (STANDARD / SUB_STANDARD / DOUBTFUL / LOSS).

Delivered with deployment

KYC, credit bureau, payment gateway, core-banking bridge, accounting connectors, SMS / email, and the AI / agent surface. These are sequenced to your priorities at engagement time — the founder commits to a delivery window in the RFP response. Detailed timeline and partner ecosystem available under NDA.

What we want from this RFP

We are not chasing every RFP — we are looking for two or three co-design partners who want modern lending rails and are willing to shape the integration sequencing with us. If that is you, this document is the long-form answer to "what does Lokta Core actually ship, and how does it compare?"


Capability Matrix

The capabilities a lender can rely on the platform to provide today.

  • Architecture

    • Polylithic Gradle modules · single Spring Boot deployable
    • OpenAPI 3.1 spec generated from controllers
    • Header-based API versioning (api-version: 1|2)
    • Liquibase change management across every module
    • jOOQ + JPA dual access (compile-time SQL safety + ORM ergonomics)
  • Multi-tenancy

    • Schema-per-tenant Postgres isolation
    • Shared Keycloak realm mode (lower-cost tenants)
    • Dedicated Keycloak realm mode (regulated tenants)
    • Per-tenant numbering, code values, and configuration
  • Identity & governance

    • Keycloak IAM — OIDC / OAuth2 native
    • RBAC with permission groups
    • OrgUnit hierarchy with tree operations
    • Maker-checker workflow with explicit ChangeRequest lifecycle
    • Cross-module structured audit trail
    • Field-level PII encryption with key versioning
  • Loan product assembly

    • Multi-currency (ISO 4217)
    • Repayment frequency (RRULE — DAILY / WEEKLY / MONTHLY / YEARLY)
    • Interest method — FLAT, DECLINING, FLAT_TO_DECLINING
    • Charges engine with per-loan and per-product binding
    • Arrears configuration (DPD bands, grace, recovery rules)
    • Precision rules (rounding, currency display)
    • Repayment allocation strategy (excess handling)
  • Loan lifecycle

    • Lifecycle states — SUBMITTED → APPROVED → ACTIVE → CLOSED / WRITTEN_OFF
    • Disbursement (full + partial)
    • EMI schedule generation with moratorium support
    • Restructuring & moratorium configuration
    • Write-off lifecycle (FULL, PRUDENTIAL)
    • Asset classification — STANDARD / SUB_STANDARD / DOUBTFUL / LOSS, configurable DPD thresholds

UNDER NDA. Integrations and AI / agent surface delivered with deployment, sequenced to your priorities. Detailed timeline and partner ecosystem available under NDA.


Security & Compliance Posture

  • Identity — Keycloak (OIDC / OAuth2). RBAC with permission groups. OrgUnit hierarchy. Service-principal support for backend integrations.
  • Authorization — Maker-checker workflow with explicit ChangeRequest lifecycle. Field-level decryption guarded by authorization context.
  • Audit — Cross-module structured audit trail. Every mutation captured with actor, action, evidence, before / after.
  • Data isolation — Schema-per-tenant Postgres. Tenant context enforced at the connection level, not just the application layer.
  • PII protection — Field-level encryption with key versioning. Keys rotated without re-encrypting historical ciphertext.
  • Transport — TLS termination at the deployment edge. mTLS support for service-to-service where required.

Deployment Options

Same binary across all three. You choose data residency. We ship modules; you operate one Spring Boot deployable.

ON-PREM

Your data centre, your operators.

Single Spring Boot deployable on Linux + PostgreSQL. Ship through your existing change-management. Lokta provides the binary, you operate it. Suitable for regulated lenders with hard data-residency rules.

SINGLE-TENANT CLOUD

Dedicated VPC, managed by Lokta.

Single-tenant deployment in your chosen cloud + region. Lokta operates the runtime; you retain full data and audit visibility. Suitable for fast time-to-launch without giving up isolation.

VPC

Inside your cloud account.

Same binary deployed inside your VPC, with peering to your existing services. Network egress and data residency stay within your boundary. Lokta provides operational support; you own the cloud bill.

Data residency. Per-tenant deployment topology means tenants pin to a specific region. Cross-border lenders run separate deployments per residency boundary.


Integration Approach

  • API surface — in the platform

    OpenAPI 3.1 spec generated from controllers. Header-based versioning means new versions ship without breaking existing clients.

  • Eventing — in the platform

    Audit trail captures every mutation today. Broader internal event-bus and external webhook fan-out are delivered with deployment.

  • KYC, credit bureau, payment gateway — delivered with deployment

    Integration adapters are sequenced to your priorities and delivered as part of the engagement. The founder commits to a delivery window in the RFP response.

  • Core banking bridge — delivered with deployment

    Bidirectional sync to existing core banking systems is scoped per integration. Lokta Core can run as the system of record or as a satellite, depending on your topology.

  • Accounting connectors — delivered with deployment

    Internal GL is in the platform today (lokta-accounting module). External connectors to enterprise accounting systems are delivered as part of the engagement.

  • SMS / email — delivered with deployment

    Outbound notification adapters are delivered with deployment. Today, audit events and lifecycle transitions emit to the audit trail; downstream notification can be wired in alongside.


Architecture & Technology

  • Java 25 · Spring Boot 4

    Long-term stability, modern language features.

  • PostgreSQL

    Schema-per-tenant. Proven at scale.

  • Keycloak

    OIDC / OAuth2 native. Dual-mode realms — shared or dedicated.

  • Liquibase

    Declarative, reviewable schema migrations across every module.

  • jOOQ + JPA

    Compile-time SQL safety where it matters; JPA where it is natural.

  • OpenAPI 3.1

    Header versioning (api-version: 1|2). No breaking changes ever forced.

Polylithic module list

17 modules deployed as one Spring Boot binary. Each module owns its domain, schema migrations (Liquibase), and API surface (OpenAPI 3.1).

  • lokta-core
  • lokta-customer
  • lokta-party
  • lokta-tenant
  • lokta-identity-core
  • lokta-user-management
  • lokta-authorization-engine
  • lokta-maker-checker
  • lokta-loan-product
  • lokta-loan-account
  • lokta-loan-participant
  • lokta-charge
  • lokta-accounting
  • lokta-numbering
  • lokta-code-values
  • lokta-opr
  • lokta-dashboard

RFP Response Template

The structure we will use to respond to your RFP. Procurement teams can pre-fill scope and requirements against these headings.

  1. Capability response

    Map each requirement in your RFP to a row in our capability matrix. Mark in-the-platform, ready-to-ship, or out-of-scope.

  2. Reference architecture

    Lokta Core deployment topology recommended for your operating profile. Network, identity, data residency.

  3. Implementation plan

    Phased delivery — discovery, integration, pilot, scale. Owner per phase. Critical-path dependencies.

  4. Pricing

    License model and per-engagement commercials. To be filled at proposal time.

  5. Commercials

    Payment milestones, support tiers, escalation, and renewal terms.

  6. Risks

    Honest read on the dependencies and sequencing risks that touch your scope, and the mitigations we propose.


Appendix A — Lokta Core vs Apache Fineract

We helped build Apache Fineract. We respect what it is. The architectural diff for the agentic era:

CONCESSION

Fineract leads on community size, breadth of installed base, regulator familiarity in 30+ countries, accounting depth, and savings / microfinance feature surface.

| Dimension | Apache Fineract | Lokta Core |
|---|---|---|
| Architecture style | Modular monolith on JVM | Polylithic Gradle modules, single Spring Boot deployable |
| Runtime | Java 17, Spring Boot 3.x | Java 25, Spring Boot 4 |
| Multi-tenancy | Schema-per-tenant | Schema-per-tenant + dual IAM modes (shared / dedicated realm) |
| Identity | Custom RBAC | Keycloak (OIDC / OAuth2 native) + RBAC + permission groups + OrgUnit hierarchy |
| API contract | REST + generated swagger | OpenAPI 3.1 + header versioning (api-version: 1\|2) |
| Schema migrations | Mixed | Liquibase across all modules |
| Data access | MyBatis + JPA | jOOQ + JPA (compile-time SQL safety where it matters) |
| Maker-checker | Per-action config | Workflow-grade, audit-trailed |
| Audit trail | Per-table audit | Cross-module structured audit |
| PII protection | Field-level encryption | Field-level encryption + key versioning |
| Product assembly | Loan product templates | Composable: currency × frequency × interest method × charges × arrears × precision × allocation |
| Asset classification | DPD-based | Configurable DPD thresholds + explicit STANDARD / SUB_STANDARD / DOUBTFUL / LOSS lifecycle |
| Agent-ready surface | Not designed for it | Canonical model + governed APIs + identity-for-agents primitives |
| Eventing | Polling / batch | Designed-in events catalogue. Audit-trail eventing in the platform; extended event-bus + webhook fan-out available with deployment |

Appendix B — Glossary

DPD
Days Past Due — the number of days a loan has missed contractual payment.
NPA
Non-Performing Asset — a loan whose interest or principal has remained overdue beyond the regulator-defined threshold.
EMI
Equated Monthly Instalment — the fixed periodic payment that amortises principal + interest over the loan tenor.
NACH
National Automated Clearing House — India's direct-debit / credit network used for recurring loan instalments.
OIDC
OpenID Connect — the identity layer on top of OAuth 2.0 used by Keycloak and most modern IAM stacks.
OpenAPI 3.1
Industry-standard schema for describing HTTP APIs. Lokta generates it from controller annotations.
RBAC
Role-Based Access Control — permissions assigned to roles, roles assigned to users.
RRULE
Recurrence Rule (RFC 5545). Lokta uses RRULE to define repayment frequency.
Schema-per-tenant
Each tenant gets a dedicated Postgres schema. Tenant boundaries are enforced at the database level, not just the application.
VPC
Virtual Private Cloud — an isolated network segment inside a public cloud account.

Appendix C — Change Log

| Version | Date | Notes |
|---|---|---|
| Vol. 01 | 2026-Q2 | Initial RFP package — Lokta Core, enterprise-ready and deployed under engagement. |

Ready to talk?

If this matches what you are evaluating, the next step is a conversation about your stack, your timeline, and what a co-design partnership looks like.