Data Protection and Security

Access to information assets shall be granted based on the principle of least privilege, ensuring that users have access only to the resources necessary to perform their duties.

User access rights shall be reviewed periodically and adjusted based on the principle of need-to-know.

User access credentials, including passwords, shall be protected and stored securely.

Strong authentication mechanisms, such as two-factor authentication, shall be used for accessing sensitive systems and data.

User access requests shall be approved by authorized personnel based on documented authorization procedures.

The Company shall comply with reasonable security measures at minimum those mandated under data protection laws viz., Information Technology Act and Sensitive Data Information Rule to protect the privacy of personal and sensitive information.

Data subjects shall be informed about their personal data's purpose, collection, use, and retention.

Regular data backups shall be performed to ensure the availability and recoverability of critical systems and data.

Backup media shall be stored securely, both onsite and offsite, to prevent unauthorized access or damage.

The Company shall establish data retention policies to ensure that data is retained for the required period based on legal, regulatory, and business requirements.

No longer required data shall be securely disposed of using approved methods.

Employees and contractors shall promptly report any suspected or confirmed security incidents to the designated incident response team.

Incident reporting channels and procedures shall be communicated to all personnel.

The Company shall maintain an incident response plan to address security incidents promptly and effectively.

The incident response plan shall include procedures for containment, eradication, recovery, and post-incident analysis.

Access to the Company's premises, data centers, and sensitive areas shall be restricted and controlled through physical access control measures, such as locks, access cards, and surveillance systems.

Visitors shall be escorted and supervised while on the Company's premises.

Company-owned equipment, including computers, laptops, and mobile devices, shall be protected against theft, loss, and unauthorized access by internal security measures such as stringent security in the Company’s premises, including 24-hour surveillance, access control, etc.

Portable storage media, such as USB drives, shall be encrypted to protect the data stored on them.

The Company shall provide security awareness and training programs to all personnel to promote a culture of security.

Employees shall be trained on security policies, procedures, and best practices to mitigate risks and protect information assets.

The Company shall regularly monitor, assess, and audit its security controls to ensure compliance with this security policy, applicable laws, regulations, and contractual obligations.

Non-compliance or security breaches shall be addressed promptly, and appropriate corrective actions shall be taken.