Data Management Policy

1. Purpose

This policy defines the various security measures taken by with respect to customers' data.

2. Scope and Applicability

This policy will apply to any and all data pertaining to any customer that is used by any of the IT systems at end.

3. Execution Responsibilities

3.1. IT team is responsible for ensuring the execution of the policy
3.2. Information Security Manager (ISM) is responsible for ensuring compliance with the policy

4. Data Management Policy

4.1 Access to Data
4.1.1. Records are protected from loss, destruction, falsification, unauthorized access, and unauthorized release in accordance with legislative, regulatory, contractual, and business requirements.
4.1.2. There is no unauthorized use by any other third party including, but not limited to, any of its group companies, subsidiaries, affiliates, or associates in violation of the provision of specific regulations followed at or other applicable laws.
4.1.3. Information is shared with employees at or agents on a “need to know basis” only while ensuring that such employees or agents with access to the said information are subjected to the obligation of confidentiality.

4.1.4. Do you have a plan for controlling access of data?

4.2 Data categorisation

4.2.1. Do you have a data categorisation plan at ?
4.3 Data backups
4.3.1. Detail information processing facilities implemented with redundancies sufficient to meet availability requirements.
4.3.2 Data backups are made frequently and stored offline/online with encryption for the prevention of data loss.

4.3.3 What is the data backup plan?

4.4 Data used for testing
Ensuring the protection of data used for testing
4.4.1. What is the procedure for protection of data used for testing?
4.5 Data usage policy
The client shall use collected data solely for limited end-use as agreed with the individual and shall not use or sell or resell or pass on information to any other person or engage itself in obtaining data other than that for the consented purpose.
4.5.1. Do you have a data usage policy?
4.6 User consent policy
User consent policy includes “Individual Consent”. Individual Consent means the prior written consent of the individual by any documented means (stored as an electronic or physical record) that is verifiable from time to time and permanent in nature.
4.6.1 What is your user consent policy?
4.7 Data storage policy
4.7.1 What is the data storage policy established at ?
4.8 Data encryption policy
Data encryption policy should include the following:
a. Methods of data encryption at rest.
b. Methods of data encryption in transit.
4.8.1 What is the data encryption policy established at ?

5. Exceptions

Exceptions shall not be universal but shall be agreed upon on a case-to-case basis, upon official request made by the information owner. These may arise, for example, because of local circumstances, conditions, or legal reasons existing at any point in time.
All exception requests shall be submitted to These shall be submitted through an email and to be approved

6. Disclaimer

reserve all rights and are the exclusive owner of all intellectual property rights over this Policy document. This document shall not, either in part or in full, be reproduced, published, copied, displayed, distributed, transferred, stored in any media (such as hard disks, USB Drives, Pen Drives, Memory Cards, CDs, DVDs), and/or captured or transmitted by any means (such as electronic, digital, mechanical, photocopying, recordings, video and film or photographs and otherwise) by any person without prior consent from the ISM. This Policy and procedure document is available with ISM and/or any other forum as decided by the management of . Anything not specifically stated in this Policy and procedure document shall not be considered as implied in any manner.
For any clarifications related to this Compliance Policy and procedure document with respect to its interpretation, applicability, and implementation, please write to the ISMS team at dpo@..com

7. Enforcement

7.1. This policy and procedure is applicable to all the employees of the company who have access to and use the information assets and IT assets as listed in the Information Asset register which has been created for
7.2. Anyone found to have violated this policy will be subject to a process that will determine if the violation is just a process non-compliance issue that requires addressing or also includes ethical violations. In the event of only the former, non-compliance could be issued by an internal auditor which would require corrective/preventive actions.
7.3. In the event of the latter, the ethical/regulatory concern process will be invoked to decide whether an ethical/security violation has occurred and to decide on appropriate disciplinary actions as per the Disciplinary procedure of
7.4. Management’s interpretation of the clauses in this procedure shall be final and binding. Management reserves the right to alter or amend any clause in this document at any time as per its discretion.