
Effective Date: 01 July 2025

At the Company (“we,” “our,” or “us”), we are fully committed to ensuring the confidentiality, integrity, and availability of all data processed, transmitted, or stored through our platform. This Data Security Policy outlines our approach to safeguarding sensitive client, partner, and user data through robust technical, organizational, and administrative security controls.

  1. Purpose

This policy establishes a secure framework to:

  • Prevent unauthorized access, misuse, disclosure, alteration, or destruction of data

  • Ensure compliance with Indian cybersecurity laws and global best practices

  • Define the responsibilities and expectations for all users and stakeholders accessing our systems

  • Support business continuity, disaster recovery, and information integrity

  2. Scope

This policy applies to:

  • All digital data (including personal, financial, and transactional data) collected, stored, or processed via our website, APIs, servers, mobile apps, and partner services

  • All employees, third-party vendors, contractors, and consultants who interact with our systems and data

  3. Data Security Measures

a. Data Encryption

  • In Transit: All data is transmitted using TLS 1.2 or higher encryption protocols to prevent interception during communication.

  • At Rest: Sensitive data such as PII, API keys, and banking details is encrypted using AES-256 or an equivalent industry standard.

b. Access Control

  • Role-Based Access Control (RBAC) ensures that access rights are assigned based on job roles and responsibilities

  • All internal system access is protected by Multi-Factor Authentication (MFA)

  • Session timeouts and IP whitelisting are applied where applicable

c. Regular Audits and Testing

  • Quarterly security audits are conducted to assess vulnerabilities

  • Third-party penetration testing is carried out by certified cybersecurity experts

  • Compliance checks are aligned with ISO 27001, RBI’s IT guidelines, and relevant regulations

d. Data Masking & Anonymization

  • Wherever feasible, sensitive data is masked or anonymized during non-production usage or analytics

  • Pseudonymization techniques are applied in test environments

e. Secure API Integration

  • Unique, client-specific API keys are issued

  • Strict rate limiting, token validation, and activity monitoring are in place

  • APIs are monitored for anomalies using behavior-based detection

  4. Incident Response Protocol

a. Reporting Security Incidents

  • All team members, including contractors, must report any suspected or confirmed security breach immediately

  • A dedicated Incident Response Team (IRT) monitors and handles such events

b. Response Lifecycle

  • Identification: Detection and validation of a potential incident

  • Containment: Isolating affected systems to minimize impact

  • Investigation: Root cause analysis and audit trail review

  • Remediation: Applying patches, configuration changes, or data recovery

  • Notification: Informing affected clients and relevant authorities as per legal and regulatory requirements

  5. Data Retention & Disposal

  • Data is retained only as long as legally required or necessary for business operations

  • Upon expiry, data is destroyed using secure deletion protocols such as cryptographic wipe or physical destruction for hardware

  • Retention schedules align with industry and regulatory standards

  6. Legal & Regulatory Compliance

We are committed to full compliance with:

  • The Information Technology Act, 2000 and associated data security rules

  • RBI’s Cybersecurity Framework for Payment Systems and NBFCs

  • Industry standards such as ISO/IEC 27001:2022, SOC 2 Type II (if applicable), and GDPR (for international clients)

  7. Employee and Contractor Responsibilities

  • All personnel undergo annual security training and awareness programs

  • Access to sensitive data is restricted to vetted individuals who have passed mandatory background checks

  • Contractors must sign confidentiality agreements before access is granted

  8. Third-Party Risk Management

  • We evaluate all vendors, payment partners, and third-party services for data security compliance

  • Data Processing Agreements (DPAs) and Non-Disclosure Agreements (NDAs) are executed before integration

  • Regular vendor audits are performed to assess risk posture

  9. Continuous Monitoring & Reporting

  • Our systems are monitored in real time using SIEM (Security Information and Event Management) solutions

  • All logs are securely stored and reviewed for suspicious activity

  • Monthly security posture reports are generated for internal review and compliance tracking

  10. Policy Review

This policy is:

  • Reviewed annually, or

  • Updated immediately upon changes in legal requirements, industry practices, or service offerings

The updated version will reflect a new “Effective Date” and will be available on our website.

  11. Contact Us

For inquiries, security concerns, or to report a suspected data issue, please contact:

Level 5, ITPL Main Rd, Devasandra Industrial
Bengaluru, Karnataka 560048
Email: cbdo@dotpe.co
Phone: +44 7563 009191