Data Security Policy

1. Introduction and Purpose

This Information Security Policy and Data Security Policy (“Policy”) has been formulated by Vriyox in compliance with Rule 8 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, under the Information Technology Act, 2000.

This Policy outlines the security practices, procedures, and controls implemented by Vriyox to protect all information assets, including Personal Information, Sensitive Personal Data or Information (SPDI), business data, intellectual property, and technical infrastructure.

Scope

This Policy applies to:

  • All employees, contractors, consultants, and third-party service providers of Vriyox
  • All information systems, networks, devices, and data repositories owned or operated by Vriyox
  • All Personal Information and SPDI collected, processed, stored, or transmitted by Vriyox
  • All physical and digital assets of the organization

Objectives

The primary objectives of this Policy are to:

  • Ensure confidentiality, integrity, and availability of information assets
  • Protect Personal Information and SPDI from unauthorized access, disclosure, alteration, or destruction
  • Comply with applicable laws including IT Act 2000, IT Rules 2011, and other regulatory requirements
  • Establish accountability and responsibility for information security
  • Minimize security risks and prevent security incidents
  • Ensure business continuity and disaster recovery capabilities

2. Legal and Regulatory Compliance

Vriyox is committed to complying with all applicable information security laws and regulations in India, including but not limited to:

  • Information Technology Act, 2000
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
  • Indian Contract Act, 1872
  • Copyright Act, 1957
  • Any other applicable sectoral regulations

This Policy shall be reviewed and updated periodically to ensure continued compliance with evolving legal requirements, including the Digital Personal Data Protection Act when enacted.

3. Definitions

For the purposes of this Policy:

“Sensitive Personal Data or Information (SPDI)” means personal information relating to:

  • Passwords
  • Financial information such as bank account, credit card, debit card, or other payment instrument details
  • Physical, physiological and mental health condition
  • Sexual orientation
  • Medical records and history
  • Biometric information
  • Any detail relating to the above as provided to Vriyox for providing services
  • Any information received by Vriyox for processing, stored or processed under lawful contract or otherwise

“Personal Information” means any information that relates to a natural person, which either directly or indirectly, in combination with other information available, is capable of identifying such person.

“Information Asset” means any data, information, or knowledge that has value to Vriyox, including but not limited to customer data, employee records, business plans, source code, databases, and intellectual property.

“Security Incident” means any event that could result in unauthorized access, disclosure, modification, or destruction of information assets, or disruption of business operations.

“Authorized Personnel” means employees, contractors, or third parties who have been granted access to information assets for legitimate business purposes.

4. Roles and Responsibilities

4.1 Management Responsibility

The management of Vriyox is responsible for:

  • Approving and endorsing this Information Security Policy
  • Allocating adequate resources for information security
  • Ensuring compliance with this Policy across the organization
  • Reviewing the Policy annually or when significant changes occur
  • Establishing a security-conscious organizational culture

4.2 Information Security Officer / Grievance Officer

Vriyox has designated an Information Security Officer who is responsible for:

  • Overseeing implementation and enforcement of this Policy
  • Monitoring compliance with security controls
  • Coordinating security incident response
  • Managing security awareness and training programs
  • Conducting periodic security audits and risk assessments
  • Serving as the point of contact for security-related matters
  • Reporting security status to management

Contact Details:

4.3 All Employees and Personnel

All employees, contractors, and authorized personnel are responsible for:

  • Reading, understanding, and complying with this Policy
  • Protecting information assets entrusted to them
  • Reporting security incidents or vulnerabilities immediately
  • Attending mandatory security awareness training
  • Using strong passwords and safeguarding authentication credentials
  • Not sharing access credentials with unauthorized persons
  • Following secure practices in handling customer and business data

4.4 Third-Party Service Providers

Third-party vendors and service providers who access Vriyox’s information assets must:

  • Sign Non-Disclosure Agreements (NDAs) and Data Processing Agreements
  • Comply with this Policy and applicable security requirements
  • Implement adequate security controls for data protection
  • Report security incidents promptly
  • Submit to security audits as required by Vriyox

5. Information Classification and Handling

5.1 Data Classification

All information assets shall be classified based on sensitivity and criticality:

Confidential (High Sensitivity):

  • SPDI including passwords, financial information, health records
  • Customer Personal Information
  • Business strategies, financial records, trade secrets
  • Source code, proprietary algorithms
  • Legal documents, contracts

Internal (Medium Sensitivity):

  • Internal communications and correspondence
  • Employee information (non-SPDI)
  • Operational procedures and policies
  • Project documentation

Public (Low Sensitivity):

  • Published marketing materials
  • Public website content
  • Press releases and public announcements

5.2 Handling Requirements

Confidential Data:

  • Must be encrypted during storage and transmission
  • Access restricted on need-to-know basis
  • Requires authentication and authorization
  • Cannot be shared externally without proper authorization
  • Must be securely disposed of when no longer needed

Internal Data:

  • Access limited to employees and authorized personnel
  • Should not be shared publicly
  • Basic access controls required

Public Data:

  • Can be freely shared
  • No special protection required

6. Technical Security Controls

6.1 Access Control

Vriyox implements the following access control measures:

  • User Authentication: All users must authenticate using unique credentials (username and password)
  • Strong Password Policy: Passwords must be minimum 8 characters with complexity requirements (uppercase, lowercase, numbers, special characters)
  • Multi-Factor Authentication (MFA): Enabled for accessing critical systems and SPDI
  • Role-Based Access Control (RBAC): Access rights granted based on job roles and least privilege principle
  • Access Reviews: Periodic review of user access rights and prompt revocation when no longer required
  • Account Lockout: Automatic account lockout after multiple failed login attempts
  • Session Management: Automatic session timeout for inactive users

6.2 Network Security

  • Firewalls: Network firewalls configured to restrict unauthorized access
  • Intrusion Detection/Prevention Systems (IDS/IPS): Monitoring for suspicious network activity
  • Network Segmentation: Separation of production, development, and administrative networks
  • Secure Wi-Fi: Enterprise-grade encryption (WPA3) for wireless networks
  • VPN Access: Mandatory use of VPN for remote access to internal networks
  • Regular Vulnerability Scanning: Periodic scanning and patching of network infrastructure

6.3 Data Encryption

  • Data in Transit: All sensitive data transmitted over networks is encrypted using industry-standard protocols (TLS 1.2 or higher, HTTPS, SFTP)
  • Data at Rest: SPDI and confidential data stored on servers and databases is encrypted using strong encryption algorithms (AES-256 or equivalent)
  • Encryption Key Management: Cryptographic keys are securely generated, stored, and rotated regularly
  • Email Security: Email communications containing sensitive information must be encrypted

6.4 Application Security

  • Secure Development Practices: Adherence to secure coding standards (OWASP guidelines)
  • Input Validation: Validation and sanitization of all user inputs to prevent injection attacks
  • Authentication and Authorization: Proper implementation of user authentication and access controls
  • Security Testing: Regular vulnerability assessments and penetration testing
  • Patch Management: Timely application of security patches and updates
  • API Security: Secure API design with proper authentication, rate limiting, and input validation

6.5 Endpoint Security

  • Antivirus/Anti-Malware: Installation and regular updates on all endpoints
  • Device Encryption: Full disk encryption on laptops and mobile devices
  • Device Management: Mobile Device Management (MDM) for company-issued devices
  • USB Controls: Restrictions on use of unauthorized USB devices and external media
  • Screen Lock: Mandatory screen lock after a period of inactivity
  • Software Restrictions: Only approved software can be installed

6.6 Database Security

  • Database Encryption: Encryption of databases containing SPDI
  • Access Logging: Comprehensive logging of database access and modifications
  • Parameterized Queries: Use of prepared statements to prevent SQL injection
  • Database Hardening: Removal of default accounts, unnecessary services
  • Regular Backups: Automated backups with encryption
  • Access Control: Strict database access controls based on least privilege

6.7 Cloud Security

Where cloud services are utilized:

  • Vendor Selection: Use of reputable cloud service providers with strong security certifications (ISO 27001, SOC 2)
  • Data Residency: Ensuring data storage complies with Indian data localization requirements where applicable
  • Shared Responsibility: Clear understanding of security responsibilities between Vriyox and cloud provider
  • Encryption: Data encrypted before uploading to cloud storage
  • Access Management: Strict identity and access management for cloud resources
  • Monitoring: Continuous monitoring of cloud environments for security events

7. Physical Security Controls

7.1 Facility Security

  • Access Control: Restricted access to office premises and server rooms using access cards or biometric systems
  • Visitor Management: All visitors must sign in, be escorted, and wear visitor badges
  • Surveillance: CCTV cameras installed at entry/exit points and critical areas
  • Secure Areas: Server rooms and data centers are physically secured with additional access controls
  • Environmental Controls: Fire suppression systems, temperature and humidity monitoring for data centers

7.2 Equipment Security

  • Asset Inventory: Maintaining inventory of all IT assets
  • Device Disposal: Secure disposal of devices with data sanitization or physical destruction
  • Lock Policies: Workstations must be locked when unattended
  • Clean Desk Policy: Sensitive documents must not be left unattended on desks
  • Secure Storage: Confidential documents stored in locked cabinets

8. Organizational Security Controls

8.1 Human Resource Security

Pre-Employment:

  • Background verification for employees handling sensitive data
  • Signing of confidentiality and acceptable use agreements
  • Security awareness as part of onboarding

During Employment:

  • Regular security awareness training (at least annually)
  • Clear definition of security roles and responsibilities
  • Performance reviews include security compliance assessment
  • Disciplinary process for security policy violations

Termination/Change of Role:

  • Immediate revocation of access rights
  • Return of all company assets
  • Exit interview covering security obligations
  • Reminders about confidentiality obligations post-employment

8.2 Third-Party Management

  • Due Diligence: Security assessment before engaging third parties
  • Contractual Obligations: NDAs and Data Processing Agreements with security clauses
  • Access Control: Limited access based on need-to-know
  • Monitoring: Periodic audits of third-party compliance
  • Incident Reporting: Mandatory reporting of security incidents

8.3 Security Awareness and Training

All personnel must complete:

  • Security awareness training during onboarding
  • Annual refresher training on information security
  • Role-specific training for handling SPDI
  • Phishing awareness and simulation exercises
  • Training on new security policies and procedures

Training covers:

  • Password security and authentication
  • Social engineering and phishing recognition
  • Data classification and handling
  • Incident reporting procedures
  • Acceptable use of IT resources
  • Mobile device and remote work security

9. Data Backup and Business Continuity

9.1 Backup Policy

  • Regular Backups: Automated daily backups of critical data and systems
  • Backup Encryption: All backups are encrypted
  • Offsite Storage: Backups stored at geographically separate locations
  • Backup Testing: Regular testing of backup restoration procedures
  • Retention Period: Backups retained as per data retention policy and legal requirements
  • Secure Disposal: Secure deletion of backup media when no longer required

9.2 Business Continuity and Disaster Recovery

  • Business Continuity Plan (BCP): Documented plan to ensure continuity of operations during disruptions
  • Disaster Recovery Plan (DRP): Procedures for recovering IT systems and data after incidents
  • Recovery Time Objective (RTO): Defined maximum acceptable downtime for critical systems
  • Recovery Point Objective (RPO): Defined maximum acceptable data loss
  • Regular Testing: Annual testing and updating of BCP and DRP
  • Alternative Arrangements: Identification of alternate work locations and communication methods

10. Incident Management

10.1 Security Incident Response

Incident Identification:

  • Incidents include: unauthorized access, data breaches, malware infections, lost devices, phishing attacks

Incident Response Process:

  1. Detection and Reporting: Immediate notification to Information Security Officer
  2. Assessment: Evaluation of incident severity and impact
  3. Containment: Immediate actions to limit damage and prevent spread
  4. Investigation: Root cause analysis and evidence collection
  5. Eradication: Removal of threat and closure of vulnerabilities
  6. Recovery: Restoration of normal operations
  7. Post-Incident Review: Lessons learned and policy improvements

Communication:

  • Affected users notified as per Privacy Policy and legal requirements
  • Regulatory authorities notified if required by law
  • Internal stakeholders kept informed

Documentation:

  • All incidents logged with details of nature, impact, and resolution
  • Incident reports maintained for compliance and improvement purposes

10.2 Data Breach Management

In the event of a data breach involving Personal Information or SPDI:

  • Immediate containment and investigation
  • Assessment of affected data and individuals
  • Notification to affected users within a reasonable timeframe
  • Notification to relevant authorities as required by law
  • Implementation of remedial measures
  • Offering assistance to affected individuals (credit monitoring, etc., if applicable)

11. Data Retention and Disposal

11.1 Data Retention

Vriyox retains data only for as long as necessary:

Personal Information and SPDI:

  • Retained for duration required to fulfill purposes of collection
  • Retained as required by applicable laws (minimum retention periods)
  • Customer data retained as per contractual obligations

Business Records:

  • Financial records: As per Income Tax Act and Companies Act requirements
  • Employee records: As per applicable labor laws
  • Legal documents: As per statutory requirements

System Logs:

  • Security logs retained for minimum 90 days
  • Access logs for SPDI retained for 180 days minimum

11.2 Secure Disposal

When data is no longer required:

  • Electronic Data: Secure deletion using data wiping tools (DoD 5220.22-M standard or equivalent)
  • Physical Media: Shredding or physical destruction of hard drives and media
  • Documents: Shredding of paper documents containing sensitive information
  • Disposal Logs: Maintained records of data disposal activities
  • Third-Party Disposal: Certificate of destruction obtained when using disposal services

12. Monitoring and Audit

12.1 Continuous Monitoring

  • Security Monitoring: 24/7 monitoring of security events and alerts
  • Log Management: Centralized logging of access, authentication, and security events
  • Log Retention: Security logs retained for minimum 90 days
  • Log Review: Regular review of logs for suspicious activities
  • Anomaly Detection: Automated detection of unusual patterns or behaviors

12.2 Security Audits

  • Internal Audits: Annual internal security audits to assess compliance
  • External Audits: Periodic third-party security assessments and penetration testing
  • Vulnerability Assessments: Quarterly vulnerability scans of systems and applications
  • Compliance Audits: Regular audits for regulatory compliance
  • Audit Reports: Findings documented with remediation plans and timelines

12.3 Compliance Reporting

  • Regular reporting to management on security posture
  • Metrics on incidents, vulnerabilities, and compliance status
  • Annual review of policy effectiveness
  • Tracking of remediation activities

13. Acceptable Use Policy

13.1 General Acceptable Use

IT resources provided by Vriyox must be used:

  • For legitimate business purposes only
  • In compliance with all applicable laws and regulations
  • In accordance with this Policy and other organizational policies
  • Respecting intellectual property rights

13.2 Prohibited Activities

The following activities are strictly prohibited:

  • Unauthorized access to systems or data
  • Sharing of login credentials
  • Installation of unauthorized software
  • Use of company resources for personal commercial activities
  • Accessing, storing, or distributing illegal or offensive content
  • Deliberately introducing malware or viruses
  • Circumventing security controls
  • Using company resources for cryptocurrency mining
  • Excessive personal use that impacts productivity
  • Harassment, discrimination, or offensive communication

13.3 Personal Use

Limited personal use of IT resources is permitted provided:

  • It does not interfere with work responsibilities
  • It does not violate any policies or laws
  • It does not compromise security
  • It does not consume excessive bandwidth or resources

13.4 Email and Communication

  • Company email should primarily be used for business purposes
  • Users must not send confidential information via unencrypted email
  • Users must be cautious of phishing and social engineering attempts
  • Offensive or inappropriate content is prohibited
  • Email retention policy must be followed

13.5 Internet Usage

  • Internet access is provided for business purposes
  • Access to inappropriate websites is blocked and monitored
  • Downloading unauthorized software or files is prohibited
  • Users must exercise caution when clicking links or downloading content

13.6 Mobile Devices and Remote Work

  • Company-issued mobile devices must have security controls enabled
  • Personal devices used for work must meet minimum security requirements
  • Remote access must be via secure VPN connection
  • Sensitive data must not be stored on personal devices without encryption
  • Lost or stolen devices must be reported immediately

14. Privacy and Confidentiality

14.1 Privacy Commitment

Vriyox is committed to protecting the privacy of:

  • Customers and website visitors
  • Employees and job applicants
  • Business partners and vendors

14.2 Data Protection Principles

All processing of Personal Information and SPDI follows these principles:

  • Lawfulness and Fairness: Data collected and processed lawfully with informed consent
  • Purpose Limitation: Data used only for specified, explicit, and legitimate purposes
  • Data Minimization: Only necessary data is collected
  • Accuracy: Reasonable steps taken to ensure data accuracy
  • Storage Limitation: Data retained only as long as necessary
  • Security: Appropriate technical and organizational measures implemented
  • Accountability: Vriyox is responsible and can demonstrate compliance

14.3 Confidentiality Obligations

All personnel with access to confidential information must:

  • Maintain strict confidentiality
  • Not disclose information to unauthorized parties
  • Use information only for authorized purposes
  • Sign confidentiality agreements
  • Continue confidentiality obligations after employment termination

15. Vendor and Third-Party Security

15.1 Vendor Selection

When selecting vendors who will access Vriyox data:

  • Security assessment and due diligence conducted
  • Verification of security certifications (ISO 27001, SOC 2, etc.)
  • Review of vendor’s security policies and practices
  • Assessment of data handling and protection capabilities

15.2 Contractual Requirements

All vendors must:

  • Sign Non-Disclosure Agreements (NDAs)
  • Enter into Data Processing Agreements specifying security obligations
  • Comply with Vriyox’s security requirements
  • Allow security audits by Vriyox or its representatives
  • Report security incidents within specified timeframes
  • Return or securely destroy data upon contract termination

15.3 Ongoing Monitoring

  • Regular reviews of vendor security compliance
  • Periodic security assessments and audits
  • Monitoring of vendor-related security incidents
  • Annual renewal of security attestations

16. Compliance and Enforcement

16.1 Policy Violations

Violations of this Policy may result in:

  • Verbal or written warnings
  • Suspension of access privileges
  • Disciplinary action up to and including termination of employment
  • Legal action in cases of serious violations
  • Reporting to law enforcement authorities where criminal activity is suspected

16.2 Reporting Violations

Employees who become aware of policy violations must report to:

  • Immediate supervisor or manager
  • Anonymous reporting mechanism (if available)

Vriyox prohibits retaliation against individuals who report security concerns in good faith.

16.3 Compliance Monitoring

  • Regular compliance audits and assessments
  • Review of access logs and system activities
  • Employee attestations of policy compliance
  • Investigation of reported violations
  • Tracking of remediation activities

17. Policy Review and Updates

17.1 Review Frequency

This Policy shall be reviewed:

  • Annually, or more frequently if required
  • When significant changes occur in business operations, technology, or regulations
  • After major security incidents
  • When new threats or vulnerabilities are identified

17.2 Update Process

Policy updates will:

  • Be approved by management
  • Be communicated to all employees and relevant parties
  • Include effective date of changes
  • Require re-acknowledgment by employees

17.3 Version Control

  • All versions of this Policy shall be maintained
  • Changes shall be documented with version numbers and dates
  • Previous versions archived for reference

18. Contact Information

For questions, concerns, or reporting security incidents related to this Policy:

19. Acknowledgment and Acceptance

All employees, contractors, and authorized personnel must:

  • Read and understand this Information Security Policy
  • Acknowledge acceptance of the Policy
  • Comply with all provisions of this Policy
  • Attend required security training
  • Report any questions or concerns to the Information Security Officer

By accessing Vriyox’s information systems and resources, you acknowledge that you have read, understood, and agree to comply with this Information Security Policy.

20. Annexures

Annexure A: Password Policy Guidelines

Minimum Requirements:

  • Minimum length: 8 characters
  • Must contain: uppercase letters, lowercase letters, numbers, and special characters
  • Cannot contain: username, common words, or sequential patterns
  • Password history: Last 5 passwords cannot be reused
  • Password expiry: Every 90 days for privileged accounts
  • Account lockout: After 5 failed login attempts

Best Practices:

  • Use passphrases for better memorability and security
  • Never share passwords
  • Use password managers for complex passwords
  • Different passwords for different systems
  • Never write passwords down or store in plain text
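The following is an added example, not part of Vriyox's policy or tooling, showing how the Annexure A minimum requirements (length, character classes, no username, common words or sequential patterns, and a five-password history) can be enforced at password-change time. The common-words list is a constructed sample; the history keeps only salted hashes so no plaintext is retained.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8       # Annexure A: minimum length 8 characters
HISTORY_SIZE = 5     # Annexure A: last 5 passwords cannot be reused

# Constructed sample; a real deployment would load a large breached/common password list.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}


def _has_sequence(password, run=3):
    """True if `run` consecutive characters ascend (abc, 123), descend (cba, 321)
    or repeat (aaa). Checked case-insensitively."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def check_policy(password, username):
    """Return the list of violated Annexure A rules; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("min_length")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.islower() for c in password):
        problems.append("lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c in string.punctuation for c in password):
        problems.append("special_character")
    if username and username.lower() in lowered:
        problems.append("contains_username")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("common_word")
    if _has_sequence(password):
        problems.append("sequential_pattern")
    return problems


class PasswordHistory:
    """Salted PBKDF2 hashes of the last HISTORY_SIZE passwords, newest last,
    so reuse can be detected without ever storing the passwords themselves."""

    def __init__(self):
        self._entries = []  # list of (salt, digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def was_used(self, password):
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        del self._entries[:-HISTORY_SIZE]  # keep only the most recent HISTORY_SIZE entries


def change_password(username, new_password, history):
    """Apply the full Annexure A check; record the password only if it is accepted."""
    problems = check_policy(new_password, username)
    if history.was_used(new_password):
        problems.append("reused")
    if not problems:
        history.record(new_password)
    return problems
```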

Annexure B: Incident Severity Classification

Critical (P1):

  • Data breach involving SPDI
  • Ransomware or widespread malware infection
  • Complete system outage
  • Unauthorized access to production systems
  • Response Time: Immediate (within 1 hour)

High (P2):

  • Unauthorized access attempt
  • Malware on multiple systems
  • Significant service degradation
  • Loss of confidential data
  • Response Time: Within 4 hours

Medium (P3):

  • Policy violations
  • Malware on single system
  • Minor service disruption
  • Suspicious activity detected
  • Response Time: Within 24 hours

Low (P4):

  • General security concerns
  • Minor policy violations
  • User education opportunities
  • Response Time: Within 72 hours

Annexure C: Data Classification Matrix

Data Type               | Classification | Encryption Required     | Access Control       | Examples
Customer SPDI           | Confidential   | Yes (At rest & transit) | Strict, Need-to-know | Passwords, Payment info
Customer PII            | Confidential   | Yes (In transit)        | Role-based           | Name, Email, Phone
Business Strategy       | Confidential   | Yes                     | Management only      | Business plans, Financials
Source Code             | Confidential   | Yes                     | Development team     | Proprietary code
Employee Records        | Internal       | Recommended             | HR only              | Performance reviews
Internal Communications | Internal       | No                      | Employees only       | Team emails
Marketing Materials     | Public         | No                      | Public               | Brochures, Website content