Security and Data Protection Policy of Setindiabiz.com (website) and Setindiabiz Private Limited (Company)

This document outlines the Security Policy for Setindiabiz.com and details the measures for data protection when you utilise the Services Offered by Setindiabiz Private Limited. Setindiabiz Private Limited is committed to protecting the security and confidentiality of your personal and business data. This Security Policy outlines our comprehensive approach to data security, the measures we implement to safeguard your information, and how we respond to security incidents in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian laws.

1. GOVERNANCE & ACCOUNTABILITY

  • Our security governance framework establishes clear accountability and oversight for data protection throughout our organisation. We have designated a Data Protection Officer who oversees our security program and ensures compliance with applicable laws and regulations. Our security policies and procedures are documented, regularly reviewed, and updated to address evolving threats and regulatory requirements. The management team receives regular reports on security metrics, incidents, and improvement initiatives.
  • We conduct comprehensive vendor due diligence before engaging any third-party service providers who may access or process personal data. All vendors and independent professionals are required to enter into Data Processing Agreements that include strict security obligations, confidentiality requirements, and audit rights. We maintain an inventory of all third-party processors and regularly review their security practices to ensure compliance with relevant regulations.

2. TECHNICAL & ORGANISATIONAL MEASURES

  • Our security architecture employs multiple layers of protection to safeguard your data throughout its lifecycle. Access controls form the foundation of our security framework, implementing role-based access control (RBAC) to ensure users only access data necessary for their specific functions. We enforce multi-factor authentication (MFA) for all administrative access and sensitive operations, with regular quarterly access reviews to remove unnecessary permissions and identify potential security risks.
  • Encryption protects your data both in transit and at rest. All data transmissions between your browser and our servers utilise Transport Layer Security (TLS) 1.2 or higher with strong cipher suites. Sensitive data stored in our databases and file systems is encrypted using industry-standard AES-256 encryption. Encryption keys are managed through a secure key management system that ensures the appropriate separation of duties and adheres to regular key rotation protocols.
  • Sensitive data stored in our databases (including those hosted on AWS) is encrypted using industry-standard AES-256 encryption. Files stored on our cloud file systems (Google Drive, Zoho Drive, Microsoft OneDrive) and AWS infrastructure are protected by the provider's at-rest encryption (which utilises AES-256 or equivalent standards), or are client-side encrypted where appropriate. Data managed by third-party filing software (such as KDK or SAG Infotech) is governed by the respective vendor's security and data protection policies.
  • Our network security infrastructure includes enterprise-grade firewalls with restrictive rule sets, intrusion detection and prevention systems monitoring for malicious activities, and network segmentation to isolate critical systems. We maintain centralised logging of all security events with log retention policies aligned to regulatory requirements. Security patches and updates are applied promptly following a risk-based prioritisation approach, with critical patches deployed within 48 hours of release.
  • Physical security measures protect our infrastructure from unauthorised physical access. Our servers are hosted in secure data centres featuring 24/7 security monitoring, controlled access, CCTV surveillance, and environmental controls, including fire suppression and climate management. Access to these facilities is restricted to authorised personnel only, with all visits logged and monitored.

3. DATA MINIMISATION & RETENTION

  • We practice data minimisation by collecting only the information necessary to provide our services and meet legal obligations. Data collection forms are designed to capture only essential information, with optional fields clearly marked. Our systems are configured to automatically purge unnecessary data according to defined retention schedules.
  • Retention periods are determined based on legal requirements and business needs. Financial records are retained for 8 years as mandated by the Companies Act, 2013, while tax-related documents are kept for 7 years from the end of the relevant assessment year. Once data reaches the end of its retention period, it is either permanently deleted using secure deletion methods or irreversibly anonymised for statistical analysis where permitted.

4. INCIDENT RESPONSE

  • Our incident response plan ensures rapid and effective handling of security incidents. The plan defines clear roles and responsibilities for the incident response team. We maintain 24/7 monitoring capabilities to detect potential security incidents through automated alerts and regular security reviews.
  • Upon detecting a potential incident, our response follows a structured approach, beginning with immediate containment to prevent further damage or data exposure. We conduct a thorough investigation to determine the scope, impact, and root cause of the issue. Recovery procedures restore normal operations while ensuring the threat has been eliminated. Post-incident review identifies lessons learned and improvements to prevent similar incidents.
  • For personal data breaches, we comply with the DPDP Act's notification requirements. Affected individuals are notified promptly with clear information about the nature of the breach, potential impacts, and recommended protective actions. The Data Protection Board of India receives notification within prescribed timelines, including details of the breach, affected data categories, and remediation measures taken.

5. EMPLOYEE SECURITY

  • All employees undergo security awareness training during onboarding and receive annual refresher training thereafter. Training covers data protection principles, recognising and reporting security threats, secure handling of sensitive information, password security best practices, and incident reporting procedures. Employees handling personal data receive additional role-specific training on their security responsibilities.
  • Confidentiality agreements and non-disclosure agreements are mandatory for all employees, contractors, and third parties who may access confidential information. Background verification is conducted for all employees before hiring, with enhanced screening for positions that involve access to sensitive data. We maintain a clear desk and clear screen policy to prevent unauthorised viewing of confidential information.

6. BUSINESS CONTINUITY & DISASTER RECOVERY

  • We maintain comprehensive business continuity and disaster recovery plans to ensure service availability and data protection in the event of adverse events. Critical systems and data are regularly backed up, with encrypted backups stored in geographically separate locations. Recovery objectives are defined for each critical system based on business impact analysis.
  • Our disaster recovery plan includes detailed procedures for various scenarios, including data centre outages, cyberattacks, natural disasters, and pandemic situations. We conduct annual disaster recovery drills to validate our methods. Backup restoration tests are performed quarterly to ensure data can be successfully recovered when needed.

7. THIRD-PARTY SECURITY

  • All third-party service providers undergo a security assessment before engagement. We evaluate their security certifications, data protection practices, incident response capabilities, and regulatory compliance. Contractual agreements typically include specific security requirements, audit rights, breach notification obligations, and liability provisions in the event of security failures.
  • We maintain an inventory of all third-party processors, including details of the data shared, the purpose of processing, and the security measures implemented to protect that data. Annual security reviews assess continued compliance with our requirements, and any identified deficiencies must be remediated within agreed timelines.

8. COMPLIANCE & AUDITS

  • We regularly assess our compliance with applicable laws and regulations, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and industry-specific regulations. Internal audits are conducted quarterly to verify adherence to security policies and identify opportunities for improvement.
  • Audit findings are tracked through a formal remediation process with assigned owners and target completion dates. Critical findings receive immediate attention with temporary compensating controls implemented if permanent fixes require extended timelines.

9. YOUR SECURITY RESPONSIBILITIES

  • While we implement comprehensive security measures, protecting your data is a shared responsibility. We request that you maintain strong, unique passwords for your accounts and never share them with others. Enable multi-factor authentication wherever available for enhanced account security. Keep your devices and software up to date with the latest security patches to ensure optimal protection.
  • Exercise caution with email communications, particularly those requesting sensitive information or containing unexpected attachments or links. Verify the authenticity of any unusual requests, even if they appear to come from Setindiabiz. Report any suspicious activities or potential security incidents immediately to help@setindiabiz.com.
  • When accessing our services from public or shared computers, ensure you log out completely and clear your browser cache. Avoid accessing sensitive information over unsecured public Wi-Fi networks without using a VPN. Review your account activity regularly and notify us promptly of any unauthorised transactions or changes.

10. SECURITY INCIDENT REPORTING

  • If you suspect a security incident or identify a vulnerability in our systems, please report it immediately to help@setindiabiz.com. Include the date and time of the incident, a description of what occurred, any error messages received, and steps to reproduce the issue if applicable. We acknowledge all security reports within 24 hours and provide regular updates on our investigation and remediation efforts.

11. UPDATES TO THIS POLICY

  • This Security Policy may be updated periodically to reflect changes in our security practices, technological advances, or regulatory requirements. Material changes will be communicated through our website, accompanied by an updated "Last Updated" date. We encourage you to review this policy regularly to stay informed about how we protect your information.

12. CONTACT US

  • For questions about our security practices or to report security concerns, please contact our Security Team at help@setindiabiz.com. You may also write to us at Setindiabiz Private Limited, A-34, Sector-2, Noida 201301.

Author Bio

Setindiabiz Editorial Team

Setindiabiz Editorial Team is a multidisciplinary collective of Chartered Accountants, Company Secretaries, and Advocates offering authoritative insights on India’s regulatory and business landscape. With decades of experience in compliance, taxation, and advisory, they empower entrepreneurs and enterprises to make informed decisions.
