Security Policy
At Mindtickle, we take data security and privacy seriously. We work continuously to meet our contractual and regulatory compliance obligations for data protection.
Mindtickle is committed to ensuring the protection of our customers’ data and has implemented detailed controls through a security policy.
Our security policy comprehensively covers all the areas of the security program and processes implemented at organizational, technical, and cloud infrastructure levels for data protection.
Information Governance
Information Security Function
The information security function is responsible for maintaining practices, changes, and commitments concerning confidentiality, integrity, availability, and privacy.
Roles and Responsibilities
The roles and responsibilities of the members of the information security organization are defined.
Data Protection Officer
The data protection officer oversees data protection strategy and ensures compliance with data protection standards.
Security and Privacy Policies
Information security and privacy policies are approved by management and cover processes and control activities required to address data protection risks.
Policy Communication
Information security and privacy policies are available on the company portal for employee reference and are reviewed annually.
Training and Awareness
Employees and contractors are required to undergo information security and privacy training upon hire and a refresher on an annual basis.

Risk Management
Risk Identification
Applicable security and privacy requirements are identified through relevant legal, regulatory, and supervisory authorities, specialist security forums, and professional associations.
Internal and External Reviews
Risks relevant to fraud, internal control, applicable laws, and customer commitment are identified through annual independent internal reviews and external risk assessments.
Risk Mitigation and Communication
Risks are reviewed, classified, and tracked to closure by implementing controls consistent with the determined risk mitigation strategy and communicated to relevant stakeholders.
Third Party Risk Management
Third-party risk and contract reviews are performed during onboarding and renewal to ensure compliance with applicable data protection requirements.
Data Processing Agreements
Data processing agreements are signed with the third parties with whom personal information is shared and include clauses for compliance with data protection laws, confidentiality and right-to-audit clauses, data retention, and access requirements.

Organizational Security
Background Check
During induction, a candidate background check is performed that includes verification of educational qualifications, prior employment records, address, and identity.
Employment Agreement
Upon joining, employees and contractors sign an employment agreement containing obligations related to confidentiality and non-disclosure of proprietary information.
Visitor Management
Office visitors record an entry in the visitor management system and are escorted by authorized employees.
CCTV Monitoring
Closed-circuit television (CCTV) cameras record physical entry points to office premises.
Access Controlled Entry
An access-card-based physical access control system is installed at entry points to office premises.
Fire Detection and Control
Cloud infrastructure facilities have smoke detectors, fire extinguishers, and suppression systems.
Temperature, Humidity, and Water
Cloud infrastructure facilities have temperature and humidity control and monitoring systems along with water detection and removal systems.
Power Backup
Cloud infrastructure facilities are power redundant and have a backup power supply.

Access Management
Access Permissions
Application owners grant or revoke access rights to individuals after evaluating job roles, responsibilities, level of access, business requirement, and access duration.
Least Privileged Access
A limited set of individuals and teams is granted the minimum required access to sensitive resources, customer data, and personal information in the production environment through group-based identity and access management permissions.
SSO and Multi-factor
Single sign-on and multi-factor authentication are mandated wherever possible.
Password Policy
Wherever possible, the password policy mandates alphanumeric passwords of at least eight characters that include at least one special character, one lowercase letter, and one uppercase letter.
Password Rotation
Users are forced to change their password at first login and are required to change the password every 90 days, wherever possible.
Access Change
Access rights are reviewed upon role change and updated to match the new job responsibilities.
Access Review
Application owners perform quarterly access reviews and take necessary corrective actions.
Access Removal
All access rights are revoked on the last working day of employees and contractors.

Endpoint Security
Malware Protection
Endpoint protection software is installed on laptops and desktops for safeguarding against viruses, malware, ransomware, web threats, blocked websites, malicious traffic, and potentially unwanted applications.
Malicious Activity Review
Malicious activities and critical events identified by the endpoint protection software trigger configured alerts, and corrective actions are taken as part of monthly reviews.
Asset Management
The asset inventory is updated whenever an asset is allocated, replaced, returned, or decommissioned, and is reviewed quarterly.
Data Wipe
A data wipe is performed on allocated assets on the last working day of employees and contractors.
Software Installations
Installation of unauthorized and malicious software is restricted on laptops and desktops.
Mobile Device Management
Laptops are managed through a mobile device management solution for performing data wipes and pushing operating system policies.
Session Timeout
Laptops are configured with an operating system session timeout of 15 minutes.

Product Development
Product Lifecycle
Product releases follow an agile software development lifecycle and go through design, development, and QA testing approvals before deploying to production.
Security By Design
Security by design is integrated into the product development lifecycle and release checklist.
Privacy By Design
Privacy by design is integrated into the product development lifecycle and release checklist.
Segregation of Duties
Separate teams manage development, testing, and deployment activities to maintain the segregation of duties.
Change Management
Product changes are pushed to the staging environment for obtaining relevant sign-offs and undergo quality assurance testing before deploying to the production environment.
Environment Separation
Development, staging, and production environments are maintained separately using a logically isolated virtual private cloud.
Use of Customer Data
Customer data is not used for testing in the development and staging environments.

AI Compliance
Customer Data Protection
Customer data is never used to train or improve AI models and does not contribute to their knowledge base.
Temporary Data Storage with AI Model
Data shared by Mindtickle with AI models is stored temporarily, only for the duration of processing the request, and is deleted once the request is completed. Data is not permanently stored with the LLM models.
AI Content Moderation
Automated abuse detection and content filtering mechanisms ensure that AI models independently identify and block inappropriate or harmful content without human review or access to user inputs or model outputs.
Secure & Private AI Interactions
All interactions with AI models are private, encrypted, and logically segregated between requests, ensuring strict customer data separation.
User Feedback
End users are provided a mechanism to give feedback on the AI-generated content.
Responsible AI Principles
The responsible AI principles document guidelines on bias, discrimination, toxicity, harmful content, hallucinations, transparency, and accountability.
AI Secure by Design
AI system security checks and responsible AI principles are integrated into the product development lifecycle.
AI Terms
AI terms signed with customers cover data ownership, usage, retention, accuracy, and responsibility while leveraging the AI system.

Cryptographic Controls
Encryption at Rest
Customer data stored in cloud infrastructure is encrypted at rest with AES-256 using AWS Server-Side Encryption (SSE).
Encryption in Transit
Data communication with servers is encrypted through HTTPS over TLS 1.2 or SFTP over SSH2 with 2048-bit RSA encryption.
Encrypted Access
Access to cloud infrastructure is secured using TLS encryption and multi-factor authentication over a virtual private network.
Encryption Keys
Encryption keys used for certificate generation are rotated annually, and previous key pairs are deleted when no longer needed.
Laptop Encryption
Laptops are encrypted using BitLocker on Windows devices and FileVault on macOS devices.
Email Encryption
Emails are signed using DKIM and authenticated using SPF and DMARC to prevent email address spoofing.

Cloud Security
Web Application Firewall
A web application firewall is configured in the production environment to prevent attacks and breaches involving data exfiltration.
Defence in Depth
Firewalls are configured at a load balancer level to restrict access and communication with external systems.
Virtual Private Cloud
Virtual private cloud and load balancers enforce the boundaries of computing clusters in the production environment.
Hardening and Baselining
The baseline configuration for cloud infrastructure is maintained according to CIS benchmarks.
Email Security
Emails are configured with protection against zero-day threats, ransomware, malware, phishing, and spam.

Product Security
Vulnerability Monitoring
A vulnerability management service is deployed to continuously find vulnerabilities in operating systems and programming language packages.
Secure Code Review
Static application security testing is performed during code deployment to find vulnerabilities in the source code.
Third Party Vulnerabilities
A software composition analysis tool is run during code deployment to find vulnerabilities in third-party and open-source software packages.
Penetration Testing
External penetration testing is performed annually for the platform, which includes web and mobile apps, network endpoints, and APIs.
Logging and Monitoring
Application and infrastructure events are logged, and services are monitored for error rate, availability, performance, response time, anomalies, and usage.
Audit Trails
Audit trail records capture the timestamp, IP address, application name, specific action taken, and request metadata.

Business Continuity
Data Backup
Application data stored in the cloud infrastructure is backed up hourly or replicated in real-time across availability zones.
Availability Zone Replication
Application processing infrastructure is replicated across availability zones.
Recovery Objectives
Business continuity plans are maintained to achieve a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour.
Disaster Recovery Testing
Disaster recovery testing is performed annually to review the business continuity and emergency response plans.

Incident Management
Third Party Breaches
Data processing agreements with third parties have clauses to report suspected or actual breaches.
Incident Reporting
Incidents affecting security and privacy are reported to the information security team.
Incident Resolution
Reported security incidents and privacy breaches are analyzed to identify the impact, and corrective and preventive steps are taken to fix the root cause.
Incident Postmortem
An incident review meeting is conducted to discuss the root cause and formalize corrective, preventive, and detective actions.
Incident Communication
Security incidents and privacy breaches are communicated to relevant stakeholders, data subjects, customers, and business partners.
Data Breach Insurance
Liability insurance is maintained for security breaches and data protection loss.

Customer Data Privacy
Legal Basis of Processing
Personal information provided by customers is processed on the legal basis of performance of a contract.
Data Processing Agreement
A data processing agreement covering the purpose is offered to customers before collecting personal information.
Type of PII Collection
Customers are informed of the type of personal information collected and the methods of collection through the privacy policy and data processing agreements.
Control over PII Collection
Customers are provided with an option to select personal information fields to be collected from their users.
Data Retention
Customer data is retained throughout the contract and kept inactive for 180 days after the contract termination date, or for the contractually agreed duration.
Data Deletion
Customer data is wiped using irreversible data deletion techniques provided by the data storage services.

Data Subject Privacy
Privacy Policy
The privacy policy provides information about contacting the privacy team or third-party dispute resolution provider with inquiries, complaints, and disputes.
Purpose Limitation
Personal information is accessed by a limited set of individuals, or provided to third parties, only for the specific purposes stated in the consent, privacy policy, and data processing agreements.
Storage Limitation
Personal information is retained only for the duration necessary to fulfill the purposes covered in the legal basis of processing.
Data Minimization
Only the minimum personal information required for the purposes listed in the privacy policy is collected.