Information Security Policy

1. Objective

The objective of this Information Security Policy is to safeguard A2Z Suvidhaa’s information systems, customer data, and operational integrity, ensuring compliance with regulatory requirements (including RBI, UIDAI, and the Information Technology Act 2000), protecting sensitive data such as Aadhaar, and demonstrating a commitment to best practices in information security.

2. Scope

This policy applies to all employees, BC agents, third-party vendors, and systems handling A2Z Suvidhaa data, including customer information (e.g., Aadhaar, PAN), transaction records, and internal operational data.

3. Policy Guidelines
3.1 Access Control
  • Access to systems and data will be role-based, with credentials (e.g., usernames, passwords) assigned based on job responsibilities.
  • Passwords must be changed every 90 days and meet complexity requirements (minimum 8 characters, including uppercase letters, lowercase letters, numbers, and symbols).
  • Multi-factor authentication (MFA) must be used for all system access.
  • BC agents must use secure logins (e.g., biometric, OTP) to access the A2Z Suvidhaa app.
  • Unauthorized access attempts will be logged and reviewed by the IT team within 24 hours.
3.2 Aadhaar Data Protection (UIDAI & RBI Compliance)
  • Mask Aadhaar numbers (e.g., display only the last 4 digits: XXXX-XXXX-1234) in all records, displays, and communications, as per UIDAI guidelines.
  • Store Aadhaar numbers in encrypted format (e.g., AES-256 encryption) with access restricted to authorized personnel.
  • Aadhaar numbers must not be stored in any form outside India, in compliance with UIDAI norms.
  • Transmit Aadhaar data only via secure channels (e.g., HTTPS, SSL/TLS) with end-to-end encryption.
  • Use Aadhaar only for KYC verification (e.g., via Aadhaar OTP) and not for unauthorized purposes.
3.3 Data Transmission
  • Transmit all data (e.g., via A2Z Suvidhaa systems and applications) using secure protocols (e.g., HTTPS, SSL/TLS) with end-to-end encryption.
  • Prohibit sharing customer data with third parties unless required by law or authorized by A2Z Suvidhaa’s partners, regulators, or contractual agreements.
3.4 Incident Response
  • Security incidents (e.g., data breaches, unauthorized access) must be reported to the IT team (support@a2zsuvidhaa.com) within 2 hours.
  • The IT team will investigate, mitigate, and document all incidents, with a resolution plan communicated to affected parties within 48 hours.
  • Notify Airtel, RBI, and UIDAI (if Aadhaar-related) within 24 hours of a breach, as per regulatory requirements.
  • Inform affected customers within 48 hours, offering mitigation steps (e.g., password reset).
  • A post-incident review will be conducted to prevent recurrence, with findings reported to the Compliance Team.
3.5 Third-Party Security
  • All third-party vendors (e.g., payment gateways, logistics partners) must sign security agreements aligning with A2Z Suvidhaa’s Privacy Policy and UIDAI norms.
  • Vendors must ensure Aadhaar data is not stored outside India and is transmitted securely.
  • Vendors will be audited annually to ensure compliance with security standards.
4. Monitoring and Compliance
  • The IT team will conduct quarterly security audits to ensure adherence to this policy, including Aadhaar data protection measures.
  • BC agents must report suspected breaches (e.g., unauthorized access) immediately to the IT team.
  • Non-compliance (e.g., sharing credentials, failing to report incidents) will result in disciplinary action, up to termination.
  • Compliance with RBI guidelines (e.g., DBOD.No.BL.BC.43/2010-11), UIDAI norms, and the Information Technology Act 2000 will be ensured.
5. Records
  • Audit logs, incident reports, and risk assessments will be retained for 5 years, in line with the Privacy Policy’s data retention period.
  • All records, including those containing Aadhaar data, must be stored in encrypted format on servers located in India.
6. Communication
  • This policy will be communicated to all employees, BC agents, and vendors via the Compliance Page of the public website.
  • Training on information security practices, including Aadhaar compliance, will be provided during onboarding and annually thereafter.
  • Agents must sign an acknowledgment form confirming understanding of this policy.
7. Contact Information

For security concerns or to report incidents:

  • Primary Email: support@a2zsuvidhaa.com
  • Phone: 9251133333 (9 AM–9 PM, every day)
  • Escalation: info@a2zsuvidhaa.com | 0291-2727270

Head Office:

Excel One Stop Solution Pvt. Ltd.

32/33 Gopal Bhavan, 2nd Floor, 199 Princess Street

Distt:-Mumbai

Pin Code :400002

Maharashtra

Corporate Office:

Excel One Stop Solution Pvt. Ltd.

A 31-32, NEAR BASNI RAILWAY STATION, RAMESHWAR NAGAR

Distt:-Jodhpur

Pin Code :342005

Rajasthan

Business Enquiries:

Retailer/Distributor

Mobile No: +91 9251133333

Telephone No: 0291-2727270

Email:-info@a2zsuvidhaa.com

Email:-support@a2zsuvidhaa.com

Copyright ©2025 A2Z Suvidha. All rights reserved