1. Introduction
This document outlines the Data Storage and Handling Policy for Igile Technologies India Pvt Ltd, a software services company. The purpose of this policy is to establish the standards and guidelines for storing, handling, backing up, archiving, and purging customer data. It also includes guidelines for physical and environmental security to ensure data integrity, confidentiality, and availability. This policy applies to all employees, contractors, and third-party vendors involved in handling customer data.
2. Scope
This policy applies to all types of data storage, including but not limited to:
- On-premises servers
- Cloud-based storage solutions
- Local employee devices (desktops, laptops, and mobile devices)
- Backup and archival media
- Any third-party services storing customer data on behalf of Igile Technologies
3. Objectives
The objectives of this policy are:
- To protect customer data from unauthorized access, alteration, or deletion.
- To ensure data is stored securely and can be recovered in the event of a disaster or data loss.
- To comply with all applicable legal and regulatory requirements regarding data storage and handling.
- To ensure proper handling, backup, archival, and purging of data to maintain data integrity and availability.
4. Data Classification
All data at Igile Technologies will be classified according to its sensitivity and value. Data will be categorized as:
- Confidential: Sensitive customer data that requires the highest level of protection, such as personally identifiable information (PII), financial data, and health information.
- Internal Use Only: Data that is intended for use within Igile Technologies and should not be disclosed externally without proper authorization.
- Public: Data that can be freely disclosed to the public without any risk to Igile Technologies or its customers.
5. Data Storage Guidelines
- Confidential Data: Must be stored in encrypted form using industry-standard encryption algorithms (e.g., AES-256) both at rest and in transit.
- Access Control: Access to confidential and internal data should be restricted based on the principle of least privilege. Only authorized personnel with a legitimate business need should have access to the data.
- Data Masking: Where feasible, data masking should be applied to protect sensitive information, especially in non-production environments.
- Secure Storage Locations: All data storage locations, whether physical or digital, must be secured against unauthorized access and environmental threats. This includes locked server rooms, encrypted cloud storage, and secure file shares.
- Cloud Storage: For data stored in the cloud, ensure that the cloud provider complies with industry-standard security practices, certifications, and regulations, such as ISO 27001, SOC 2, and GDPR.
6. Data Backup, Storage, Archival, and Purging Policy
- Data Backup:
  - All critical data must be backed up regularly. The frequency of backups will depend on the criticality and volatility of the data.
  - Backups must be stored securely, with the same level of encryption and access controls as the original data.
  - Backups should be regularly tested to ensure data integrity and the ability to recover in case of a disaster.
- Data Archival:
  - Data that is no longer actively used but must be retained for regulatory, legal, or business purposes should be archived.
  - Archived data should be stored securely, with appropriate access controls to prevent unauthorized access.
- Data Purging:
  - Data that is no longer required for business or compliance purposes should be purged securely, ensuring that it is irretrievable.
  - The purging process should be documented and performed according to a defined schedule and methodology, following applicable legal and regulatory requirements.
7. Physical and Environmental Security Policy
- Physical Access Control:
  - All physical locations where customer data is stored must have robust access controls, including keycard entry systems, surveillance cameras, and visitor logging.
  - Only authorized personnel should have access to areas where sensitive data is stored.
- Environmental Controls:
  - Data centers and server rooms must be equipped with appropriate environmental controls, including temperature and humidity controls, fire suppression systems, and power backup systems.
  - Regular audits should be conducted to ensure that environmental controls are functioning correctly and meet the required standards.
8. Data Handling Procedures
- Data Collection: All customer data collection must be performed in accordance with applicable legal and regulatory requirements. Only the minimum necessary data should be collected to achieve the intended purpose.
- Data Transmission: All data transmissions, whether internal or external, must use secure transmission methods such as TLS/SSL or VPNs.
- Data Access: Access to customer data must be logged and monitored to detect and respond to unauthorized access attempts.
- Data Retention: Data must be retained only for as long as necessary to fulfill its intended purpose or as required by applicable laws and regulations.
9. Compliance and Monitoring
- Regular Audits: Regular audits and assessments should be conducted to ensure compliance with this policy. Any non-compliance should be addressed promptly with corrective actions.
- Monitoring and Reporting: All data storage and handling activities must be continuously monitored to detect any security incidents or policy violations. Any incidents must be reported to the IT Security Team immediately.
10. Roles and Responsibilities
- Chief Information Security Officer (CISO): Responsible for overall data storage and handling policy development, implementation, and enforcement.
- IT Security Team: Responsible for managing and securing data storage systems, conducting regular audits, and monitoring compliance.
- Department Managers: Ensure that their teams comply with the data storage and handling policy and report any non-compliance or incidents to the IT Security Team.
- Employees: All employees are responsible for adhering to this policy and protecting customer data from unauthorized access and disclosure.
11. Policy Review and Updates
This policy will be reviewed annually or whenever there are significant changes in technology, business processes, or regulatory requirements. Any changes to the policy will be communicated to all employees, contractors, and third-party vendors.
12. Violations and Disciplinary Actions
Non-compliance with this policy may result in disciplinary action, up to and including termination of employment. Igile Technologies reserves the right to take legal action against individuals who violate this policy.
13. References
- ISO/IEC 27001: Information Security Management
- GDPR: General Data Protection Regulation
- SOC 2: Service Organization Control 2
14. Acknowledgement
All employees, contractors, and third-party vendors must acknowledge that they have read, understood, and agreed to comply with this policy.