Data Protection & Info Security PolicyFeather Icon

We are committed to ensuring the confidentiality, integrity, and availability of customer, merchant, partner, and company information. This Data Protection & Information Security Policy outlines our security practices, compliance standards, and operational guidelines for protecting sensitive information.

Our practices are designed to ensure compliance, trust, and security for all stakeholders in accordance with relevant laws, regulations, and industry standards.

1. Purpose of the Policy

The purpose of this policy is to:

  • Protect customer and business information
  • Ensure compliance with data protection regulations
  • Prevent unauthorized access and data breaches
  • Maintain operational security and business continuity
  • Promote data security awareness and practices
  • Define roles and responsibilities for data protection

2. Information Security Commitment

We implement reasonable administrative, technical, and physical measures to secure data processed through our platform.

Our security commitment includes:

  • Data encryption in transit and at rest
  • Regular security assessments
  • Vulnerability management
  • Secure development lifecycle
  • Incident response planning
  • Employee training on security awareness

3. Encryption Standards

We use industry-standard encryption methods to protect sensitive information during storage and transmission.

Security measures may include:

  • AES-256 encryption for data at rest
  • SSL/TLS protocols for secure data transmission
  • Secure key management practices
  • Encryption of confidential business information
  • Secure transmission protocols for partner integrations

We regularly review and update encryption practices to align with industry standards.

4. Access Management

Access to systems, platforms, databases, and customer information is restricted to authorized personnel only.

Access management practices include:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Restricting access to sensitive data
  • Monitoring user access logs
  • Regular review of access privileges
  • Terminating access immediately upon termination of employment

Employees and authorized personnel must follow security guidelines when accessing company systems.

5. Internal Access Controls

We maintain access controls to ensure that only authorized personnel can access sensitive systems and data.

Controls include:

  • Department-wise access restrictions
  • Limited administrative privileges
  • Activity monitoring and logging
  • Confidentiality agreements for employees and contractors
  • Segregation of duties for critical operations
  • Controlled access to system logs and database backups

Unauthorized access attempts are monitored and may lead to disciplinary and legal action.

6. Data Retention

Personal and transaction data is retained only for as long as necessary to:

  • Deliver services
  • Fulfill legal and regulatory obligations
  • Resolve disputes
  • Secure business records
  • Prevent fraud and abuse

Once the retention period expires, data may be securely deleted, archived, anonymized, or destroyed in accordance with applicable laws and company standards.

7. Vendor Security

We work with third-party vendors, service providers, and partners who implement security measures to support our operations.

Vendors must meet our security standards, including:

  • Adequate security certifications
  • Data confidentiality compliance
  • Compliance with local data protection laws
  • Secure integration practices
  • Incident reporting and communication protocols

We review vendor security practices periodically to ensure alignment with security standards.

8. Secure API Handling

We implement security controls for APIs, integrations, and digital communication used in our platform and services.

API security practices include:

  • Secure authentication and authorization
  • Data encryption in transit
  • Rate limiting and request filtering
  • Regular security testing
  • Vulnerability patching
  • Monitoring API traffic

Unauthorized API usage, abuse, or malicious activity may lead to immediate access restriction or legal action.

9. Incident Reporting & Security Response

We maintain incident response procedures to identify, investigate, manage, and report potential security incidents.

Security response plans include:

  • Detection and analysis of security threats
  • Immediate containment measures
  • Investigation of affected systems
  • Reporting and notification procedures
  • Post-incident analysis and improvements
  • Coordination with regulatory authorities when required

We continuously improve our security response processes to minimize risks and operational disruptions.

10. Employee Compliance & Responsibility

Employees, contractors, and authorized personnel are expected to follow company security policies and confidentiality obligations.

Security compliance requirements include:

  • Adhering to security guidelines
  • Reporting suspicious activities
  • Maintaining strong credentials
  • Secure data handling practices
  • Cooperating with security audits

Failure to comply with company security standards may result in disciplinary action, termination of access, and legal consequences.

11. Compliance & Legal Requirements

We strive to comply with applicable data protection, cybersecurity, and technology requirement standards set by regulatory authorities.

The company may cooperate with law enforcement agencies, regulators, and authorized bodies where legally required.

12. Policy Updates

We reserve the right to update, modify, or change this Data Protection & Information Security Policy at any time. Latest versions will be published on our website with the updated effective date.

GateXpay Technologies Private Limited

412, Sumer Nagar, Mansarovar, Jaipur, Rajasthan – 302020

Email: info@gatexpay.in