Our Commitment to Data Privacy & Security
We understand that our customers trust us with their information, so Information Security & Data Privacy has always been fundamental to our business. We are committed to safeguarding the personal and other confidential data pertaining to our business, clients and third parties, and aim to protect it from any potential internal or external security threats or cyber-attacks.
Our various technology products and tech-based client services are supported by a well-defined and effective Information Security and Data Privacy Management System framework that enables defense in depth. The framework encompasses policies, sub-policies, procedures, and organization-wide controls designed to ensure that data is collected, processed, and shared lawfully while preserving privacy, confidentiality, integrity, and availability.
We are an ISO/IEC 27001:2013 certified organization. Through this certification to the ISO/IEC 27001:2013 standard, we demonstrate:
Our Data Privacy Framework is aligned with applicable compliance requirements such as the IT Act 2000 and the EU GDPR (as a processor), and addresses the requirements of most privacy laws across the globe.
It is led by our Chief Information Security & Data Privacy Officer in cooperation with representatives from various functions at ARS, including IT and Legal. Our privacy framework is well integrated with our ISMS; key privacy controls are described below along with our Data Security controls.
Whether you are an employee, a client, engaged with our client or us for any business purpose, we
Our mission is to protect confidential data (personal and non-personal) and information assets from unauthorized access, use, disclosure, modification, or destruction.
These security measures are also designed to facilitate compliance with data protection requirements, privacy by design and by default, and applicable regulatory and contractual requirements.
Data and information assets are classified as per their sensitivity.
Risk assessments are performed, and mitigation strategies and risk treatments are planned and implemented accordingly.
Systems & Network Security controls are applied, such as System Hardening, Patch Management, VPN Connectivity, Firewalls, Intrusion Detection and Prevention Systems, End Point Protection, Anti-virus, Data Leak Prevention, VAPT of systems, servers, applications and networking devices, and Log Management.
Communication Security controls are applied, such as Encryption (data at rest and in transit, SSL/TLS, SSH, message digests).
Application Security practices include a secure SDLC process, security scanning and IP-based restrictions. Other data security and access management practices follow the controls described in this section.
Access Management controls include role-based access control, password protection, multi-factor authentication and the principle of least privilege. Personal data is masked wherever it is not needed. Periodic and need-based access reviews and reconciliation are performed.
Log Management: logs are stored in a secure location. All access to the applications is logged in a secure platform and/or an application-specific database, down to the activity level.
Human Resource Security
Personnel Security practices include controls such as background checks of employees/staff, signing of Non-disclosure and Privacy agreements, a Code of Conduct, an Acceptable Use Policy and a formal Induction program that briefs staff on important policies and processes. Roles, responsibilities, and authorities are defined, and segregation of duties is addressed.
There are multiple controls to safeguard facilities, equipment and resources from any unauthorized access, damage, or harm (such as fire, theft, visitors etc.). These include 24/7 perimeter security with power backup, CCTV, security guards, biometric & access cards, lockers to keep documents, shredding bins, visitor management, material in & out management, fire detection, fire mitigation, fire fighters, drills, an Emergency Response team and preventive maintenance of equipment.
A Change Management policy and procedure are followed for all changes, including process, system, application, configuration and infrastructure changes.
Third Party Controls include vendor due diligence, risk assessment, and signing of an NDA, DPA, Contract, Code of Conduct and SOW. Further controls include information security and privacy awareness, ongoing performance monitoring, annual audits and adequacy controls for any cross-border data transfer.
A Data Inventory, data flow diagrams and records of processing are maintained. AuthBridge retains each category of data for the time period defined in AuthBridge's Data Retention Policy. Customer data is retained for the retention period agreed in the customer contract. Data is destroyed using the appropriate technique to ensure its adequate and secure destruction.
Business Continuity Management is ensured through a highly resilient and redundant architecture and regular, systematic on-site & off-site backups of all business-critical applications and servers at defined frequencies. Processes are designed to minimize dependency on individuals; critical roles are identified, and backup personnel are assigned. Periodic testing of business continuity & disaster recovery plans is conducted, and continual improvement actions are taken.
ARS takes a proactive approach to safeguarding and protecting personal data. We apply Privacy by Design principles when creating any application/software and throughout the product, project management and services development life cycles, from classifying data at its point of collection through properly destroying that data at the end of its life cycle. The foundational Privacy by Design concepts applied to our projects and products include, but are not limited to, data flow maps, minimization, risk assessment, purpose specification, limitation and use, retention, security and access control.
Employees play a pivotal role in the success of security & privacy controls. Keeping them aware of threats to data privacy and information security is an ongoing and dynamic process at AuthBridge. We have an information security and privacy awareness policy: trainings are imparted at the time of joining, at regular intervals for all employees, and on a need basis. Other trainings, such as GDPR awareness, Business Continuity & Disaster Recovery Management, Incident Management, Change Management and fire-fighting, are imparted to the respective stakeholders at regular intervals.
Though AuthBridge has the best possible controls to protect the privacy of your Personal Data from any security incident, to respond to any such incident/breach we have an Incident Management Policy and an aligned procedure implemented. It is a well-thought-out, step-by-step approach consisting of preparation, detection & reporting, analysis, containment, eradication, recovery, and lessons learnt.
No system can be improved unless it is monitored. There is ongoing monitoring of security controls to validate their effectiveness, and monitoring of events so that we can respond quickly. Monitoring controls include log review of systems, servers, networking devices and applications, and analysis of Internet traffic and the network for any anomaly or suspicious behavior.
Dashboards track the different schedules, such as back-ups, patch updates, VAPT and changes. There are regular internal audits and frequent external security audits for security & privacy. Based on the findings from this monitoring, these audits and tests, and periodic risk assessments, corrective action plans are prepared and actions are taken.