Data Storage Policy
BASIC Home Loan recognizes the critical importance of data storage in ensuring the security, integrity, and availability of its information assets. This Data Storage Policy outlines the guidelines and procedures for the secure storage, retention, and disposal of data throughout its lifecycle.
1.1 Data Classification
- All data shall be classified based on its sensitivity, criticality, and regulatory requirements.
- Data classification levels include: Confidential, Restricted, Internal, and Public.
- The classification level determines the appropriate level of security controls and access restrictions applied to the data.
1.2 Data Storage Locations
- BASIC Home Loan stores all of its data on AWS cloud servers located in India.
1.3 Data Encryption
- Confidential and Restricted data shall be encrypted at rest and in transit using industry-standard encryption algorithms.
- Encryption keys shall be securely managed and stored separately from the encrypted data.
- Encryption shall be applied to data stored on servers, databases, backup media, and portable devices.
1.4 KYC Data
- Collected as required by law and only to the extent necessary for processing loans.
- Processed following stringent security measures to ensure data protection.
- Securely purged from our systems once processing is complete, following the defined data retention schedule, which includes:
  - Verification that processing is complete.
  - Secure deletion using industry-standard data erasure techniques.
  - Documentation of the data deletion for compliance and auditing purposes.
1.5 Access Control
BASIC Home Loan employs a robust two-fold approach to manage security permissions and access controls across its applications, ensuring data protection at both the API and UI levels:
- Data Visibility Access Control:
  - Data visibility access controls govern the level of data that users can access based on their roles and responsibilities.
  - Access to sensitive data is restricted to authorized personnel only, following the principle of least privilege.
  - Data classification levels (Confidential, Restricted, Internal, and Public) determine the granularity of access controls applied to each data set.
  - Role-based access control (RBAC) is implemented to ensure that users can only view and interact with data relevant to their job functions.
  - Regular reviews and audits of data visibility access controls are conducted to maintain the integrity and confidentiality of stored data.
- User Operations Controls:
  - User operations controls govern the actions a user can perform on the data they have access to, based on their assigned permissions.
  - Granular permissions are defined for each user role, specifying allowed operations such as view, create, update, or delete.
  - Segregation of duties is enforced to prevent unauthorized modifications and maintain the integrity of data.
  - Privileged operations, such as bulk data exports or system configuration changes, require additional approvals and are closely monitored.
  - Access logs and audit trails are maintained to track user activities and detect any suspicious or unauthorized operations.
  - Multi-factor authentication is implemented for critical operations to provide an additional layer of security.
1.6 Data Backup and Retention
- Regular data backups shall be performed to ensure the recoverability of data in case of incidents or disasters.
- Backup frequency and retention periods shall be determined based on the criticality of the data and regulatory requirements.
- Backups shall be stored in secure, geographically dispersed locations to mitigate the risk of data loss.
1.7 Data Disposal
- Data that has reached the end of its retention period or is no longer required shall be securely disposed of.
- Disposal methods, such as secure deletion, overwriting, or physical destruction, shall be used based on the sensitivity of the data.
- A record of data disposal activities shall be maintained for audit and compliance purposes.
1.8 Third-Party Data Storage
- When using AWS servers or any other service provider's servers for data storage, due diligence shall be conducted to ensure that the provider's security practices align with BASIC Home Loan's requirements.
- Contractual agreements with AWS or any other third parties shall include provisions for data confidentiality, security, and audit rights.
- Regular monitoring and audits shall be conducted to ensure that AWS and/or other third parties adhere to the agreed-upon security standards.
1.9 Incident Notification
BASIC Home Loan employees, agents, and consultants shall promptly report any data breaches, security incidents, or unauthorized access to BASIC Home Loan's data.
1.10 Vendor Management
BASIC Home Loan recognizes the importance of ensuring that its vendors and third-party service providers adhere to stringent data storage and security standards. To mitigate risks associated with vendor access to sensitive data, the following vendor management practices shall be implemented:
- Due Diligence: Prior to engaging with a vendor, a thorough due diligence process shall be conducted to assess their data storage practices, security controls, and compliance with relevant regulations and industry standards.
- Contractual Agreements: Contractual agreements with vendors shall include clear provisions regarding data storage, confidentiality, security responsibilities, and audit rights. The agreements shall specify the vendor's obligations to protect BASIC Home Loan's data and the consequences of any breaches or non-compliance.
- Access Control: Vendor access to BASIC Home Loan's data shall be restricted based on the principle of least privilege. Vendor personnel shall only be granted access to the specific data required to perform their contracted services. Access rights shall be regularly reviewed and revoked upon contract termination.
- Security Requirements: Vendors shall be required to implement and maintain robust security controls, including encryption, access controls, and monitoring, to protect BASIC Home Loan's data stored within their systems.
- Data Localization: Vendors shall be required to store and process BASIC Home Loan's data within the specified geographic boundaries, in compliance with applicable data localization regulations.
- Monitoring and Audits: BASIC Home Loan shall conduct regular monitoring and audits of its vendors' data storage practices to ensure ongoing compliance with the agreed-upon security standards. Vendors shall cooperate with these audits and promptly address any identified vulnerabilities or non-conformances.
- Incident Notification: Vendors shall be contractually obligated to notify BASIC Home Loan promptly in the event of any data breaches, security incidents, or unauthorized access to BASIC Home Loan's data.
- Termination and Data Retrieval: Upon termination of the vendor contract, BASIC Home Loan shall ensure that all its data is securely retrieved from the vendor's systems and any remaining copies are securely destroyed. The vendor shall provide written confirmation of data deletion.
1.11 Compliance and Audit
- Data storage practices shall comply with relevant laws, regulations, and industry standards, such as the Personal Data Protection Bill and RBI guidelines.
- Regular internal and external audits shall be conducted to assess the effectiveness of data storage controls and identify areas for improvement.
- Audit findings and recommendations shall be addressed in a timely manner to maintain the security and integrity of stored data.
2.0 Employee Training and Awareness
- BASIC Home Loan plans to provide all employees with regular training on data storage policies, procedures, and best practices.
- Awareness programs shall be conducted to educate employees about their responsibilities in handling and protecting stored data.
By adhering to this Data Storage Policy, BASIC Home Loan aims to safeguard its valuable data assets, maintain the trust of its customers and stakeholders, and ensure compliance with legal and regulatory requirements.