Data Security and Data Governance.
In order to provide the key EWA service, Refyne Tech processes and stores customer data in a hosted environment secured within a Virtual Private Cloud setup on a public cloud, viz. Amazon AWS. Certain data points such as email, phone number, address, age, gender, bank account number and PAN are collected in order to comply with regulatory mandates. While some of these data points are required to validate the authenticity of users, the others are required for KYC setup as per the RBI guidelines.
Information and Data Classification
Data Strategy Overview:
Building and driving businesses using data is of the utmost necessity for every organisation. Building a data strategy around the organisation will not only help to develop an informed and mature data culture within the organisation; it will also lead to intelligent decision making and better products, and will help to serve clients and end users better. The important touch points are as follows:
Data Governance:
Ensuring the data doesn't become a Liability: Data Governance
Businesses are collecting and analysing ever-increasing amounts of data, trying to make better decisions, run their operations more efficiently and become more profitable in the days to come. There are significant hurdles around data ownership, privacy and security to overcome; ignoring them can turn data from a huge asset into a potential liability. Regulations are being introduced to tighten up how companies collect, store and use data. Proper consideration of these issues comes under the umbrella of ‘Data Governance’.
Many businesses do brilliant things using third party data, and the wealth of data providers can be beneficial to companies to an extent. However, in the case of Refyne Tech, it is very important to own any data points entrusted to us by our end users, clients and LMS/Banking partners.
Wherever possible we own the data that is crucial to Refyne's operations, revenue and critical decision making processes. This is easy enough for internal data but admittedly less straightforward for external data. This is to ensure that the correct access is in place for users as and when needed for access control, and to define the metadata/logs for the information/data collected from or transferred to third parties, end users, clients, LMS or banking partners, and internal stakeholders.
It is also to ascertain that data access is provided to responsible individuals as per the business need, and to make them aware of its fair usage for the purpose of business operation/analytics/processing only.
When we’re talking about ‘big’ data, there is great value in a ‘less is more’ approach. Sitting on vast amounts of unutilised data is not only expensive; it is also tedious to store and process/analyse it in an attempt to extract meaning without a purpose.
Addressing Privacy concerns
At Refyne Tech we always have to be mindful of these user rights and take steps according to when, how and what consent end users provide, revoke or update.
Full disclosure must also be given to the user through the Terms and Conditions, the publicly available Privacy Policy, and timely ad hoc consents obtained from users via OTP/Email/Voice Call Notification/CTA on app/pop-ups as and when required.
Refyne Tech also has to draw up SOPs to ensure that, if the user revokes any of the consents, the user's data is processed, not processed or erased accordingly.
The privacy policy of Refyne Tech is detailed here.
Practising and Implementing Good Data Governance:
Data Governance refers to the overall management and caretaking of data, covering its usability, integrity and security. Refyne Tech is cognizant of the moral and legal requirements and regulations concerning every step of our data operations and has firm policies and procedures in place to govern every step. It goes beyond data security, ownership and privacy; it extends to having policies in place to determine exactly who has access to data, and who is responsible for maintaining the quality and accuracy of that data. A big part of enforcing this relies on building an informed and correct data culture within the organisation.
From time to time these best practices need to be conveyed (KT sessions) to the stakeholders, including Tech / Product (B2B & B2C) / Sales & Operations / Implementations / Customer Experience / Client engagements / Marketing, etc., to educate/remind them about their benefits and the shortcomings if they are missed.
Last reviewed on: 27th April 2023
Data Retention and Purging Policies
Refyne Tech has detailed retention and purging policies to ensure compliance with any change in statute/law; or changes in the policies and procedures of the company; or process improvements; or to correct any errors or omissions in the manual; or potential or ongoing litigation/preservation notice; or any other reason that necessitates such deviation.
The data retention strategies are as per the Indian laws (Companies Act, 1956 / Companies Act, 2013, Depository Act, and others, including Income & Other taxes). In alignment with the SEBI (Listing Obligation and Disclosure Requirements) Regulations, 2015 and the Prevention of Money Laundering Act and rules made thereunder, read with RBI circulars in respect thereof, data shall be preserved and maintained for a period of five years from the date of the event, unless a longer duration is specified under any other Act or Rules.
FAQs
InfoSec
Does Refyne have a business continuity plan/disaster recovery plan?
Yes, Refyne has a Business Continuity Plan that is reviewed and tested annually.
Is Refyne's Security Program aligned with industry standards?
Yes. Refyne, Inc maintains a formal Security Assurance department responsible for monitoring and reporting on Refyne's compliance with various security frameworks.
Does Refyne hold any 3rd Party Compliance Attestations?
Yes. Refyne, Inc currently has ISO 27001 certification, VAPT certifications with a CERT-empanelled vendor, and other industry self-attestations that can be provided under NDA.
Does Refyne have an incident response plan?
Yes. Refyne Tech has a documented Incident Management Plan that includes identification, containment, remediation and communication throughout the lifecycle of an incident.
Does Refyne regularly undergo penetration testing by a 3rd party firm?
Yes. Refyne Tech contracts with a third party service provider to conduct annual penetration tests of our infrastructure and product. Refyne requires an NDA to be in place prior to providing the annual report.
Have you defined a policy, procedure and guidelines for end point devices (Laptops/Workstations/Mobile devices) connecting to the corporate network?
End Point Security is a top priority in the org/premises setup to prevent any untoward attacks, and the entire organisation is behind a secure restricted firewall. The devices are managed and controlled with EPS solutions to define access controls and prevent any misuse of information/data. Audits are done on a periodic and event-based schedule to ensure compliance.
How does Refyne ensure physical security is in place?
Entry and exit doors are alarmed (forced entry, propped open) and/or monitored by security guards; there are adequate processes to maintain fire equipment and environmental controls (UPS, DG, etc.); there are adequate controls enabled on surveillance systems (CCTV cameras) to monitor activities in critical work areas; and there are detailed visitor management policies. In addition, Refyne Tech ensures periodic security awareness training for the entire workforce.
How does Refyne manage Assets?
Refyne has processes in place to ensure an accurate inventory of all systems (automated/manual solutions, including hardware and software discovery). An Asset Management policy (part of ISO 27001 certification) details the asset inventory, ownership, acceptable use, information classification policies, media handling processes and clean desk policies.
How does Refyne manage Third Party risk?
Refyne Tech performs third party risk management assessments to capture cyber security risks related to any third parties/4th parties that require engagement or onboarding. However, at this point in time, Refyne is focussed on in-house development and building durable capabilities.
AppSec
Does Refyne Tech depend on any cloud providers to support customer services?
Yes. Refyne Tech is deployed on the AWS cloud, with a deployment model following the Infrastructure as a Service (IaaS) pattern.
Does Refyne encrypt my data in transit and at rest?
Yes. Refyne, Inc utilises TLS Strict, HTTPS, and Universal SSL to encrypt data in transit. Data is encrypted at rest using AWS Cloud Platform supporting AES-256.
Does Refyne perform backups?
Yes. Refyne performs backups with continuous incremental data. Backups are encrypted and tested regularly.
DataSec
Is Refyne storing customer data?
Yes, in order to provide the key EWA service, Refyne Tech processes and stores customer data in a hosted environment secured within a Virtual Private Cloud setup on a public cloud, viz. Amazon AWS. In order to process the earned salary, RTPL does require and store specific fields that include Name, Phone number, Email address, employment status and monthly salary.
What are the data attributes that Refyne stores?
Certain data points such as email, phone number, address, age, gender, bank account number, PAN, etc. are collected in order to comply with regulatory mandates.
