1. Purpose
The purpose of this Information Security Policy is to safeguard the confidentiality, integrity, and availability of data, including customer information, financial records, and intellectual property, across our online and physical retail operations.
2. Scope
This policy applies to all employees, contractors, and third-party service providers of Zupper Commerce Private Limited (“Company”). It covers all forms of data storage and handling, including but not limited to digital and physical formats, and addresses information security risks across our e-commerce platform and physical retail stores.
3. Data Protection and Privacy
3.1 Customer Information: Collect only the necessary customer data and ensure its protection in compliance with applicable laws.
3.2 Encryption: Encrypt sensitive data at rest and in transit using industry-standard protocols.
3.3 Access Control: Grant data access based on the principle of least privilege and ensure strict authentication and authorization processes.
4. Network Security
4.1 Firewall Management: Deploy firewalls to monitor and control incoming and outgoing network traffic for both online and store-based systems.
4.2 Secure Wi-Fi: Use secure and encrypted Wi-Fi networks in physical stores. Guest and employee networks should be segregated.
4.3 Vulnerability Management: Regularly update software, including operating systems and applications, to fix security vulnerabilities.
5. Physical Security (For Physical Stores)
5.1 Restricted Areas: Limit access to sensitive areas like server rooms or storage rooms to authorized personnel only.
5.2 Surveillance Systems: Install and maintain security cameras at key areas, such as entrances, exits, and points of sale.
6. Online Store Security
6.1 SSL Certificates: Ensure all data transferred between the online store and customers is encrypted using SSL (Secure Sockets Layer) certificates.
6.2 Payment Security: Use compliant payment gateways for processing financial transactions securely.
6.3 Website Monitoring: Regularly scan the website for vulnerabilities and monitor for any suspicious activity or potential breaches.
7. Inventory Management
7.1 System Access: Control and monitor access to inventory management systems to prevent unauthorized data manipulation.
7.2 Data Backup: Implement regular data backups for critical inventory information and store them securely, both on-site and off-site.
8. Employee Training
8.1 Security Awareness: Conduct regular training sessions on information security best practices, including phishing awareness and password management.
8.2 Reporting Procedures: Establish clear reporting procedures for employees to report any suspected security incidents or breaches.
9. Incident Response Plan
9.1 Response Team: Designate an incident response team responsible for handling security incidents.
9.2 Investigation and Reporting: Document and investigate all incidents and notify affected parties and regulatory bodies, as required.
10. Third-Party Security
10.1 Vendor Management: Evaluate the security practices of third-party vendors and ensure they comply with our security standards.
10.2 Data Sharing Agreements: Establish data-sharing agreements that outline the expectations and responsibilities of vendors handling sensitive information.
11. Data Retention and Disposal
11.1 Data Retention: Retain data only for as long as necessary to fulfil business and legal requirements.
11.2 Secure Disposal: Implement secure methods for data disposal, including shredding physical documents and wiping digital records.
12. Monitoring and Auditing
12.1 Regular Audits: Perform periodic audits of information security practices to ensure compliance and identify potential improvements.
12.2 Log Management: Maintain logs of user activity for review and analysis in case of a security incident.
13. Compliance and Enforcement
Failure to adhere to this policy may result in disciplinary action, including termination of employment and legal proceedings if applicable.
14. Approval and Revision History
– Approved by: Mohammed Irfan Shaik, Co-Founder & CEO
– Revision Date: 01/05/2025