Back to Home

Data Protection Policy

Version 1.0 · Confidential · Mitigata Insurance Brokers Pvt. Ltd.

This document is confidential and intended for internal use only. All information contained herein is subject to applicable laws and regulations. Unauthorized reproduction, distribution, or disclosure of its contents is prohibited.

1. Purpose

This Data Protection Policy establishes a comprehensive framework for protecting personal data and sensitive information processed by Alphawave Technologies Private Limited, ensuring compliance with applicable data protection regulations and maintaining the confidentiality, integrity, and availability of data. The policy aims to:

  • Protect Personal Data — Safeguard customer, employee, and partner data against unauthorized access, loss, or misuse.
  • Ensure Compliance — Align with ISO 27001:2022, GDPR, CCPA, DPDPA, and contractual SLAs.
  • Mitigate Risks — Prevent data breaches and minimize the impact of incidents through proactive measures.
  • Maintain Trust — Foster confidence among customers, partners, and stakeholders through transparent data practices.
  • Support Accountability — Define roles, responsibilities, and procedures for data protection across the organization.

2. Scope

This policy applies to:

  • Data — All personal data (e.g., customer PII, employee records), sensitive business data (e.g., intellectual property, financial records), and operational data processed by Alphawave.
  • IT Systems — All hardware (laptops, servers), software (SaaS applications, APIs), cloud services (AWS EC2, S3, RDS), and network infrastructure.
  • Personnel — Employees, contractors, consultants, and temporary workers across DevOps, Product Development, Customer Support, QA, HR, IT, Admin and Physical Security, Infosec and Compliance, Finance, and Legal.
  • Dependencies — Third-party providers including Cloud Service Providers (e.g., AWS), API vendors, and payment processors.
  • Exclusions — Non-personal data not subject to regulatory requirements and external parties not directly processing Alphawave's data.

3. Roles and Responsibilities

  • Data Protection Officer (DPO) — Sarthak Dubey, COO. Oversees data protection, ensures compliance, manages regulatory reporting.
  • IT Security Team — Implements technical controls (encryption, access controls) and monitors data security.
  • System Administrators — Configure systems to comply with data protection requirements (encryption, backups).
  • Compliance Officer — Verifies adherence to GDPR, CCPA, DPDPA, ISO 27001:2022; conducts audits.
  • HR Manager — Manages employee data protection training and insider threat investigations.
  • Employees / Contractors — Handle data responsibly, report breaches, complete mandatory training.
  • Third-Party Vendors — Comply with data protection requirements and provide compliance reports per SLAs.

4. Data Protection Principles

  • Lawfulness, Fairness, and Transparency — Process data lawfully and transparently with clear justification (consent, contractual necessity).
  • Purpose Limitation — Collect data only for specified, legitimate purposes (SaaS platform services, customer support).
  • Data Minimization — Collect and process only the data necessary for the intended purpose.
  • Accuracy — Ensure data is accurate and updated as needed, with mechanisms for correction.
  • Storage Limitation — Retain data only for as long as necessary (e.g., 7 years for audit logs under DPDPA).
  • Integrity and Confidentiality — Protect data against unauthorized access, loss, or alteration using encryption and access controls.
  • Accountability — Document and demonstrate compliance through policies, audits, and training.

5. Data Protection Procedures

5.1 Data Collection and Processing

  • Obtain explicit consent for processing personal data via the SaaS platform or support portal.
  • Provide clear privacy notices detailing data usage and rights.
  • Classify data as Public, Internal, Confidential, or Restricted — Confidential/Restricted requires encryption and restricted access.
  • Maintain a data inventory in an AWS-based CMDB, updated monthly by System Administrators.

5.2 Data Security

  • Encrypt data at rest (AES-256) and in transit (TLS 1.2+) using AWS KMS.
  • Use client-side encryption for sensitive uploads to the SaaS platform.
  • Implement role-based access control (RBAC) and multi-factor authentication (MFA) for all systems.
  • Restrict access to Confidential/Restricted data to authorized personnel via AWS IAM roles.
  • Use AWS VPCs to segment data storage (RDS, S3) into private subnets with security groups.
  • Deploy AWS WAF to protect internet-facing applications from attacks.

5.3 Data Storage and Retention

  • Store personal data in AWS Mumbai (ap-south-1) to comply with DPDPA data residency requirements.
  • Use encrypted S3 buckets with versioning for backups, per the Disaster Recovery Policy.
  • Retain personal data only for the duration required by law or business needs (e.g., customer data for 7 years post-contract per DPDPA).
  • Delete or anonymize data after retention periods using secure deletion tools (e.g., AWS S3 lifecycle policies).

5.4 Data Sharing and Third-Party Management

  • Share data only with authorized personnel on a need-to-know basis, tracked via AWS CloudTrail.
  • Use encrypted communication channels (Slack, Signal) for sensitive data transfers.
  • Execute Data Processing Agreements (DPAs) with third-party vendors (AWS, API providers) to ensure compliance with GDPR, CCPA, DPDPA.
  • Conduct annual vendor audits to verify data protection practices.

5.5 Data Subject Rights

  • Honor data subject requests (access, correction, deletion, portability) within 30 days, per GDPR/DPDPA.
  • Provide a dedicated portal for customers to submit requests.
  • Log requests in the IT ticketing system, with responses coordinated by the Customer Support Team.
  • Verify requester identity using MFA or secure methods before processing.

6. Data Breach Response

  • Detect breaches using AWS GuardDuty, CloudWatch, and Splunk, with alerts to the IT Security Team within 15 minutes.
  • Report breaches internally via the IT ticketing system or security@alphawave.com within 1 hour, per the SIRP.
  • Follow the SIRP for containment, eradication, and recovery (isolate affected systems within 1 hour, restore from backups within 90 minutes).
  • Notify affected customers within 72 hours via email and status page, per GDPR/DPDPA.
  • Report to regulatory authorities (CERT-In, EU DPA) within 72 hours, coordinated by the DPO.
  • Conduct a post-incident review within 72 hours, documenting lessons learned in a secure AWS S3 bucket.
  • Update risk assessments and mitigation plans, per the Risk Remediation Plan.

7. Monitoring and Auditing

  • Monitor data access and processing using AWS CloudTrail, GuardDuty, and Splunk, with alerts for unauthorized activities within 15 minutes.
  • Review data handling practices monthly to ensure compliance with this policy.
  • Conduct quarterly audits of data protection practices using AWS Config and external tools (e.g., Qualys).
  • Retain audit logs for 7 years in a secure AWS S3 bucket, per GDPR/DPDPA.

8. Training and Awareness

  • Conduct mandatory bi-annual training on data protection principles, regulatory requirements, and breach reporting.
  • Include role-specific modules for Customer Support, DevOps, and IT Security.
  • Perform quarterly phishing simulations to test employee awareness.
  • Conduct annual tabletop exercises to simulate data breach scenarios.

9. Third-Party Management

  • Require vendors to comply with data protection standards (ISO 27001:2022, GDPR) via DPAs.
  • Conduct annual vendor audits to verify data protection controls, with results reported to the Compliance Officer.
  • Ensure AWS configurations (S3 bucket policies, IAM roles) align with data protection requirements.
  • Review AWS Shared Responsibility Model compliance quarterly.

10. Policy Review and Updates

  • Review the policy annually or after significant changes in regulations (e.g., DPDPA amendments), technology (e.g., new AWS services), or processes.
  • Reviews conducted by the DPO in coordination with the IT Security Team and Compliance Officer.
  • Updates proposed by the DPO, approved by the CISO and senior management, and communicated via training and internal announcements.
  • Updated policies stored in a secure AWS S3 bucket, accessible to all employees.

11. Enforcement

All employees, contractors, and third-party vendors must adhere to this policy. Non-compliance (mishandling data, bypassing encryption) results in:

  • First Offense — Written warning and mandatory retraining within 14 days.
  • Second Offense — Suspension and review by HR and the CISO.
  • Repeat Violations — Termination or contract cancellation, as determined by HR and the CISO.
  • Employees report violations via the IT ticketing system or anonymously through the whistleblower portal.
  • Violations investigated by the Infosec and Compliance Team within 48 hours.

Data Protection Officer

dpo@mitigata.com

Security Incidents

security@mitigata.com

Grievance Officer

ankit.m@mitigata.com

Registered Office

Second Floor, Gayathri Mansion, 80/3, Outer Ring Rd, Bellandur, Bengaluru, Karnataka 560103

Mitigata Insurance Brokers Pvt. Ltd.

A subsidiary of Alphawave Technologies Private Limited

IRDAI Registration No.: IRDAI/INT/BRK/DB 1115/2024CIN: U66220KA2024PTC186580