Back to Home

Data Management, Retention, and Privacy Policy

Version 1.0 · Confidential · Mitigata Insurance Brokers Pvt. Ltd.

This document is confidential and intended for internal use only. All information contained herein is subject to applicable laws and regulations. Unauthorized reproduction, distribution, or disclosure of its contents is prohibited.

1. Purpose and Scope

The Data Management, Retention, and Privacy Policy for Alphawave Technologies Private Limited (parent of Mitigata Insurance Brokers Pvt. Ltd.) establishes a comprehensive framework to ensure the secure, compliant, and efficient handling, retention, and protection of data. The policy aims to:

  • Safeguard the confidentiality, integrity, and availability of data — customer data, operational data, and intellectual property critical to the SaaS platform.
  • Ensure compliance with ISO 27001, GDPR, CCPA, DPDPA, CERT-In, and other applicable regulations.
  • Define clear retention periods and disposal processes to manage the data lifecycle effectively.
  • Protect data subject rights and maintain trust through transparent privacy practices.
  • Integrate with the Business Continuity Plan (BCP) and Incident Management Policy to enhance resilience.

Scope

  • All employees, contractors, consultants, temporary staff, interns, visitors, and third-party vendors handling or accessing the organization's data, IT infrastructure, cloud services (AWS, Azure, Google Cloud), or operational systems.
  • All data types — customer data (PII, payment details), operational data, financial records, and intellectual property.
  • All IT assets — endpoints (laptops, desktops, mobile devices), servers, network devices, applications, databases, and APIs.
  • All business operations — SaaS platform delivery, customer support, billing, payment processing, and internal processes.
  • Data handling, storage, and processing — ensuring compliance with data localization (storing customer data in India per DPDPA) and privacy regulations.

2. Policy Statement

Alphawave Technologies Private Limited is committed to managing data responsibly, retaining it only as long as necessary, and protecting the privacy of data subjects. The organization adopts a data protection by design and default approach, ensuring data is collected, processed, stored, and disposed of securely and compliantly. Data management practices adhere to data minimization, purpose limitation, and lawful basis principles. Retention schedules are strictly enforced, and data privacy rights are upheld through transparent processes and robust security controls. The organization ensures compliance with ISO 27001, GDPR, CCPA, DPDPA, and CERT-In, fostering trust with clients and stakeholders through continuous training, auditing, and incident response readiness.

3. Roles and Responsibilities

  • Compliance Officer (GRC Manager) — Oversees policy development, enforcement, and compliance with ISO 27001, GDPR, CCPA, DPDPA, CERT-In. Conducts audits, reports incidents to senior management, and coordinates with regulators.
  • IT Recovery Lead (Anuj Kumar, IT Director) — Manages storage, encryption, backups, and recovery. Aligns controls with RTO/RPO targets and oversees DLP and encryption solutions.
  • BCP Coordinator (Mayank Morya, CTO) — Ensures data practices support the BCP; approves retention schedules and disposal processes for critical systems.
  • Operations Head (Sarthak Dubey, COO) — Defines data handling for customer support and billing; manages customer privacy communications and breach notifications.
  • HR Manager — Coordinates data management training; maintains training records and data handling agreements; manages employee data per privacy regulations.
  • System Administrators — Implement and maintain encryption, access controls, backups; execute archiving and disposal; monitor access logs.
  • SOC Team — Monitors data activities 24x7 using SIEM and DLP; detects and escalates breaches; generates security reports.
  • Data Protection Officer (DPO) — Primary point of contact for privacy matters; conducts Privacy Impact Assessments (PIAs); ensures GDPR/CCPA/DPDPA compliance; advises on consent and cross-border transfers.
  • Employees and Contractors — Adhere to policies, complete mandatory training, report incidents immediately, comply with security controls, respect data subject rights.
  • Third-Party Vendors — Comply with Alphawave's policies and contractual obligations; implement equivalent controls; report incidents within 24 hours; provide evidence of training and compliance during audits.

4. Data Management Principles

4.1 Data Classification

  • Confidential — Customer PII (names, emails, payment details), financial records, intellectual property (source code).
  • Sensitive — Internal business data (operational plans, employee records, internal APIs).
  • Public — Marketing materials, public-facing website content, open APIs.
  • Data is tagged with classification labels in storage and transit to enforce security controls.

4.2 Data Collection and Processing

  • Collect only data necessary for a specific, lawful purpose (data minimization).
  • Ensure data is accurate, up-to-date, and processed with explicit consent or legal basis.
  • Document data processing activities in a centralized data inventory.

4.3 Data Storage and Security

  • Store data in secure, encrypted environments (AWS ap-south-1) compliant with data localization requirements.
  • Protect data with AES-256 encryption at rest and TLS 1.3 in transit.
  • Restrict access to authorized roles based on Principle of Least Privilege (PoLP) and Role-Based Access Control (RBAC).

4.4 Data Access and Sharing

  • Access is granted only to authorized personnel with a legitimate business need.
  • Data sharing with third parties requires contractual agreements and compliance with privacy regulations.
  • Use secure channels (encrypted APIs, SFTP) for data transfers.

5. Data Retention Principles

5.1 Retention Periods

  • Retain data only as long as necessary to fulfill its purpose or meet regulatory requirements.
  • Define retention periods based on data type, regulatory obligations, and business needs.
  • Regularly review retention schedules to ensure compliance and relevance.

5.2 Data Archiving

  • Archive data no longer actively needed in secure, encrypted, and access-restricted repositories.
  • Ensure archived data remains retrievable for audits or legal purposes.
  • Limit access to archived data to authorized personnel with Multi-Factor Authentication (MFA).

5.3 Data Disposal

  • Dispose of data securely when retention periods expire, using methods that prevent recovery (data wiping, shredding).
  • Certify disposal processes to ensure compliance with privacy regulations.
  • Maintain records of disposal activities for audit purposes.

6. Data Privacy Principles

6.1 Lawful Basis for Processing

  • Process data only with a lawful basis (consent, contract, legal obligation) per GDPR, CCPA, and DPDPA.
  • Document the lawful basis for each data processing activity in the data inventory.
  • Cease processing if the lawful basis no longer applies, unless required by law.

6.2 Data Subject Rights

Uphold data subject rights, including:

  • Access — Right to view personal data held by the organization.
  • Rectification — Right to correct inaccurate data.
  • Erasure — Right to request data deletion (subject to legal obligations).
  • Restriction — Right to limit data processing.
  • Portability — Right to receive data in a machine-readable format.
  • Objection — Right to object to processing (e.g., for marketing).
  • Respond to data subject requests within 30 days (GDPR/CCPA) or as per DPDPA timelines.

6.3 Consent Management

  • Obtain explicit, informed consent for processing personal data when required.
  • Provide clear, accessible mechanisms for granting, reviewing, and withdrawing consent.
  • Maintain records of consent for audit and compliance purposes.

6.4 Data Minimization

  • Collect and process only the minimum data necessary for the intended purpose.
  • Regularly review data collection practices to eliminate unnecessary data points.
  • Anonymize or pseudonymize data where possible to reduce privacy risks.

6.5 Data Protection by Design and Default

  • Embed data protection principles into system design, processes, and operations.
  • Configure systems to default to the most privacy-preserving settings (minimal data access, encryption enabled).
  • Conduct Privacy Impact Assessments (PIAs) for new systems or processes handling personal data.

7. Data Management Procedures

7.1 Data Inventory and Mapping

  • Maintain a centralized data inventory documenting all data types, sources, purposes, and storage locations.
  • Map data flows to identify collection, processing, storage, and sharing activities.
  • Update the inventory quarterly or upon significant changes (new systems, vendors).
  • Use Data Governance tools (Collibra, OneTrust) to automate inventory and mapping.
  • Restrict inventory access to the Compliance Officer, DPO, and authorized auditors.

7.2 Data Security Controls

  • Encryption — AES-256 for data at rest; TLS 1.3 for data in transit.
  • Access Controls — Enforce PoLP, RBAC, and MFA for all data access; use Privileged Access Management (PAM) for sensitive data and systems.
  • DLP — Deploy Data Loss Prevention tools to detect and prevent unauthorized data exfiltration.
  • Monitoring — Use SIEM and XDR tools to monitor data access and detect anomalies in real-time.

7.3 Data Backup and Recovery

  • Schedule daily backups of critical data (customer databases, billing records) to encrypted, off-site storage.
  • Test backup integrity and restoration processes quarterly.
  • Restore data within RPOs (e.g., 1-hour data loss limit) during incidents.
  • Verify restored data for integrity and security before resuming operations.
  • Maintain geo-redundant backups across AWS regions (ap-south-1, ap-southeast-1).

7.4 Third-Party Data Management

  • Assess vendors' data security and privacy practices before sharing data.
  • Require vendors to provide SOC 2 Type II, ISO 27001, or equivalent certifications.
  • Include data protection clauses in contracts mandating compliance with Alphawave's policies.
  • Require vendors to notify Alphawave of data incidents within 24 hours.
  • Conduct annual vendor audits to verify data handling compliance.

8. Data Retention Procedures

8.1 Retention Schedule

Examples of retention periods applied across data categories:

  • Customer Data — Retain for 5 years post-contract per DPDPA, unless requested for deletion.
  • Financial Records — Retain for 7 years per Indian tax laws.
  • Employee Records — Retain for 5 years post-employment per labor laws.
  • Logs (Access, Incident) — Retain for 5 years for critical systems, 3 years for others.
  • Public Data — Retain indefinitely unless obsolete or requested for removal.
  • Document retention periods in a centralized retention schedule, reviewed annually.
  • Automate retention tracking using Data Governance tools.
  • Extend retention for legal holds or regulatory investigations, with approval from the Compliance Officer.

8.2 Archiving Process

  • Move inactive data to a secure, encrypted archive repository after active use ends.
  • Restrict archive access to authorized personnel with MFA and PAM controls.
  • Maintain metadata for retrievability (data type, retention period, access history).
  • Use cloud-based archives (AWS S3 Glacier) with geo-redundancy and encryption.
  • Conduct semi-annual archive audits to verify security and compliance.

8.3 Secure Data Disposal

  • Digital Data — Use secure wiping tools (NIST 800-88 compliant) to overwrite data.
  • Physical Media — Shred or incinerate physical records and storage devices.
  • Identify data eligible for disposal based on retention schedules.
  • Obtain approval from the Compliance Officer and DPO before disposal.
  • Certify disposal with documented evidence (destruction certificates).
  • Conduct annual disposal audits to verify compliance and completeness.

9. Data Privacy Procedures

9.1 Privacy Impact Assessments (PIAs)

  • Conduct PIAs for new systems, processes, or vendors handling personal data.
  • Assess data processing risks, including privacy, security, and compliance impacts.
  • Identify mitigation measures (encryption, anonymization).
  • Document findings and obtain DPO approval before implementation.
  • Review PIAs annually or upon significant changes to data processing activities.

9.2 Data Subject Request Handling

  • Receive requests via a dedicated privacy portal or email (privacy@mitigata.com).
  • Verify requester identity using secure methods (MFA, ID checks).
  • Respond within 30 days (GDPR/CCPA) or as per DPDPA timelines, providing requested data or actions.
  • Log all requests, responses, and timelines in a privacy management system.
  • Escalate complex requests to the DPO and Compliance Officer for resolution.

9.3 Breach Notification

  • Internal — Report breaches to the SOC Team and IRT within 1 hour of detection; escalate to Compliance Officer and DPO.
  • Customer — Notify affected customers within 24 hours of confirmed personal data breaches via email, status page, and social media.
  • Regulatory — Report to CERT-In within 6 hours for critical incidents; notify GDPR authorities within 72 hours for personal data breaches; comply with DPDPA timelines for Indian data breaches.
  • Documentation — Maintain detailed breach records, including impact, response, and notifications.

9.4 Cross-Border Data Transfers

  • Ensure transfers comply with GDPR, DPDPA, and other regulations (Standard Contractual Clauses, Binding Corporate Rules).
  • Store customer data in India per DPDPA localization mandates, unless explicit consent is obtained.
  • Conduct transfer impact assessments for cross-border data flows.
  • Use encrypted channels and contractual safeguards for transfers.
  • Review transfer compliance annually with DPO oversight.

10. Training and Awareness

10.1 Mandatory Training

  • Annual training for all employees, contractors, and vendors, with onboarding sessions within 7 days of hire.
  • Content — Data classification, handling, security best practices, retention schedules, secure disposal, data subject rights, consent management, breach notification, and regulatory requirements (GDPR, DPDPA, ISO 27001).
  • Delivery — Online portal with interactive modules, quizzes, and case studies.
  • Certification — Completion certificates required, tracked by HR.

10.2 Role-Specific Training

  • IT Staff — Encryption, DLP, backup, and recovery processes.
  • Customer Support — Handling data subject requests and customer privacy inquiries.
  • Developers — Secure coding and data protection by design.
  • Management — Approving data-sharing agreements and overseeing compliance.
  • Frequency — Semi-annual sessions, supplemented by annual refreshers.

10.3 Awareness Campaigns

  • Monthly campaigns via newsletters, posters, videos, and workshops.
  • Topics — Data minimization, secure handling, breach risks, consent management, data subject rights.
  • Use CERT-In, CSIRT-Fin advisories, and real-world examples to highlight risks.
  • Host quarterly town halls to discuss data privacy updates and gather feedback.
  • Track participation and feedback to assess effectiveness.

10.4 Third-Party Training

  • Vendors handling data must complete annual data management and privacy training.
  • Training covers Alphawave's policies, regulatory obligations, and incident reporting.
  • Require vendors to submit training completion certificates during audits.
  • Suspend vendor data access until training is completed.

11. Compliance and Auditing

11.1 Regulatory Compliance

  • Align practices with ISO 27001, GDPR, CCPA, DPDPA, and CERT-In requirements.
  • Comply with data localization mandates, storing customer data in India per DPDPA.
  • Meet regulatory reporting timelines (6 hours for CERT-In, 72 hours for GDPR).
  • Maintain a compliance register documenting data policies, audits, and regulatory communications.

11.2 Data Audits

  • Annual audits by internal teams and CERT-In empaneled auditors, with quarterly internal reviews.
  • Verify data inventory, classification, and retention compliance.
  • Assess security controls — encryption, DLP, access restrictions.
  • Review data subject request handling and breach notification processes.
  • Evaluate training completion and third-party compliance.
  • Use Data Governance and SIEM tools to generate audit reports.
  • Conduct PIAs and Vulnerability Assessments annually to test data controls.
  • Address critical findings within 30 days, non-critical within 90 days.

11.3 Incident Reporting and Response

  • Report data-related incidents (breaches, unauthorized access) within 1 hour via the incident reporting portal.
  • SOC Team escalates to the IRT, Compliance Officer, and DPO.
  • Isolate affected data/systems, mitigate risks, and notify stakeholders.
  • Follow Incident Management Policy procedures for containment and recovery.
  • Conduct root cause analysis and update data controls.
  • Document lessons learned and integrate into training.

12. Enforcement and Penalties

  • Violations — Examples include unauthorized data access, failure to follow retention schedules, or neglecting data subject rights.
  • Employees / Contractors — Verbal warnings, written warnings, suspension, termination, or legal action.
  • Vendors — Suspension of data access, contract termination, or financial penalties per SLAs.
  • Reporting — Personnel must report violations within 1 hour to avoid penalties.
  • Consequences — Non-compliance may lead to regulatory fines, reputational damage, or financial losses.
  • Investigation — Compliance Officer and DPO lead investigations with HR and IT support; actions determined per HR, legal, and regulatory policies.
  • Appeals — Employees may appeal disciplinary actions through HR within 7 days.

13. Policy Review and Updates

  • Review the policy annually or upon regulatory changes (DPDPA, GDPR updates), significant incidents (major data breaches), or technological updates (new data systems, cloud migrations).
  • Engage the Compliance Officer, DPO, IT Recovery Lead, and BCP Coordinator in reviews.
  • Solicit feedback from employees, vendors, and auditors to identify gaps.
  • Approve changes via the Compliance Officer and senior management.
  • Distribute updates via email, training sessions, and the employee portal; require acknowledgment from all personnel.
  • Maintain a version control log with change details, approvers, and implementation dates.

Privacy Requests

privacy@mitigata.com

Customer Support

care@mitigata.com

Grievance Officer

ankit.m@mitigata.com

Registered Office

Second Floor, Gayathri Mansion, 80/3, Outer Ring Rd, Bellandur, Bengaluru, Karnataka 560103

Mitigata Insurance Brokers Pvt. Ltd.

A subsidiary of Alphawave Technologies Private Limited

IRDAI Registration No.: IRDAI/INT/BRK/DB 1115/2024CIN: U66220KA2024PTC186580