Data Security and Data Governance
In order to provide the key EWA service, RUPID TECHNOLOGY LABS PRIVATE LIMITED (hereinafter referred to as “Rupid”) stores and processes customer data in a hosted environment secured within a Virtual Private Cloud set up on a public cloud, viz. Amazon AWS. Certain data points such as email, phone number, address, age, gender, bank account number and PAN are collected in order to comply with regulatory mandates. While some of these data points are required to validate the authenticity of the users, the rest are required for KYC setup as per the RBI guidelines.
Information and Data Classification
- Rupid shall define information classifications based on the sensitivity, criticality, confidentiality, privacy requirements and value of the information.
- All information generated by or for Rupid in writing, electronic or any other form shall be classified based on the four-level classification, i.e. Highly Confidential, Confidential, Internal, Public.
  - Highly Confidential – User private data (MySQL)
  - Confidential – Client contracts, employee contracts, financials (MySQL)
  - Internal – Business Metrics, Process SOP
  - Public – Organisation Structure, Privacy Policies
- For all existing information types, the assigned owner shall be responsible for choosing an appropriate information classification level in accordance with Rupid’s business requirements.
- When the various sensitivity classifications of information are combined, the resulting collection of information shall be classified at the most restricted level among the sources.
- All Rupid employees shall comply with the defined information classification scheme.
Data Strategy Overview:
Building and driving businesses using data is of utmost necessity for every organisation. Building a data strategy around the organisation will not only help to develop an informed and mature data culture within the organisation, it will also lead to intelligent decision making and better products, and will help to serve clients and end users better. The important touch points are as follows:
- Asking and addressing the key Business Questions/Use cases to obtain a clear and quantifiable impact on the results.
- Does it make a significant impact in the outcome?
- Does it remove redundancy? (No same report or data for two teams – Reusability)
- Assess the Business Criticality / Priority.
- Creating the technology and Data Infrastructure:
- Defining and developing proper sourcing, collection, transformation and processing of the data. Maintaining a centralised Data Repository/DWH for processing/analysing the data generated/stored internally and externally.
- Developing a detailed Data Strategy roadmap for Rupid on the fronts of Data Engineering, Analytics and Science, and tracking Data Maturity progression.
- Defining and Implementing the right Data Governance.
Data Governance:
Ensuring the data doesn’t become a Liability: Data Governance
Businesses are collecting and analysing ever increasing amounts of data, trying to make better decisions, run their operations more efficiently and target more profitability in the days to come. There are significant hurdles around data ownership, privacy and security to overcome, and ignoring them can turn data from a huge asset into a potential liability. Regulations are being introduced to tighten up how companies collect, store and use data, and proper consideration of these issues comes under the umbrella of ‘Data Governance’.
Many businesses do brilliant things using third party data, and the wealth of data providers can be beneficial to companies to an extent. However, in the case of Rupid, it is very important to own any data points entrusted to us by our end users, clients and LMS/Banking partners.
Wherever possible we own the data that is crucial to Rupid’s operations, revenue and critical decision making processes. This is easy enough for internal data, but it is admittedly less straightforward with external data. The goal is to ensure that the correct access is in place for users as and when needed for access control, and to define the metadata/logs for the information/data collected from or transferred to third parties, end users, clients, LMS or banking partners, and internal stakeholders.
Rupid is to ascertain that data access is provided to responsible individuals as per the business need, and to make them aware of its fair usage for the purpose of business operation/analytics/processing only.
When we’re talking about ‘big’ data, there is great value in a ‘less is more’ approach. Sitting on vast amounts of unutilised data is not only an expensive approach, it is also tedious to store and process/analyse that data in an attempt to extract meaning without a purpose.
Addressing Privacy concerns
At Rupid we always have to be mindful of these user rights and take steps according to when, how and what consent the end users are providing, revoking or updating.
We also have to make sure that full disclosure is given to the user by way of the Terms and Conditions, the publicly available Privacy Policy, and timely ad hoc consents obtained from the users via OTP/Email/Voice Call Notification/CTA on app/Pop ups as and when required.
Rupid also has to draw up SOPs to ensure that, if the user revokes any of the consents, the data of the user is processed, not processed or erased accordingly.
The privacy policy of Rupid is detailed here.
Practising and Implementing Good Data Governance:
Data Governance refers to the overall management and caretaking of data, covering its usability, integrity and security. Rupid is cognizant of the moral and legal requirements and regulations concerning every step of our data operations and has firm policies and procedures in place to govern every step. It goes beyond data security, ownership and privacy; it extends to having policies in place to determine exactly who has access to data, and who is responsible for maintaining the quality and accuracy of that data. A big part of enforcing this relies on building an informed and correct data culture within the organisation.
From time to time these best practices need to be conveyed (KT sessions) to the stakeholders, including Tech / Product (B2B & B2C) / Sales & Operations / Implementations / Customer Experience / Client engagements / Marketing etc., to educate/remind them about their benefits and the shortcomings if they are missed.
Data Retention and Purging Policies
Rupid has detailed retention and purging policies to ensure compliance with any change in statute / law; or changes in the policies and procedures of the company; or process improvements; or to correct any errors or omissions in the manual; or a potential or ongoing Litigation / Preservation notice; or any other reason that necessitates such deviation.
The data retention strategies are as per the Indian laws (Companies Act, 1956 / Companies Act, 2013, Depository Act, Others, including Income & Other taxes). Rupid takes cognisance of alignment with SEBI (Listing Obligation and Disclosure Requirements) Regulations, 2015, and the Prevention of Money Laundering Act and rules made thereunder, read with RBI circulars in respect thereof; data shall be preserved and maintained for a period of five years from the date of its event, unless a longer duration is specified under any other Act or Rules.