Updated by Admin on 2nd December 2025
Introduction
Apptimus Tech Private Limited (referred to as "Apptimus") understands the critical need to protect its information assets in an increasingly digital landscape. As a provider of innovative software products and specialized product development services, we're committed to safeguarding the integrity, confidentiality, and availability of data across all operations. This Information Security Policy outlines our approach to information security, ensuring the protection of client, employee, and stakeholder interests, while aligning with industry best practices, legal obligations, and evolving technological trends.
Scope
This policy applies to all employees, contractors, freelancers, third parties, and all departments within Apptimus.
Information Security Policy Statement
Apptimus Tech Private Limited is committed to protecting the confidentiality, integrity, and availability of all information assets, including client data, intellectual property, and internal operational data. We achieve this through the continuous implementation and improvement of an Information Security Management System (ISMS) that aligns with ISO/IEC 27001:2022 and relevant legal, regulatory, and contractual requirements. All employees, contractors, and third parties are responsible for upholding this policy and contributing to a secure information environment.
Information Security Objectives
Apptimus has tailored its information security objectives to align with its core services. These objectives ensure that the organization meets the expectations of its clients while maintaining a secure operational environment.
- Ensure the security by design and default of Apptimus's proprietary products throughout their lifecycle.
- Establish a robust incident response framework to manage and report any security incidents affecting client systems or data.
- Integrate secure development practices throughout the software development lifecycle to minimize vulnerabilities in client deliverables.
- Conduct regular security testing, including static and dynamic analysis, to validate the security posture of developed applications and systems.
- Ensure compliance with all applicable legal, regulatory, and contractual obligations related to information security.
- Promote a strong security-aware culture across the organization through continuous training and communication.
Governance and Responsibilities
Apptimus has established clear roles and associated responsibilities to support the effective governance of information security and ensure alignment of the ISMS with organizational objectives.
These roles include oversight by senior leadership, implementation and compliance at departmental levels, and active participation from all employees and contractors in maintaining a secure environment.
Risk Management Framework
Apptimus follows a structured approach to managing information security risks through identification, assessment, mitigation, and ongoing monitoring:
- Regular assessments are conducted to identify potential threats and vulnerabilities, evaluating their likelihood and impact to prioritize risks effectively.
- Identified risks are addressed with appropriate controls—such as technical, administrative, or physical measures—to mitigate, transfer, accept, or avoid them, based on a cost-benefit analysis and organizational risk tolerance.
- Risks and controls are continuously monitored, with the risk register updated regularly to reflect changes in the risk landscape and ensure the framework remains effective.
The framework is designed to adapt to changes in internal and external contexts, such as technological advancements, evolving regulatory requirements, and organizational growth.
Apptimus incorporates all relevant controls required by the ISO/IEC 27001:2022 framework as identified through risk assessment.
Information Security Controls and Practices
Human Resource Security
Human resource security is integral to mitigating information security risks associated with personnel at every stage of the employment lifecycle. Apptimus conducts rigorous background checks for all prospective employees and contractors, including verification of identity, qualifications, and professional references. Employment contracts explicitly outline information security responsibilities, emphasizing confidentiality and compliance with organizational policies. Background checks will be conducted in compliance with all applicable local laws and regulations regarding privacy and data protection.
All employees are assigned clear roles and responsibilities to ensure accountability. Mandatory security training programs are conducted regularly, covering topics such as data protection, secure work practices, and recognizing potential security threats. Regular refresher courses reinforce awareness and adapt to evolving challenges. Additionally, specialized security training is provided to personnel with elevated access privileges or security-critical roles. Compliance with security protocols is integrated into performance reviews.
A comprehensive offboarding process is implemented to prevent security risks from departing personnel. This includes immediate revocation of access to systems, networks, and premises, along with the recovery or secure disposal of company assets. Non-disclosure agreements (NDAs) are reiterated to ensure information protection even after employment ends.
Secure Development Practices
Secure development practices are embedded in all Apptimus and client-related software and system lifecycles to safeguard operational and client data integrity. Security requirements are defined early in the design phase, with threat modeling and security checkpoints at each stage of development. Comprehensive code reviews, combining automated static and dynamic analysis tools with manual peer reviews, ensure robust security.
Security testing, including penetration testing, identifies and remediates vulnerabilities before deployment. Data segregation policies ensure sensitive information is handled securely through measures such as access control, encryption, and monitoring. Secure development also includes evaluating the security posture of third-party libraries and components used in development.
Secure coding practices are embedded in the development lifecycle to prevent vulnerabilities. Developers receive training on secure coding standards. Code reviews and automated tools ensure adherence to security guidelines. Security is prioritized in all software deliverables to protect client and organizational data.
Information Security in Project Management
Security considerations are integrated into project management from initiation to closure. Risks are assessed at each stage, and mitigation strategies are implemented. Projects involving sensitive data adhere to strict security protocols, with access restricted based on project roles.
Data Protection
Sensitive data, including Personally Identifiable Information (PII), is classified based on sensitivity and criticality into public, internal, confidential, and restricted categories. Encryption protocols safeguard data at rest and in transit, ensuring confidentiality and integrity. Data owners are responsible for ensuring their data is appropriately classified and handled according to its classification.
Critical data, including PII, is regularly backed up, with recovery procedures tested periodically to ensure availability. Retention periods for sensitive data comply with regulatory, legal, and business requirements, with obsolete data securely disposed of through shredding or data wiping. Additional measures are taken to protect PII, such as anonymization or pseudonymization when appropriate, to further mitigate risks.
Access Control
Access control mechanisms prevent unauthorized access to systems, applications, and data. Robust authentication processes, including multi-factor authentication (MFA), verify user identities. Password management requirements, including complexity, expiration, and reuse restrictions, are set out in the password policy requirements listed below to ensure compliance with security best practices.
Access is granted strictly on a need-to-know basis using role-based access control (RBAC), ensuring employees access only information required for their roles. Periodic reviews of access rights eliminate excessive or outdated privileges, enforcing the principle of least privilege.
All access activities are logged and monitored in real-time, with anomalies flagged and investigated promptly.
Password policy requirements:
- The minimum password length must be 8 characters.
- Password complexity must be enabled.
- Passwords must include at least 1 uppercase letter, 1 lowercase letter, 1 numeric character, and 1 special character.
- Users will be logged out after 15 minutes of idle session time.
- Multi-factor authentication (MFA) must be enabled for all user accounts.
- The minimum password age is 1 day.
- The maximum password age is 90 days.
- The password history must retain at least 5 previous passwords.
- Accounts must lock after 5 consecutive failed login attempts.
Network and Internet Security
Network infrastructure security is paramount against internal and external threats. Firewalls are regularly updated to address vulnerabilities. Secure communication channels, including virtual private networks (VPNs) and end-to-end encryption, are mandatory for remote access and sensitive communications.
Regular vulnerability assessments and penetration tests strengthen network resilience. Network segmentation isolates sensitive systems and data, reducing the attack surface and enhancing containment.
Physical and Environmental Security
Physical facilities and assets are secured against unauthorized access and environmental risks. Sensitive areas are protected through key cards, biometric systems, and monitored visitor access. Continuous CCTV monitoring in critical areas supports investigations, with recordings retained for a defined period.
Fire suppression systems, redundant power supplies, and climate controls mitigate environmental risks. Regular maintenance ensures these systems function optimally.
Incident Management
An incident management framework ensures timely detection, response, and recovery from security incidents. Employees and contractors are trained to report incidents promptly through defined channels, supported by an incident hotline and email system.
A detailed incident response plan defines roles, responsibilities, and escalation procedures, covering containment, eradication, and recovery phases. Root cause analysis and lessons learned improve defenses. Significant incidents are reported to regulatory authorities and affected parties within prescribed timelines.
Business Continuity and Disaster Recovery
Business continuity and disaster recovery plans (BCPs and DRPs) ensure operational resilience during disruptions. Critical systems are identified through business impact analyses (BIAs), prioritizing recovery based on operational impact.
Regular updates to BCPs and DRPs address potential risks. Simulated drills and exercises validate plan effectiveness. Recovery time objectives (RTOs) and recovery point objectives (RPOs) minimize downtime and data loss.
Third-Party and Cloud Security
Given Apptimus's global operations and reliance on diverse vendors and cloud providers, robust security measures governing these collaborations are critical. Vendor security practices are assessed, and risks are mitigated through detailed evaluations. Contracts define security expectations, including Service Level Agreements (SLAs) and Non-Disclosure Agreements (NDAs).
Vendor compliance is monitored through audits and reviews, with corrective actions for non-compliance. Cloud service providers implement encryption, access control, and regular audits. Data stored in the cloud is protected with the same rigor as on-premises data.
Legal, Statutory, Regulatory, and Contractual Requirements
Apptimus identifies and adheres to applicable legal, statutory, regulatory, and contractual requirements, ensuring compliance in operations. Updates to these requirements are monitored, and policies adjusted accordingly.
Intellectual Property Rights
Apptimus is committed to protecting its own intellectual property (IP) as well as that of its clients, partners, and other stakeholders.
Apptimus enforces comprehensive measures to safeguard intellectual property rights, including:
- All employees, contractors, and third parties are required to sign confidentiality and non-disclosure agreements that clearly define ownership rights and obligations related to intellectual property.
- Proprietary content, client deliverables, financial models, and internal methodologies are securely stored, classified, and accessible only on a need-to-know basis.
- Regular training and onboarding programs educate team members on intellectual property obligations, ethical handling of proprietary content, and legal consequences of misuse.
- All software, templates, and reference materials used within Apptimus must be properly licensed. Unauthorized copying, distribution, or use of third-party IP is strictly prohibited.
- Any suspected or actual violation of intellectual property rights is subject to investigation, and appropriate disciplinary or legal action will be taken where necessary.
These controls ensure that the intellectual capital developed and entrusted to Apptimus is preserved, reinforcing our reputation for professionalism, integrity, and client confidentiality.
Endpoint Security
Apptimus enforces strong endpoint security controls to protect devices that access, store, or process organizational and client information. Endpoints—including laptops, desktops, mobile devices, and remote systems—serve as critical access points to company systems and are safeguarded through a layered and proactive security approach.
Key elements of Apptimus's endpoint security program include:
- All company-issued devices are configured with secure baseline settings, including disabling unnecessary services, enforcing strong password policies, and applying encryption to protect data at rest.
- Approved endpoint protection solutions (e.g., antivirus, anti-malware, and endpoint detection and response tools) are installed, maintained, and updated regularly to detect and respond to known and emerging threats.
- Security patches and software updates are applied promptly to all devices to address known vulnerabilities and maintain system integrity.
- Measures are in place to prevent unauthorized copying, transfer, or printing of sensitive data from endpoint devices, including restrictions on external storage media and clipboard access.
- Additional safeguards are enforced for remote employees, including secure VPN access, device encryption, and clear guidelines on the use of personal devices (BYOD), where permitted.
All endpoint users are responsible for following security practices and reporting any suspected issues immediately. These controls support Apptimus’s commitment to protecting sensitive information, maintaining operational resilience, and upholding client trust.
Use of Artificial Intelligence (AI)
The use of Artificial Intelligence (AI) tools and platforms, including Large Language Models (LLMs), by Apptimus employees, contractors, and third parties is subject to strict security and ethical guidelines to protect Apptimus and client data, intellectual property, and to prevent unauthorized disclosure or misuse.
While leveraging AI offers significant opportunities for automation, insights, and innovation, it also introduces unique information security considerations.
Key elements governing the use of AI include:
- Only AI tools and platforms explicitly approved by management are permitted for use with Apptimus and client data. Unapproved tools may pose significant security risks.
- Sensitive, confidential, or proprietary Apptimus or client data, including PII, intellectual property, source code, or internal business strategies, must not be entered into public or unapproved AI models or services. Users must verify the data handling and privacy policies of any AI tool before entering any information.
- Employees must ensure that the use of AI tools does not lead to the inadvertent disclosure of Apptimus's or clients' intellectual property or confidential information. Any output generated by AI tools using Apptimus data remains the property of Apptimus and must be handled in accordance with this policy.
- AI-generated content or code should not be considered authoritative without independent verification. Employees are responsible for reviewing and validating any AI-generated output for accuracy, completeness, and absence of vulnerabilities before use or deployment.
- Regular training will be provided to educate employees on the secure and ethical use of AI tools, including risks associated with data privacy, intellectual property, and potential biases.
- Apptimus reserves the right to monitor the use of AI tools on company networks and devices to ensure compliance with this policy and to identify and mitigate potential security risks.
Compliance and Audit
Compliance measures ensure adherence to legal, regulatory, and contractual obligations. Apptimus keeps abreast of applicable laws, ensuring operational compliance. Regular internal and external audits evaluate control effectiveness, with findings documented and corrective actions implemented.
Comprehensive records of compliance efforts demonstrate accountability and facilitate external reviews.
Violation of Policy
Non-compliance with this Information Security Policy may lead to various consequences, depending on the nature and severity of the violation. Potential repercussions include:
- Disciplinary action, including suspension or termination.
- Civil or criminal prosecution in cases of deliberate breaches.
- Other corrective measures as deemed necessary by management.
Policy Review and Revision
This Information Security Policy is a living document and will undergo regular reviews to ensure its relevance and effectiveness in addressing emerging security risks and compliance requirements. The policy will be formally reviewed at least once annually to assess its alignment with current organizational goals, legal obligations, and technological advancements.
In the event of significant changes, such as updates in legal or regulatory requirements, technological developments, or organizational restructuring, the policy will be revised promptly. Updates to the policy will be communicated to all relevant stakeholders through appropriate channels, ensuring that employees, contractors, and third-party service providers are informed of any changes that may affect their roles and responsibilities.
Acknowledgment
To ensure awareness and adherence to the Information Security Policy, all employees, contractors, and third-party service providers are required to acknowledge receipt and understanding of the policy. This acknowledgment serves as confirmation that they have read, understood, and agree to comply with the guidelines and responsibilities set forth in the policy.
The acknowledgment will be documented and retained as part of the employee’s or service provider’s record. Any individual who fails to acknowledge the policy may be subject to further actions as determined by management, including access restrictions or additional training requirements.