1. Purpose

The TactTree is committed to protecting the confidentiality, integrity, and availability of information assets. This policy establishes the framework for safeguarding client data, personal information, and internal systems against unauthorized access, misuse, or loss.

2. Scope

This policy applies to all employees, contractors, systems, and processes involved in handling company and client data across all locations in India.

3. Objectives

• Protect sensitive and personal data from unauthorized access or disclosure
• Ensure integrity and accuracy of data used in lead generation and data services
• Maintain availability of systems and data for business operations
• Comply with applicable laws including the Digital Personal Data Protection Act, 2023
• Align with industry best practices such as ISO 27001

4. Information Security Principles

• Confidentiality: Access to data is restricted to authorized personnel only
• Integrity: Data is accurate, complete, and protected from unauthorized modification
• Availability: Systems and data are accessible when required for business operations

5. Data Classification & Handling

Information is classified into categories such as:

• Public
• Internal
• Confidential (includes client data, lead databases, and personal information)

Handling requirements:

• Confidential data must be encrypted and access-controlled
• Data sharing must follow approved processes and authorization
• Personal data must be processed only for legitimate business purposes

6. Access Control

• Role-based access control (RBAC) enforced across systems
• Least privilege principle applied
• Strong password policies and multi-factor authentication (where applicable)
• Access rights reviewed periodically

7. Data Protection & Privacy

• Personal data is collected and processed only for defined business purposes
• Data minimization principles are followed
• Data sharing with third parties is governed by agreements and confidentiality clauses
• Compliance with the Digital Personal Data Protection Act, 2023 is ensured

8. IT Infrastructure & Security Controls

• Firewalls, antivirus, and endpoint protection tools deployed
• Regular patching and system updates
• Encryption of data in transit and, where applicable, at rest

9. Acceptable Use

• Company systems must be used for authorized business purposes only
• Unauthorized software installation or data transfer is prohibited
• Employees must not share credentials or access rights

10. Incident Management

• Security incidents must be reported immediately to designated personnel
• Incidents are logged, investigated, and resolved promptly
• Corrective actions are implemented to prevent recurrence

11. Backup & Business Continuity

• Regular data backups are maintained
• Backup data is securely stored and periodically tested
• Business continuity measures are in place to ensure service availability

12. Training & Awareness

• Employees receive regular training on information security and data protection
• Awareness programs are conducted to reduce risks such as phishing and social engineering

13. Monitoring & Compliance

• Systems and access logs are monitored where appropriate
• Periodic internal reviews of security controls are conducted
• Non-compliance may result in disciplinary action

14. Continuous Improvement

The TactTree is committed to continuously improving its information security practices and evaluating certification readiness for standards such as ISO 27001.

15. Policy Review

This policy will be reviewed at least annually or upon significant changes in business operations or regulatory requirements.