Last Updated: February 20, 2025
These Information Security Standards ("Information Security Standards") describe the technical and organizational measures implemented by UnleashX to ensure an appropriate level of security for its Services in accordance with Indian information security requirements including the Information Technology Act, 2000, Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws and regulations. The Information Security Standards are incorporated into and form a part of the agreement between the organization agreeing to them ("Customer") and UnleashX Labs ("UnleashX.AI") (Customer and UnleashX.AI each, a "party" and collectively, the "parties") governing the use of UnleashX.AI's products and services (the "Service Terms") as set forth in one or more order forms, online purchase confirmations, or other ordering documents entered into by the parties (each, an "Order Form"). Notwithstanding anything to the contrary, these Information Security Standards shall take effect only if and when they are explicitly incorporated by reference into the Service Terms or an Order Form duly executed by the parties. In the event that the requirement in the preceding sentence is not met, then the terms and conditions set forth in these Information Security Standards shall not apply and shall not have binding effect on the parties. Any capitalized term used but not defined in these Information Security Standards has the meaning set forth (for such capitalized term or its substantive equivalent) in the Service Terms. In the event of a conflict between these Information Security Standards and the Service Terms, these Information Security Standards will apply.
ACCESS CONTROLS
Control Measures
UnleashX has implemented reasonable system access controls and physical access controls designed to limit access based on authorization and prevent personnel and others who should not have access from obtaining access to UnleashX systems housing Customer Data.
System Access Controls
UnleashX's system access control measures include the following:
restricting unauthorized users from accessing information not needed for their roles through role-based user access, and using "least privilege" principles;
unique user accounts identifiable to individual users, password requirements, and two-factor authentication;
provisioning and removal of employee access to Customer Data when access is no longer required; and
periodic access reviews to ensure that only UnleashX personnel who still require access to Customer Data have such access.
Physical Access Controls
UnleashX utilizes cloud hosting infrastructure provided by reputable cloud service providers in India for the Services. All physical security controls are managed by the cloud hosting provider. Quarterly, UnleashX reviews the applicable security and compliance reports of its cloud hosting provider to ensure appropriate physical security controls, which include:
use of data centers located in India with physical and environmental controls appropriate to the risk for Customer Data and for the equipment, assets, or facilities used to hold and process such Customer Data (e.g., use of key card access controls and security guard monitoring); and
use of data centers with 24/7 security protection, automatic fire detection and suppression, fully redundant power systems, and other reasonable environmental controls.
OPERATIONS MANAGEMENT AND NETWORK SECURITY
UnleashX establishes and maintains reasonable operations management and network security measures, including:
network segmentation based on the label or classification level of the information stored;
protection of servers and web applications using restrictive firewalls;
regular review, testing, and installation of security updates and patches to servers; and
implementation of intrusion prevention systems and security information and event management (SIEM) solutions.
CHANGE MANAGEMENT
Change and Release Management
UnleashX maintains a formal change and release management policy and procedure for software, system, and configuration changes. Such policies and procedures include:
a process for testing and approving promotion of changes into production;
a process for performing security assessments of changes into production; and
maintaining proper documentation of all changes as required by Indian regulations.
Secure Application Development
UnleashX follows secure application development policies, procedures, and standards that are aligned to industry-standard practices, such as the OWASP Top 10 and guidelines recommended by CERT-In (Indian Computer Emergency Response Team).
Development Training
UnleashX.AI provides role-based secure code development training covering secure application development, configuration, testing, and deployment. All development personnel undergo regular training on secure coding practices and awareness of Indian data protection requirements.
DATA ENCRYPTION AND DELETION
UnleashX.AI establishes and maintains reasonable data encryption and deletion practices, including:
encryption of Customer Data while at rest using industry best practice encryption standards and methods that comply with requirements set forth by CERT-In;
encryption of Customer Data while in transit using industry standard encryption methods designed to encrypt communications between its server(s) and customer browser(s);
use of cryptographic controls and approved algorithms for information protection within the service environment based on UnleashX's company policies and standards;
encryption of employee workstations with full disk encryption, strong passwords, and screen lockout; and
maintenance of policies and procedures regarding the deletion of Customer Data in accordance with applicable Indian laws and guidelines from the Ministry of Electronics and Information Technology (MeitY).
SUB-PROCESSORS
UnleashX uses certain sub-processors to assist UnleashX in providing the Services. Prior to engaging any sub-processor who has access to, potentially will have access to, or processes Customer Data, UnleashX conducts an assessment of the security and privacy practices of the sub-processor to ensure they are commensurate with the level of data access the sub-processor will have and the scope of the services it will provide. UnleashX then enters into a written agreement with the sub-processor containing privacy, data protection, and data security obligations that ensure a level of protection appropriate to the sub-processor's processing activities and in compliance with Indian regulations. UnleashX performs quarterly reviews of its sub-processors to ensure that compliance and security standards are maintained and material changes to processes are reviewed. All sub-processors handling sensitive personal data are required to maintain appropriate security measures as prescribed under Indian law.
SYSTEM MONITORING AND VULNERABILITY MANAGEMENT
UnleashX regularly monitors its production environment for unauthorized intrusions, vulnerabilities, and the like. UnleashX's system monitoring measures include the following:
use of intrusion detection methods to prevent and identify potential security attacks from users outside the boundaries of the system;
performance of automated application and infrastructure vulnerability scans to identify vulnerabilities, classification of vulnerabilities using industry standards, and remediation of vulnerabilities based on severity level;
quarterly third-party penetration testing (an executive summary can be provided upon request);
quarterly risk assessments and continuous monitoring of UnleashX's risk register;
periodic third-party security audits, such as ISO 27001 audits;
monitoring, logging, and reporting on critical or suspicious activities with regard to network devices, including retention of logs for forensic-related analysis, maintenance of audit logs that record and examine activity within UnleashX's production environment, backup of logs in real time, and implementation of controls to prevent modification or tampering of logs;
operation of a "bug bounty" program to identify potential security vulnerabilities;
deployment of anti-virus and malware tools to detect and remediate harmful code or programs that can negatively impact the Services; and
collaboration with CERT-In for threat intelligence and responding to security advisories.
PERSONNEL CONTROLS
UnleashX uses reasonable efforts to ensure the continued reliability of UnleashX employees who have access to Customer Data by implementing the following measures:
conducting background checks, subject to applicable Indian laws, on all employees who may access Customer Data;
requiring employees to complete new-hire security training and acknowledge UnleashX's information security policies, including but not limited to UnleashX's Code of Conduct and Acceptable Use of Technology Resources Policy, upon hire;
requiring employees to complete quarterly privacy and security training covering topics that address their obligations to protect Customer Data as well as privacy and security best practices in accordance with Indian regulatory requirements;
instructing employees to report potential personal data breaches to the Security team as well as to the designated Data Protection Officer; and
imposing discipline for material violations of UnleashX's information security policies.
BACKUPS, BUSINESS CONTINUITY, AND DISASTER RECOVERY
Backups
UnleashX maintains a policy and procedure for performing backups of Customer Data. All backup data is stored within India and subject to the same security controls as primary data.
Business Continuity Program
UnleashX maintains a reasonable business continuity program, including a disaster recovery plan, designed to minimize disruption to the Services. The plans are tested quarterly and the process is amended, as needed. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) are established in accordance with the requirements of the Department of Telecommunications and CERT-In guidelines.
CERTIFICATION AUDIT REVIEW
Upon Customer's written request (email to suffice), UnleashX will provide to Customer for review a copy of UnleashX's most recent annual ISO 27001 certificate and audit results, along with documentation demonstrating compliance with applicable Indian regulations including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
DATA LOCALIZATION AND CROSS-BORDER TRANSFERS
UnleashX ensures that all Customer Data, particularly sensitive personal data or information as defined under Indian law, is stored and processed on servers physically located within India. Any cross-border transfer of data, if required, shall only be conducted with the explicit consent of the Customer and in accordance with applicable Indian laws and regulations.
SECURITY INCIDENT MANAGEMENT
UnleashX maintains a comprehensive security incident management process that includes:
documented procedures for identifying, reporting, managing, and resolving security incidents;
notification to Customers of security incidents that impact their data within 24 hours of discovery;
reporting of cyber security incidents to CERT-In within the timeframes prescribed by Indian regulations;
maintaining detailed logs of all security incidents for a minimum period of 5 years; and
conducting post-incident reviews to implement process improvements.
COMPLIANCE WITH INDIAN REGULATIONS
UnleashX has appointed a Data Protection Officer responsible for ensuring compliance with Indian data protection laws. Additionally, UnleashX conducts periodic compliance assessments to ensure adherence to:
Information Technology Act, 2000 and its amendments;
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
Guidelines issued by CERT-In and other relevant government agencies;
Applicable sector-specific regulations (if any); and
Digital Personal Data Protection Act (upon enforcement).
MODIFICATIONS
Notwithstanding anything to the contrary in the Service Terms, UnleashX may modify or update these Information Security Standards from time to time, and so Customer should review this page periodically. In such cases, UnleashX will update the 'Last Updated' date at the top of this page. If the changes would materially reduce the level of security provided under these Information Security Standards, UnleashX will provide Customer with email notice of the changes at least thirty (30) days before they go into effect. Customer's continued use of the Services after any change to these Information Security Standards becomes effective constitutes Customer's acceptance of the new Information Security Standards. If Customer does not agree to any part of these Information Security Standards or any future Information Security Standards, Customer should not use or access (or continue to use or access) the Services. Any changes to these Information Security Standards will be made in compliance with applicable Indian laws and regulations.