Data Storage Policy

Homfinity recognizes the critical importance of data storage in ensuring the security, integrity, and availability of its information assets. This Data Storage Policy outlines the guidelines and procedures for the secure storage, retention, and disposal of data throughout its lifecycle.

1.1 Data Classification

  • All data shall be classified based on its sensitivity, criticality, and regulatory requirements.
  • Data classification levels include Confidential, Restricted, Internal, and Public.
  • The classification level determines the appropriate level of security controls and access restrictions applied to the data.

1.2 Data Storage Locations

  • Homfinity Enterprises uses AWS cloud servers based in India to store all its data.

1.3 Data Encryption

  • Confidential and Restricted data shall be encrypted at rest and in transit using industry-standard encryption algorithms.
  • Encryption keys shall be securely managed and stored separately from the encrypted data.
  • Encryption shall be applied to data stored on servers, databases, backup media, and portable devices.

1.4 KYC Data:

  1. Collected as required by law and only to the extent necessary for processing loans.
  2. Processed following stringent security measures to ensure data protection.
  3. Securely purged from our systems once processing is complete, following the defined data retention schedule, which includes:
    1. Verification that processing is complete.
    2. Secure deletion using industry-standard data erasure techniques.
    3. Documentation of the data deletion for compliance and auditing purposes.

1.5 Access Control

Homfinity employs a robust two-fold approach to manage security permissions and access controls across its applications, ensuring data protection at both the API and UI levels:

  1. Data Visibility Access Control: 
    1. Data visibility access controls govern the level of data that users can access based on their roles and responsibilities.
    2. Access to sensitive data is restricted to authorized personnel only, following the principle of least privilege.
    3. Data classification levels (Confidential, Restricted, Internal, and Public) determine the granularity of access controls applied to each data set.
    4. Role-based access control (RBAC) is implemented to ensure that users can only view and interact with data relevant to their job functions.
    5. Regular reviews and audits of data visibility access controls are conducted to maintain the integrity and confidentiality of stored data.
  2. User Operations Controls: 
    1. User operations controls govern the actions a user can perform on the data they have access to, based on their assigned permissions.
    2. Granular permissions are defined for each user role, specifying allowed operations such as view, create, update, or delete.
    3. Segregation of duties is enforced to prevent unauthorized modifications and maintain the integrity of data.
    4. Privileged operations, such as bulk data exports or system configuration changes, require additional approvals and are closely monitored.
    5. Access logs and audit trails are maintained to track user activities and detect any suspicious or unauthorized operations.
    6. Multi-factor authentication is implemented for critical operations to provide an additional layer of security.

1.6 Data Backup and Retention

  • Regular data backups shall be performed to ensure the recoverability of data in case of incidents or disasters.
  • Backup frequency and retention periods shall be determined based on the criticality of the data and regulatory requirements.
  • Backups shall be stored in secure, geographically dispersed locations to mitigate the risk of data loss.

1.7 Data Disposal

  • Data that has reached the end of its retention period or is no longer required shall be securely disposed of.
  • Disposal methods, such as secure deletion, overwriting, or physical destruction, shall be used based on the sensitivity of the data.
  • A record of data disposal activities shall be maintained for audit and compliance purposes.

1.8 Third-Party Data Storage

  • When using AWS servers or any other service provider's servers for data storage, due diligence shall be conducted to ensure that their security practices align with Homfinity's requirements.
  • Contractual agreements with AWS or any other third parties shall include provisions for data confidentiality, security, and audit rights.
  • Regular monitoring and audits shall be conducted to ensure that AWS and/or other third parties adhere to the agreed-upon security standards.

1.9 Incident Notification: 

Homfinity employees, agents, and consultants shall promptly report any data breaches, security incidents, or unauthorized access to Homfinity's data.

1.10 Vendor Management

Homfinity recognizes the importance of ensuring that its vendors and third-party service providers adhere to stringent data storage and security standards. To mitigate risks associated with vendor access to sensitive data, the following vendor management practices shall be implemented:

  1. Due Diligence: Prior to engaging with a vendor, a thorough due diligence process shall be conducted to assess their data storage practices, security controls, and compliance with relevant regulations and industry standards.
  2. Contractual Agreements: Contractual agreements with vendors shall include clear provisions regarding data storage, confidentiality, security responsibilities, and audit rights. The agreements shall specify the vendor's obligations to protect Homfinity's data and the consequences of any breaches or non-compliance.
  3. Access Control: Vendor access to Homfinity's data shall be restricted based on the principle of least privilege. Vendor personnel shall only be granted access to the specific data required to perform their contracted services. Access rights shall be regularly reviewed and revoked upon contract termination.
  4. Security Requirements: Vendors shall be required to implement and maintain robust security controls, including encryption, access controls, and monitoring, to protect Homfinity's data stored within their systems. 
  5. Data Localization: Vendors shall be required to store and process Homfinity's data within the specified geographic boundaries, in compliance with applicable data localization regulations.
  6. Monitoring and Audits: Homfinity shall conduct regular monitoring and audits of its vendors' data storage practices to ensure ongoing compliance with the agreed-upon security standards. Vendors shall cooperate with these audits and promptly address any identified vulnerabilities or non-conformances.
  7. Incident Notification: Vendors shall be contractually obligated to notify Homfinity promptly in the event of any data breaches, security incidents, or unauthorized access to Homfinity's data.
  8. Termination and Data Retrieval: Upon termination of the vendor contract, Homfinity shall ensure that all its data is securely retrieved from the vendor's systems and any remaining copies are securely destroyed. The vendor shall provide written confirmation of data deletion.

1.11 Compliance and Audit

  • Data storage practices shall comply with relevant laws, regulations, and industry standards, such as the Personal Data Protection Bill and RBI guidelines.
  • Regular internal and external audits shall be conducted to assess the effectiveness of data storage controls and identify areas for improvement.
  • Audit findings and recommendations shall be addressed in a timely manner to maintain the security and integrity of stored data.

2 Employee Training and Awareness

  • Homfinity plans to provide all employees with regular training on data storage policies, procedures, and best practices.
  • Awareness programs shall be conducted to educate employees about their responsibilities in handling and protecting stored data.

By adhering to this Data Storage Policy, Homfinity aims to safeguard its valuable data assets, maintain the trust of its customers and stakeholders, and ensure compliance with legal and regulatory requirements.