Data Security & Compliance

Last Updated: 27-11-2025

Kepto Fintech Pvt. Ltd.

1. Introduction

This Data Security & Compliance Policy outlines the principles, procedures, and controls adopted by Kepto Fintech Pvt. Ltd. (“Company”, “We”, “Our”) to ensure the confidentiality, integrity, and availability of all customer, partner, merchant, and system data processed through our platforms.

The policy adheres to:

  • Information Technology Act, 2000
  • RBI Cyber Security Framework & Digital Payment Security Controls
  • NPCI BBPS Security Standards
  • ISO 27001 Information Security Guidelines (best practices)
  • CERT-In security advisories
  • Data Protection Bill, 2023 (India)
  • Industry-standard encryption & privacy frameworks

This document affirms our commitment to maintaining a secure, compliant, and trustworthy digital environment.

2. Purpose

The purpose of this policy is to:
- Protect sensitive and financial data from unauthorized access or misuse
- Ensure compliance with applicable laws and regulatory directives
- Establish robust security practices for data storage, management, and transmission
- Provide guidelines for internal staff, partners, vendors, and customers
- Maintain high standards of cybersecurity and risk mitigation

3. Scope

This policy applies to:
- All systems, servers, platforms, and networks owned or operated by Kepto Fintech
- All employees, contractors, vendors, and third-party partners
- Customers, merchants, and API integrators
- BBPS operations, CRM systems, payment solutions, and invoicing software
- All data stored, processed, or transmitted through our technology infrastructure

4. Data Classification

Kepto Fintech classifies data into the following categories:

4.1 Public Data

General information available on the website or marketing material.

4.2 Internal Data

Operational documents, internal communications, and non-public company files.

4.3 Confidential Data

Partner contracts, merchant agreements, operational metrics, internal codes.

4.4 Sensitive Personal Data / Financial Data

Handled with the highest security measures; this category includes KYC documents, Aadhaar/PAN details, financial information, payment transaction logs, BBPS consumer data, and encrypted login credentials.

5. Data Collection & Usage

We collect only data that is essential for providing fintech services, including:
- Customer verification (KYC)
- Bill payments, settlements & receipts via BBPS
- API-based merchant payments
- Invoicing and CRM operations
- Compliance & audit obligations
- Fraud detection and risk monitoring

No unnecessary or excessive data is collected.

6. Data Storage & Encryption

To ensure maximum protection:
- All sensitive data is encrypted in transit (TLS 1.2/1.3) and at rest (AES-256)
- Passwords and sensitive credentials are hashed using industry-standard hashing algorithms
- Databases are hosted in secure Tier-3 & Tier-4 compliant data centers
- Access to production data is strictly controlled and audited
- We do not store full card data, CVV, or other prohibited financial information (PCI-DSS compliance)

7. Access Control & Authorization

Access is granted based on the principle of least privilege (PoLP), enforced through:
- Role-based access control (RBAC)
- Multi-factor authentication for internal systems
- Periodic access review & revocation
- Audit logging for every access attempt
- VPN enforcement for administrative tasks

Unauthorized access attempts are automatically flagged and blocked.

8. Network & Application Security

Kepto Fintech follows multi-layered cyber defense practices:
- Firewalls, WAF (Web Application Firewall), and IDS/IPS
- Regular VAPT (Vulnerability Assessment & Penetration Testing)
- Continuous monitoring for threats and anomalies
- Secure coding practices (OWASP Top 10 standards)
- Malware, ransomware & phishing protection
- Data loss prevention systems (DLP)

9. Third-Party & Vendor Compliance

All third-party service providers (payment gateways, hosting partners, API vendors) must adhere to applicable Indian cybersecurity regulations, NPCI/RBI security norms, and contractual confidentiality requirements. Vendors failing to meet compliance standards may be terminated immediately.

10. Incident Response & Breach Handling

Kepto Fintech maintains a structured Incident Response Plan (IRP).

10.1 Detection & Reporting: Any suspected breach or anomaly is immediately escalated to the internal security team.

10.2 Containment: Rapid isolation of affected systems to minimize impact.

10.3 Investigation & Assessment: Technical analysis to determine the breach source and affected data.

10.4 Notification: Users, partners, and authorities are informed as required under Indian law.

10.5 Remediation: Implementation of fixes, patches, and preventive updates.

11. Data Retention & Deletion

In accordance with PMLA & RBI guidelines:
- KYC data is retained for a minimum of 5 years
- Transaction logs (BBPS, CRM, APIs) are retained as per regulatory norms
- Users may request deletion of non-regulatory data
- Secure deletion protocols ensure irreversible removal

12. Employee Training & Security Awareness

All employees receive mandatory training on cybersecurity best practices, fraud identification, KYC/AML/CFT regulations, data handling standards, and privacy obligations. Periodic assessments ensure adherence.

13. Compliance & Regulatory Obligations

Kepto Fintech is committed to full compliance with:
- RBI Master Directions on KYC & Digital Payments
- NPCI BBPS Guidelines
- Data Protection Bill, 2023
- PMLA and FIU-IND reporting norms
- IT Act, 2000 and CERT-In directives

We conduct periodic internal and external audits to ensure adherence.

14. User Responsibilities

Users and merchants must:
- Provide accurate and valid information
- Not misuse the platform for fraud or unauthorized access
- Maintain confidentiality of login credentials
- Report suspicious activity immediately

15. Policy Review & Update

This policy is reviewed annually or whenever new regulatory norms are introduced. Revised versions will be published on the company website.

16. Contact & Escalation

For any data security or compliance-related concerns:

Kepto Fintech Pvt. Ltd.
501, Business Bay Tower, Andheri East, Mumbai – 400059, Maharashtra, India
Email: compliance@keptofintech.com
Phone: 6377605341

Website: www.keptofintech.com
© KEPTO FINTECH PVT. LTD — ALL RIGHTS RESERVED.