PRIVACY AND SECURITY POLICY
DEFINITIONS
“Client Data” means and includes (i) any proof of compliance such as scanned copies of forms, internal memos, statutory documents, reports, filings, applications, notices, etc. uploaded by you through the Portal (defined below); and (ii) Password.
“Lexplosion” shall mean and include Lexplosion Solutions Private Limited, its authorized employees, and affiliates.
“Processing” shall mean and include any operation or set of operations which is performed upon Client Data, such as alteration, retrieval, disclosure, dissemination, blocking, erasure or destruction.
“Password” shall mean the password used by You (defined below) to access the Komrisk portal.
“Portal” shall mean the web portal which is to be used to access Komrisk.
“Third Party Vendors” shall mean and include any third party vendor and hosting partner of Lexplosion engaged in developing, managing, maintaining and hosting the Portal where Client Data is stored.
“You” means and includes any person such as a natural person, company, organization or legal entity, submitting information, in the capacity of a client or customer, to Lexplosion.
BACKGROUND
Lexplosion respects the privacy rights of its users and is strongly committed to protecting their privacy. This privacy policy applies to Client Data submitted by You through the Komrisk application and identified in writing as confidential. It does not apply to any other products or services or to information collected in any other way (whether offline or online), by Lexplosion, its affiliates or representatives.
DATA WE COLLECT
Lexplosion or Third Party Vendors receive Client Data as and when it is uploaded by You, through the Portal, into the servers of Lexplosion or Third Party Vendors.
HOW WE USE AND DISCLOSE YOUR DATA
Lexplosion and the Third Party Vendors shall have the right to access the Client Data. Such right shall, however, be exercised by Lexplosion and/or the Third Party Vendors only to process your requests for technical assistance and/or to provide You with any Client Data that you may request.
Lexplosion and Third Party Vendors shall not share Client Data with any other party under any circumstances, except upon express written instruction by You. This restriction shall, however, not apply to the transfer of the Client Data from one server of Lexplosion to another either within or outside the country or the transfer from Lexplosion’s server to the server of Third Party Vendors or vice versa or the transfer from the server of one Third Party Vendor to the server of another Third Party Vendor within or outside the country. Lexplosion however shall ensure that the Third Party Vendors in whose server the Client Data is stored shall not have access to such data. Although Lexplosion owns all rights to the software, code, databases, and other applications related to providing of services, You retain all rights to the Client Data.
EXCEPTIONS TO NON-DISCLOSURE OF CLIENT DATA
Lexplosion may disclose Client Data to unaffiliated third parties if it believes in good faith that such disclosure is necessary (i) pursuant to law, regulatory requirements or the order of any court or governmental authority or (ii) in order to comply with or avoid violation of any request by a regulatory authority. Lexplosion shall, however, give prompt notice to You of such order so that You may (1) interpose an objection to such disclosure, (2) take action to assure confidential handling of the Client Data or (3) take such other action as it deems appropriate to protect the Client Data, unless prohibited by law from doing so.
ACCURACY AND SECURITY OF CLIENT DATA
Any Client Data collected by/shared with Lexplosion shall be kept on secure servers. Lexplosion uses all reasonable administrative, technical, personnel, and physical measures to protect Client Data on such servers. The servers on which information is stored are kept in a controlled environment with limited access.
Lexplosion and the Third Party Vendors have implemented technical and organizational measures to ensure the security and confidentiality of Client Data in order to prevent, among other things, accidental, unauthorized or unlawful Processing of Client Data. The security measures taken are in compliance with applicable data protection regulations and shall be adapted to the risks presented and the nature of the Client Data to be Processed, having regard to the state of the art and the cost of implementation.
The technical and organizational measures to ensure the security and confidentiality which have been implemented by Lexplosion and the Third Party Vendors are contained in the “Information Security Policy” (attachment below).
While we take reasonable efforts to guard information we knowingly collect directly from you, no security system is impenetrable.
YOUR CONSENT
By using Komrisk and uploading Client Data, You consent to the collection, possession, storage, handling and use of the Client Data as stated herein.
You shall also communicate Your consent in writing through letter or fax or email regarding the purpose of usage before You upload Client Data on the Portal.
NAME AND ADDRESS OF THE ENTITY COLLECTING AND RETAINING YOUR INFORMATION
Name and address of the entity collecting and retaining Your Client Data shall be as stated below:
Name and address of the entity collecting Your Client Data -
Name and address of the entity retaining Your Client Data -
Grievance Officer:
In accordance with the Information Technology Act 2000 and rules made thereunder, the name and contact details of the grievance officer are published on the Portal for redressing Your grievances regarding Client Data.
TRANSFER OF CLIENT DATA
Some of the uses and disclosures mentioned in this privacy policy may involve the transfer of Client Data within as well as outside India from one server to another, whether owned by Lexplosion or Third Party Vendors, only for the purpose of storage. It should be noted in this connection that different jurisdictions may have different requirements of privacy of data. By submitting Client Data through the Portal, you consent to such transfers and compliance with data privacy requirements.
MODIFICATIONS TO THIS PRIVACY POLICY
If Lexplosion decides to change this privacy policy, it will post those changes on this page so that You are always aware of how Lexplosion uses Client Data and under what circumstances it can be disclosed. Any changes to the privacy policy will be communicated through the Portal at least 10 days in advance of implementation.
LINKS TO OTHER THIRD PARTY SOFTWARE
The Portal has a link to a web-form (“Customer Support Centre”), which is hosted by Third Party Vendors, for collecting information related to issues encountered by You during usage of Komrisk (known as “User Cases”). If you generate User Cases using the Customer Support Centre, you agree to submit User Case related information to such Third Party Vendors who will use the logged data to assign the User Case to the authorized support agents for resolution. You hereby acknowledge that such transmission of information is not a breach of any terms and conditions of this Privacy Policy.
QUESTIONS REGARDING THIS PRIVACY POLICY
If you have questions regarding this privacy policy, please contact us at Komrisk@lexplosion.in.
RETURN OF CONFIDENTIAL INFORMATION
Upon termination of this privacy policy, or upon Your earlier request, Lexplosion shall promptly deliver to You all Client Data and shall purge any such Client Data from all computer and other data storage systems within 45 days of termination or request, and certify to You in writing that it has done so; provided, however, that Lexplosion shall not be required to return or purge any Client Data that it is required to retain pursuant to law or regulatory requirements.
VALIDITY
This privacy policy shall be valid for the entire duration during which You store Client Data using the Portal, unless modified by a subsequent privacy policy.
LEXPLOSION INFORMATION SECURITY POLICY
SECURITY CONTROL MEASURES FOR PROTECTION OF CLIENT DATA:
Introduction
Lexplosion recognizes that protection of Client Data requires close cooperation between Lexplosion and Third Party Vendors. This document outlines Lexplosion’s security policies designed to safeguard Client Data from unauthorized or accidental Processing.
Capitalized terms used anywhere in this document and not being defined therein shall have the meaning attributed to them under the ‘Privacy Policy’ or ‘Terms and Conditions of Service’.
Scope
This policy addresses the statutory requirement to implement such security practices and standards and have a comprehensive documented information security program and information security policies that contain managerial, technical, operational and physical security control measures that are commensurate with the information assets being protected with the nature of business.
The measures that have been taken by Lexplosion either directly or through its Third Party Vendors have been documented below under four broad categories: Managerial, Technical, Operational and Physical.
Managerial
Lexplosion and Third Party Vendors’ servers used for storing Client Data are protected from unauthorized access by hardware firewalls. Lexplosion and Third Party Vendors use authorization management software and role based access within the virtualization layer to provide security to Client Data.
Operating Systems on the parent hardware are installed only with core components. This provides the smallest attack surface and reduces the number of patches and updates and greatly mitigates restarts required for maintenance. Additionally, all virtual machines are patched with the latest security updates.
Backups of Client Data are taken electronically, online, using new technology that compresses Client Data to 40-60%, overcoats it with security features, then encrypts it with a key and finally stores it in a secure, remote electronic data vault.
Lexplosion or Third Party Vendors in the course of providing Services, will not share, sell or rent the Client Data to third parties. Lexplosion and Third Party Vendors may access Client Data only for the purpose of providing the Services, preventing or addressing technical problems, at Client’s request or as may be required by law.
Technical
The Client Data of every Client is segregated and stored in a separate database schema to avoid data interference and infringement. User identities and Passwords are stored in the Client specific database. To protect the Passwords, they are stored using the SHA-256 hashing algorithm. All files uploaded by the Client as part of their tasks are stored in Client specific folders and encrypted.
Komrisk uses cookies to assist in delivering the Services and for security purposes. Cookies are files created on the Client’s web browser from a web server and stored on the Client’s computer hard drive. These cookies do not allow Lexplosion or the Third Party Vendors to collect personally identifiable information about the Client. They disappear from the Client’s computer after 14 days.
Operational
Komrisk uses the Client’s email identity, with which You have been registered in the application, for authentication. Lexplosion and Third Party Vendors also collect Client information like First name, Last name, Workplace phone number or Mobile number. Komrisk uses this contact information to send information, alerts and reminders for compliance actionables. All information entered by the Client is protected using SSL (Secure Sockets Layer) encryption to prevent it from being intercepted by anyone else as it is transferred over the internet. We use the Client’s unique network address (IP address) for security and audit purposes. The Client’s IP address will not be used by Lexplosion and Third Party Vendors or released to any unauthorized third party except in the case of security breaches, inappropriate behaviour as highlighted by the Client representative or fraudulent transactions.
Lexplosion and Third Party Vendors preserve the content of any e-mail received from the Client, if there is a legal requirement to do so. Email messages as part of customer support may be stored and monitored by our employees for security issues, including where e-mail abuse is suspected. Responses to the Client may be monitored for quality assurance issues.
Physical
Data centers of Lexplosion and Third Party Vendors are staffed with trained security guards 24*7*365, providing on-site incident management and protection to mission-critical internet operations. Visitors are screened upon entry to verify their identity and escorted to their appropriate locations. All access history is recorded for audit purposes.
In addition to the presence of the security guards, the entries and exits of the facilities are fitted with access control devices. The main entrance is protected by a biometric access device, which maps and verifies the bone structure of a person's hand. The facilities have a mantrap designed to ensure that no unwarranted entry/exit can be made to/from the facilities. All areas are protected with proximity card readers, ensuring that only authorized personnel are allowed in.
Lexplosion and Third Party Vendor facilities are monitored and recorded using video cameras, the images from which are continually scanned by their security guards. Lexplosion and Third Party Vendors also maintain a 30-day hard disk based record of the videos in the event of unprecedented mishaps.