Version: 6.0

Preface

SGC Services P Ltd. (hereafter referred to as "SGC") Information Security Management System (ISMS) Team assumes responsibility for this document and updates it as required to meet the needs of users. The SGC ISMS Team welcomes and solicits feedback from users of this document and its reference artifacts so that future revisions of this document will reflect improvements, based on new technology, organizational best practices, and lessons learned. It will be maintained by the Chief Information Security Officer (CISO) and is subjected to review at a minimum on a yearly basis. This document forms part of ISMS Policy framework and as such, must be fully complied with. It states the steps SGC will take to limit the opportunity for information leakage by implementation of best practice, processes and procedures.

Document Revision History

Version	Date	Reviewed by	Approved by
1.0	September, 2018	CISO	Information Security Steering Committee
2.0	October, 2020	CISO	Information Security Steering Committee
3.0	November, 2021	CISO	Information Security Steering Committee
4.0	December, 2022	CISO	Information Security Steering Committee
5.0	November, 2023	CISO	Information Security Steering Committee
6.0	December, 2024	CISO	Information Security Steering Committee

Copyright

This document contains proprietary information of SGC. It may not be copied, transferred, shared in any form by any agency or personnel except for authorized internal distribution, unless expressly authorized by SGC Information Security Steering Committee in writing.

Document Distribution

The SGC Chief Information Security Officer (CISO) shall distribute this document to members of Information Security Steering Committee (hereafter referred to as ISSC) and The softcopy of the manual and related documents will be accessible to all employees in read-only mode through intranet. DPO-Rajesh Mittal The CISO will ensure that any update to ISMS is incorporated on the intranet server and is communicated to all employees through an appropriate mode such as e-mail.

Distribution List

Name	Acronym
Information Security Steering Committee	ISSC
Chief Information Security Officer	CISO
All employees and relevant external parties.	-
Data Protection Officer (DPO)	Rajesh Mittal

Conventions

The statements containing the words "shall" and "required to" in the document are mandatory rules. Failure to observe these rules may be construed as non-compliance to the policy. The statements containing the words "should" and "recommended" imply a desirable requirement. Failure to adhere to these rules may not be a direct non-compliance.

Table of Contents

Sr No	Contents
1	INTRODUCTION
2	PRIVACY POLICY
3	PRIVACY POLICY - APPLICABILITY
4	PERSONAL DATA PURPOSE AND COLLECTION
5	USE OF COOKIES
6	PURPOSE AND USE OF PERSONAL INFORMATION
7	PERSONAL INFORMATION STORAGE DURATION
8	PERSONAL INFORMATION SHARING
9	TECHNICAL CONTROLS ON PERSONAL INFORMATION MANAGEMENT
10	EXTERNAL OR THIRD PARTY REVIEWS
11	POLICY REVISIONS
12	FEEDBACK OR QUERIES ON PRIVACY

1.Introduction

Based on the requirement of ISO/IEC 27001:2013 this ISMS Policy serves as a management tool for SGC to fulfill the organization"s vision for information security

Non-compliance with this Policy could have a significant effect on the efficient operation of SGC and may result in financial loss and an inability to provide necessary services to our customers

The privacy policy is aligned to "Personal Data Protection" rights of Individuals. The policy may be referred to related Regulations, or as applicable to geographical location(s) where personal data is collected and processed.

SGC Service P Ltd (SGC) is a leading outsourcing company that provides comprehensive services related to payroll, retirement benefits management and all India legal compliance for labour and establishment related laws.

SGC provides services to customer as per contracted scope of services, terms and conditions. Technology is at forefront in providing efficient and effective delivery of services, whether from online web interfaces for employees / HR departments or through backend processes managed by well equipped and skilled resources deployed at SGC operation centres.

2.Privacy Policy

All personal information that is available with us is fully confidential. Information is not shared with anyone else. SGC never sell, trade, rent, or give personal information related to your employee's or individuals to any outsider or third party.

If any products are offered in conjunction with any partners, care is taken to ensure that the processes are controlled by us, so that no information is passed on to any third party.

Any information, if used at all, is presented in the form of aggregate statistics from which no relation either to companies or individuals can be logically drawn.

3.Privacy Policy - Applicability

This Privacy Policy applies to customers, their employees (or ex- employees) using our website, online solutions, batch or payroll processing.

The policy applies to the storage, management, communication, or processing of individual personal data during the functional flow of collection of data and delivery of payroll / HR and related services to our customers.

SGC is AICPA - SOC Type I and Type II attested company.

SGC manages data personal data in accordance to EU-GDPR, Personal data Protection Bill 2018 (proposed) and ITAct2000 of India.

4.Personal Data purpose and collection

"Personal information" means any information relating to an identified or identifiable individual. Examples of personal information may include, for example, your name, family details, email, cell, address, or related information.

Individual data is the information that our Customer provide for their employees / or you (employee) yourself, through online systems or provide through email to be used to process payroll or PF or ESI or compliance related data.

The data collected and processed by our online / offline solutions, processes and systems is in accordance with contractual terms of service with our customers, in accordance with SGC Information Security policies and procedures.

SGC business processes are fully automated and activity of all user personnel handling data is closely monitored for starting from data entry and up to generation of final reports. The SGC users who handle or manage data are allowed access on a Need to know basis as required in Technical and Operation process in delivery of services.

Personal data may also be any information visitors fill up in Contact us form on our website or through our feedback forms available online.

The web based submission process is fully automated and there is no human intervention in retrieving the data. Only in case of email query (only from registered email ID of the SGC) or voice response, the information is retrieved and sent back to requester with human intervention.

In addition date, time and certain additional information about a user"s browser and system or device configuration and capabilities for all visitors to our web sites is collected. The information is used for internal security audit logs, and to gather broad information about our audiences.

5.Use of cookies

Use of cookies is a data collection technology on our websites. A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don"t have to keep re-entering them whenever you come back to the site or browse from one page to another.

We use Cookies to:

• Identify users
• Remember users" custom preferences
• Help user"s complete tasks without having to re-enter information when browsing from one page to another or when visiting the site later.

6.Purpose and use of personal information

Personal information is used to:

• Provide and administer Payroll / HR and related services;
• Contact you and answer your questions;
• Market and advertise our products and services to you;
• Keep our systems, users, employees and services safe;
• Provide you with the information or support you requested.

7.Personal information storage duration

Personal information storage duration is in according to contractual agreements with our customer / or until required by the law enforcement agencies as the case may be.

The personal data collected is processed as per lawful collection and processing. The criteria we use to determine the period of time for which your personal information may be kept include:

The personal data collected is processed as per lawful collection and processing. The criteria we use to determine the period of time for which your personal information may be kept include:

• The nature and type of personal information that you provide to us;
• The purpose for which you provide your personal information to us;
• Necessary business and operational requirements to continue to supply you with the services or functionality you have requested
• We may retain your information for a longer time period, if we are required to do so by law.
• Data destruction / deletion of personal data is as per contractual terms of customers or at request in case of termination / end of contracted services.

8.Personal information Sharing

SGC may disclose personal information about you to third parties, including:

• Within the services team of SGC;
• To vendors that work on our behalf;
• To law enforcement when we have a good-faith belief that it is necessary to comply with a court order, ongoing judicial proceeding or other legal process served on us;
• To exercise our legal rights or defend against legal claims;
• To protect human safety or our networks or property, or as part of a sale or merger of our company or business assets.

SGC processes and manages information on infrastructure and networks within India only, with no cross border movement of personal data.

SGC may retain personal information for a longer time period, if we are required to do so by law.

9.Technical Controls on Personal Information management.

SGC has up-to-date Information Security policies and procedures.

SGC collects, store, and process information on servers at our own secure Data Centre. We will take steps to ensure Confidentiality and Privacy of ALL our customer data, any personal information through adequate technical and management security controls including encryption at storage / transit as needed.

SGC has enabled secure networks on our online services (Https / VPN), security within our Private network through adequate means including servers, firewalls, IDS/IPS, other available mechanisms.

SGC has enabled logs, audit trails, time stamps as feasible across systems and process.

10.External or Third party reviews

At SGC, the information security controls undergo periodic reviews to upgrade the security, technical operations controls, policies as per changing cyber risks.

External audits by SOC Auditors, IS Auditors, Vulnerability assessments (for Network / Applications) is conducted on an annual basis or earlier in case of any major changes at organization or system level.

SGC is provides "Right to Audit" to its clients to conduct external reviews or assess the maturity of personal data protection and cyber security controls of the related process as per contractual terms with the customer.

The right to audit can be invoked post a formal request and approval shall be subject to allocation of feasible time schedule and access to systems without affecting operation of security aspects of other customers being services by SGC.

11.Policy Revisions

SGC shall constantly work to develop and enhance our services. We may also change our practices over time as our business and technology evolve, and this may involve changes to the ways in which we collect, process and use your information. As a result, we may amend this Privacy Policy from time to time or at least once a year.

12.Feedback or queries on Privacy

For questions regarding this Privacy Policy, practices of our online solutions, or any other privacy issue, please email to privacy@sgcservices.com