Data Security Policy

Version: 1.0 · Effective: March 24, 2026 · Hosting: AWS Mumbai

1. Security Overview

GoNexel employs a defence-in-depth approach to data security, combining multiple layers of protection — encryption, access controls, network security, monitoring, and incident response — to safeguard client data and business operations.

Security-First Culture

Security is embedded in every layer of our operations — from infrastructure to employee training. We follow industry best practices and pursue ISO 27001 certification (expected 2026).

2. Encryption Standards

Data State         Standard           Protocol
Data in Transit    SSL/TLS 1.2+       HTTPS enforced on all endpoints
Data at Rest       AES-256            Full-disk and database encryption
Key Encryption     RSA-2048           AWS KMS for key management
Backups            AES-256            Encrypted before transfer and storage
Passwords          bcrypt with salt   Industry-standard hashing

3. Access Controls

3.1 Role-Based Access Control (RBAC)

  • Principle of Least Privilege: Employees are granted minimum access necessary for their role
  • Role Definitions: Owner → Admin → Manager → Developer → Support → Read-Only
  • Access Reviews: Quarterly reviews of all access permissions
  • Immediate Revocation: Access revoked within 24 hours of role change or termination

3.2 Authentication

  • Multi-Factor Authentication (MFA): Required for all administrative access
  • Password Policy: Minimum 12 characters, complexity requirements, 90-day rotation
  • Session Management: Automatic timeout after 30 minutes of inactivity
  • API Access: Secured with API keys, OAuth 2.0, JWT tokens

4. Infrastructure Security

4.1 Cloud Infrastructure

  • Hosting: AWS Mumbai region (ap-south-1), India
  • Firewall: AWS Security Groups and WAF (Web Application Firewall)
  • DDoS Protection: Cloudflare and AWS Shield
  • Network Segmentation: VPC isolation between environments (production, staging, development)
  • Geo-Compliance: Primary data residency in India, compliant with Indian data protection laws

4.2 Network Security

  • IDS/IPS: Intrusion detection and prevention systems active 24/7
  • Logging: All access and events logged and retained for 90 days
  • Monitoring: 24/7 automated monitoring with real-time alerting

5. Vulnerability Management

Activity               Frequency          Scope
Automated Scanning     Weekly             All production systems
Penetration Testing    Annually           Full infrastructure and applications
Code Review            Every deployment   All application code
Dependency Audit       Monthly            All third-party libraries and packages
Security Patches       Within 48 hours    Critical patches applied immediately

6. Incident Response

6.1 Response Process

  1. Detection: Monitoring systems, employee reports, or client notification
  2. Classification: Severity assessment (Critical / High / Medium / Low)
  3. Containment: Isolate affected systems to prevent spread
  4. Investigation: Root cause analysis by the security team
  5. Remediation: Implement fixes, patch vulnerabilities, restore services
  6. Notification: Inform affected clients, authorities, and stakeholders
  7. Post-Incident Review: Lessons learned and preventive measures documented

6.2 Notification Timelines

Breach Notification

Clients: Within 24 hours of confirmed breach, via email to registered contact.
EU Authorities: Within 72 hours as required by GDPR.
Indian Authorities: As required under applicable Indian data protection laws.

7. Backup & Disaster Recovery

  • Backup Frequency: Daily automated backups (incremental); weekly full backups
  • Storage: Geographically distributed across multiple AWS availability zones
  • Encryption: All backups encrypted with AES-256 before transfer
  • Retention: Minimum 90 days of backup history
  • Recovery Time Objective (RTO): 24 hours
  • Recovery Point Objective (RPO): 24 hours
  • Testing: Quarterly disaster recovery drills with documented outcomes

8. Compliance & Certifications

Framework    Status        Details
ISO 27001    In Progress   Expected certification by end of 2026
PCI DSS      Compliant     Payment card data handled by certified payment processors
GDPR         Compliant     Full compliance for EU customers. See GDPR Policy
CCPA         Compliant     California Consumer Privacy Act compliance
SOC 2        Planned       Planned for 2027

9. Employee Security

  • Background Checks: All employees undergo background verification before onboarding
  • NDA: All employees sign non-disclosure agreements
  • Security Training: Mandatory annual security awareness training
  • Phishing Tests: Regular simulated phishing exercises
  • Secure Development: Developers trained in OWASP Top 10 and secure coding practices
  • Offboarding: All access revoked, devices wiped, within 24 hours of termination

10. Client Responsibilities

  • Use strong, unique passwords and enable MFA
  • Keep software, plugins, and integrations updated
  • Report suspected security incidents immediately
  • Do not share access credentials with unauthorised parties
  • Follow secure coding practices for any custom integrations
  • Comply with GoNexel's Acceptable Use Policy

11. Contact

Security Questions or Incident Reports?

GoNexel Security Team
Email: info@gonexel.com
Subject: "Security Inquiry" or "Security Incident"
Response: Within 4 hours for security incidents
Support Hours: Mon–Fri, 9 AM – 6 PM IST (24/7 for critical incidents)