Information Security Policy
Effective Date: 1st March, 2025
Introduction
SellerG App ("Company") maintains robust information security standards to protect the confidentiality, integrity, and availability of information assets. This document outlines the internal controls, practices, and principles in adherence to applicable security standards.
Scope
This policy applies to employees, contractors, and partners of the Company, and it complements the Company's Privacy Policy and Terms of Use.
1. Information Security Risk Management
The Company performs periodic, documented security risk assessments. Findings will guide prioritization of resources for risk mitigation. However, the Company explicitly states that risk assessment is inherently subjective and cannot guarantee the prevention of all security risks.
2. Information Classification and Handling
Information is classified as Public, Internal, Confidential, or Highly Confidential. Personnel must handle and protect data according to its classification. The Company expressly disclaims liability for employee non-compliance with classification standards.
3. Mobile Device Policy
Employees accessing Company resources from mobile devices must adhere to minimum security configurations, including encryption, remote wipe capabilities, and secure access methods. However, responsibility for personal devices remains solely with the device owners.
4. Software and Hardware Asset Management
The Company maintains an asset inventory to track software and hardware assets. Because inventory accuracy depends on employee compliance with reporting procedures, the Company cannot guarantee that inventories are complete and accurate at all times.
5. Threat and Vulnerability Management
Routine vulnerability scanning and patch management procedures are followed. Nevertheless, the dynamic nature of threats precludes absolute security assurances.
6. Privileged Account Management
Privileged access is strictly controlled through dedicated accounts, approval processes, and periodic reviews. Misuse of privileged accounts by authorized personnel does not impose liability upon the Company.
7. System Hardening and Baseline
Standard baseline configurations for operating systems and applications are documented and implemented wherever practical. Variations due to operational requirements are possible, and absolute compliance cannot always be assured.
8. System Logging/Monitoring
Systems and infrastructure maintain event logs to assist security investigations. Logs are reviewed periodically, but the Company does not guarantee continuous real-time monitoring or detection of all incidents.
9. Anti-virus and Malware Controls
Anti-virus and anti-malware software is deployed and maintained; however, evolving malware threats mean absolute protection is not achievable or promised.
10. Patch Management
Regular patch management procedures are implemented. However, compatibility, operational considerations, and external dependencies may delay patch application, and the Company does not accept absolute liability for such delays.
11. Secure Software Development Life Cycle (SDLC)
The Company incorporates secure development practices in its software lifecycle. Despite reasonable precautions, software vulnerabilities may emerge, and absolute security is neither implied nor guaranteed.
12. Cryptography
Encryption standards are applied for sensitive data in transit and at rest. The Company explicitly disclaims liability for breaches due to cryptographic technology flaws outside its reasonable control.
13. Physical Security Policy
Physical security measures restrict unauthorized facility access. Liability for breaches caused by circumstances beyond reasonable control, including third-party acts, is explicitly excluded.
14. Access Management Policy (Physical and Logical)
Access controls require appropriate authorization. The Company disclaims liability for unauthorized access resulting from employees' or contractors' misconduct or negligence.
15. Restriction of Unauthorized Software
Employees are prohibited from installing unauthorized software. Liability arising from employee violations is explicitly excluded.
16. Remote Access Controls
Remote access requires secure methods such as VPN or SSH with multifactor authentication. Misuse by authorized users falls beyond the Company's liability.
17. Business Continuity and Disaster Recovery
The Company maintains and periodically reviews a Business Continuity and Disaster Recovery Plan. Operational constraints or unforeseen events may limit complete recovery or continuity assurance, thus excluding liability.
18. Intrusion Detection/Protection
Intrusion detection and prevention systems are deployed on critical systems. The Company expressly disclaims guarantees of identifying or preventing every intrusion.
19. Human Resource Security
Security training and background verification of personnel occur periodically. The Company explicitly disclaims liability arising from unauthorized or malicious employee actions despite reasonable diligence.
20. Information Security Incident Response
Incident response plans and teams are in place. Due to resource constraints or unforeseen complexities, complete incident detection, containment, or resolution cannot be guaranteed.
21. Third-Party Risk Management
Vendors and partners undergo risk assessments and security evaluations. Nonetheless, third-party breaches or actions are explicitly excluded from Company liability.
22. Privacy Policy (Handling of PII Data)
Please refer to the Company's Privacy Policy on the Company website for detailed handling of PII data. The Company expressly disclaims liability resulting from actions beyond its reasonable control or user consent.
23. Acceptable Use Policy
All users are required to adhere to acceptable use guidelines as defined in the Company's Terms of Use. The Company explicitly excludes liability for violations committed by users.
24. Removable Media Policy
Usage of removable media is strongly discouraged and must be authorized explicitly. Liability resulting from unauthorized usage by employees is explicitly excluded.
25. Change Management
Changes to systems follow documented approval processes to mitigate potential risks. Liability arising from unforeseen consequences during approved changes is explicitly excluded.
26. Data Retention and Disposal
Data retention and disposal follow documented policies, ensuring compliance with legal and operational requirements. Errors or omissions made by employees or contractors during disposal processes are explicitly excluded from Company liability.
Disclaimer of Liability
Notwithstanding the detailed measures herein, the Company explicitly disclaims liability for any loss, damage, unauthorized access, data breach, or operational interruptions arising from conditions beyond its reasonable and direct control, including but not limited to malicious acts, negligence of third parties, employees, contractors, or unforeseen technical vulnerabilities.
This Information Security Policy shall be reviewed annually or upon material changes to business operations. The Company reserves the right to amend or modify this policy as necessary.
Governing Law and Jurisdiction
This Policy is governed by the laws of India and subject to the exclusive jurisdiction of courts in Mumbai, India.
Contact Information
Questions regarding this policy can be directed to: