Privacy Policy

2. Are visitors and housekeeping escorted by authorized personnel?.

Yes

3. What type of physical access control is used for entering the company campus?.

Biometric Access system with pin and finger scan

4. Are the physical security systems monitored 24/7?

The Security control room is manned 24X7 for monitoring the Physical security systems

5. Are photo IDs issued for employees?

Yes. Photo ID based access cards are issued to employees

1. Emergency power capabilitiesinstalled?

Yes. UPS systems and Diesel Generators are installed for emergency power requirements

2. Do you have documented Emergency escalation plans?

Yes

1. Emergency power capabilitiesinstalled?

Yes. UPS systems and Diesel Generators are installed for emergency power requirements

2. Do you have documented Emergency escalation plans?

Yes

1. Are externally facing servers OS hardened?

Yes. OS hardening reviews are carried, and accordingly hardening process is initiated

2. Are externally facing web servers using Web Application Firewalls?

No (Not part of subscribe service)

3. Are your web applications subject to Web vulnerability assessments?

No (Not part of subscribe service)

4. Are firewalls used between external and internalservices?

Yes

5. Are you using OS vulnerability assessment tools such as Nessus?

No

6. Are you using Intrusion Detection appliances in your external environment?

Yes

7. Is Anti-virus installed on all servers/clients?

Anti-virus services not being provided for clients

8. Has the system undergone security analysis or penetration testing, either by TI personnel or third-party firm? If so, please provide review date and summary of findings.

No

1. How is customer data segregated, by server, database, etc.? Can we request fully dedicatedresources?

Customer data segregation is carried out via dedicated hosting services. Fully dedicated resources may be requested for

2. Describe your processes or procedures in place for protecting TI's data against loss not due to a disaster, including, but not limited to data loss from laptop theft, hot-site files mishandled, backup tapes lost, etc.

• Access Control maintained in laptops / PC's that are password protected by individual users.
• Physical security is maintained on a 24X7 basis via Security personnel and CCTV cameras installed at strategic locations.
• Routine checkup and regular maintenance carried out for the hardware’s by Central IT team. Calls are logged with IT Helpdesk for hardware / software support
• Data is stored on the Central server. Backup of data on central server is taken by the Backup team through defined backup policies.
• Records of all physical data transfer is maintained.

3. Provide details on location and physical security of your data center. Is your data center hosted by a 3rd party or is it wholly owned and managed by you?

Reliance IDC’s Site location is carried out on the basis of following guidelines

• Necessities like Electricity, Water, Telephone lines and Networking Infrastructure support is available.
• The facility is not located in a flood, earthquake, hurricane, or tornado prone area.
• The facility is away from any Nuclear Plants, Military Bases, Embassies and other Government installations.
• Facility is closer to emergency services like Police, Fire brigade and Hospitals

4. Describe the physical security provided for all TI data that is taken off-site.

Reliance IDC maintains a list of the material in the form of Material Movement registers for material which enters into the Reliance IDC premises and moves out of the premises. It is required to be sent only after necessary consent and approvals from appropriate authority of the respective IDC Leads

1. Do you perform criminal background checks on employees?

Yes. Reference checks are carried out

2. Is contract labor used for administrative duties or application development?

No. Administrative duties are handled only by employees. No application development services are rendered to customers

3. Are your developers and Admins trained in security best practices? Code reviews held?

Yes. They are trained on the Security aspects

1. Do you have a documented patch policy forservers?

Yes

2. Do you have a documented customer data handling policy?

Yes. Information has varying degrees of sensitivity to the Reliance IDC. The level of security and the types of protective controls and measures used to secure information are depends on the sensitivity of information. Certain information needs an additional level of protection due to its criticality. In Reliance IDC one of the fundamental principles of information security is the "need to know” and “least privilege”. This principle holds that information should be disclosed only to those people who have a legitimate business need for the information. The data classification scheme has been designed to support the “need to know” policy so that information will be protected from unauthorized disclosure, use, modification, and deletion. Data classification is followed for handling customer data

3. Do you have a documented customer data classification policy?

Yes. Classification Levels are as below:

• i. CONFIDENTIAL

  CONFIDENTIAL information is that which is to be shared only with a very limited group and the unauthorized disclosure of which could be reasonably expected to cause damage to the business or its security.

• ii. PRIVATE

  While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact IDC its employees / customers, business partners can be classified as PRIVATE.

• iii. INTERNAL

  The information which is generated for/ by Reliance IDC employees and can be shared with Reliance IDC or Reliance ADAG group companies and can be shared or transferred to only identified external customers or any out of Reliance entity is classified as INTERNAL.

• iv. PUBLIC

  By definition, there is no such thing as unauthorized disclosure of this information and it may be freely disseminated without potential harm.

4. Do you have a documented customer data destruction policy?

• For media like floppy and CDs are broken.
• For Hard Disk and Tape storage media, the media is formatted before leaving the Reliance IDC.
• For equipment like switches, routers, firewall etc. all the configuration files are deleted, and the device is set to factory default condition.
• For decommissioned servers hard disk drives are formatted prior to sending the server to the stores.
• Any PC leaving the IDC premises, the user of the PC formats the hard disk drive before handing over the PC to the Central IT.

5. What is the process for notification of customers in case of a security breach? How/When?

It is done via email by IDC Tech desk. An incident case is generated by IDC Tech desk and notification is sent to the Customer.

1. How do users access the application? Examples: Web access, console, command line interface

Not Applicable - Services not Managed by IDC

2. What authentication is used for client access to application? Are you compatible with Federated IDSAML 2.0 standards?

Complexity enabled Password

3. Describe the various roles assigned in the application to TI users. For example, some roles might include: Data Entry, Data Review, Approval, User Management, Data Correction, Super User, IT Support, and Administrator

There are 3 types of Access for the users:

• Administrative/Super user Rights
• Normal User Rights,
• Read only

4. Does the application have an administrator or other privileged account that may have permissions greater than those of the typical user?

Yes. There is an Administrative/Super user Right

5. Do administrators use named credentials when accessing systems or use root/administrator?

Named credentials are used for accessing the systems

6. Are administrative activities logged and archived?

Yes

7. Is system access logged? If so, please note the current retention period of system access logs. As part of an investigation would TI be allowed to access these logs?

Administrative activities are logged but not archived. Logs will be overwritten once it reaches 20 MB size limit, Any Change on system will be carried out with service request raised by customer or by IDC.

8. Are any additional application and server logs archived? How long are they retained? As part of an investigation would TI be allowed to access these logs?

Incident logs are retained for 3 months for investigation purpose. In case of incidents, the logs may be shared with TI

9. Does the application lock an account after repeated failed login attempts?

System User Accounts will be locked after 3 invalid attempts & will be unlocked after 30 Minutes of time

1. Do any business processes supported by this application require “Separation of Duties (SoD)” or other safeguards to prevent a single user from abusing the system?

There is a "Segregation of duties" logic followed. Accesses to systems and applications are given only as per the role requirement

2. Have the roles and assignments been reviewed to ensure SoD conflicts do not exist?

Yes

1. Who provides new users with access to the system?

As customer & IDC both have Administrative privileges we both can create/provide.

2. Who provides existing users escalated privileges if needed?

As customer & IDC both have Administrative privileges we both can create/provide.

3. How are users removed from the system after termination or job change?

As customer & IDC both have Administrative privileges we both can create/provide.

4. Are there established approval and review processes for the above? If so, please describe

IDC create users only if we receive request from customer to do so.

1. Are account passwords maintained in accordance with a Security Policy governing complexity rules, length, expiration, etc.? If so, please provide details.

Yes. All infra servers are supposed to be aligned with the following password management controls:

• Maximum Password age - 60 days
• Account lockout threshold - 5 attempts
• Complex password

1. Is someone responsible for reviewing and/or approving the output of this application? If so, please identify the responsible individual(s) and describe the review process

• User access right review responsibility is assigned to the asset owners and they are instructed to review the current access rights verses valid access request forms every month.
• Asset owners disable the unwanted or expired user accounts if account holders do not reply after expiry date intimation mail.
• Whenever any employee resigns the job or gets transferred to other departments, the respective department head sends e-mail to all asset owners to disable his/her user accounts.

Location Data

We collect and use Customer location data to provide location-based services such as creating trips based on your current location. Your location data is only used when the app is active and is not shared with third parties without your consent. You may choose to disable location services at any time through your device settings.

Profile Information

You can upload a profile picture as part of your user account. This image is stored securely within the app and is only used for personalizing your profile. We do not share your profile picture with third parties.

1. HOW IS THE INFORMATION TO BE USED?

Berggruen uses the information collected for the following purposes:

• To assist you with reserving, renting, purchasing and leasing motor vehicles.
• To provide information concerning car sales, ride-sharing and fleet management.
• To conduct other transactions that you request.
• To operate and improve the website, services and offerings available through this website.
• To personalize the content and advertisements provided to you.
• To fulfill your requests for products, programs and services.
• To communicate with you and respond to your inquiries.
• To conduct research about your use of this website.
• To help offer you other products, programs, or services that may be of interest.

Your personally identifiable information will not be shared with third parties unless it is necessary to fulfill a transaction you have requested, in other circumstances in which you have consented to the sharing of your personally identifiable information, or except as described in this Policy. Berggruen may use your personally identifiable information to present offers to you on behalf of business partners and advertisers.

Data collected online may also be merged and combined with information you provide to us by means other than through this website as part of the standard business operations of Berggruen, provided, however, this Policy applies only to data collected online. If the same information about you is gathered from this website and also from other sources with different privacy policies, Berggruen may elect, in its sole discretion, to treat such information in accordance with the privacy policy that least restricts our use and disclosure of such information.