Data Breach Response Policy

Effective Date: 07th June, 2026

May 2026

1. Purpose

This Data Breach Response Policy (“Policy”) establishes the framework, procedures, responsibilities, and response measures adopted by Bharosak (“Company”, “Platform”, “we”, “our”, or “us”) for identifying, reporting, managing, investigating, mitigating, and responding to actual, suspected, or potential data breaches and information security incidents.

The objective of this Policy is to:

  • Protect customer and business data;

  • Minimize operational and security risks;

  • Ensure timely response to security incidents;

  • Support compliance with applicable laws and contractual obligations;

  • Maintain accountability and auditability;

  • Reduce impact on affected individuals, customers, and systems.

2. Scope

This Policy applies to:

  • Personal data;

  • Business information;

  • Verification records;

  • Customer information;

  • Authentication credentials;

  • Uploaded documents;

  • API integrations;

  • Internal systems;

  • Cloud infrastructure;

  • Employees, contractors, vendors, and third-party service providers handling Bharosak information assets.

3. Definition of Data Breach

For the purposes of this Policy, a “Data Breach” includes any actual, suspected, accidental, unlawful, or unauthorized:

  • Access;

  • Disclosure;

  • Exposure;

  • Acquisition;

  • Alteration;

  • Loss;

  • Destruction;

  • Theft;

  • Misuse;

  • Unavailability;

of information, systems, credentials, infrastructure, or protected data.

4. Examples of Security Incidents

Examples may include:

  • Unauthorized account access;

  • Credential compromise;

  • API key leakage;

  • Malware or ransomware attacks;

  • Exposure of customer information;

  • Improper sharing of verification data;

  • Unauthorized downloads or exports;

  • Phishing attacks;

  • Insider misuse;

  • Cloud misconfigurations;

  • Accidental disclosure;

  • Loss of company devices containing sensitive data.

5. Incident Response Objectives

Bharosak aims to:

  • Detect incidents promptly;

  • Contain and minimize damage;

  • Preserve evidence and logs;

  • Restore operations safely;

  • Notify affected parties where appropriate;

  • Prevent recurrence;

  • Maintain operational continuity.

6. Roles & Responsibilities

A. Management

Management shall oversee:

  • Incident coordination;

  • Escalation decisions;

  • External communication;

  • Regulatory considerations;

  • Remediation approvals.

B. Technical Personnel

Authorized technical personnel may:

  • Investigate incidents;

  • Isolate affected systems;

  • Analyze logs;

  • Revoke credentials;

  • Apply security fixes;

  • Restore services.

C. Employees & Users

All employees and authorized users must:

  • Immediately report suspected incidents;

  • Avoid concealing security events;

  • Cooperate with investigations;

  • Follow emergency response procedures.

7. Incident Identification & Reporting

A. Reporting Channels

Suspected incidents may be reported through:

B. Reporting Requirements

Reports should include where possible:

  • Nature of incident;

  • Date/time detected;

  • Affected systems or accounts;

  • Suspected data involved;

  • Screenshots or evidence;

  • User actions already taken.

8. Incident Classification

Incidents may be categorized based on severity, including:

Severity : Examples

Low : Minor unauthorized attempt blocked

Medium : Limited account compromise

High : Exposure of sensitive records

Critical : Large-scale breach or ransomware

Severity classification may determine escalation priority and response actions.

9. Incident Response Process

Step 1 — Detection

Incidents may be identified through:

  • Monitoring systems;

  • Audit logs;

  • Customer reports;

  • Employee reports;

  • Security alerts;

  • Third-party notifications.

Step 2 — Initial Assessment

Bharosak may assess:

  • Nature of incident;

  • Scope of exposure;

  • Systems affected;

  • Data involved;

  • Potential operational impact;

  • Risk severity.

Step 3 — Containment

Containment actions may include:

  • Disabling accounts;

  • Revoking credentials;

  • Blocking access;

  • Isolating systems;

  • Suspending APIs;

  • Restricting data exports.

Step 4 — Investigation

Investigation may involve:

  • Log analysis;

  • System reviews;

  • Access audits;

  • Infrastructure examination;

  • Verification of affected records;

  • Internal interviews where necessary.

Step 5 — Remediation

Corrective actions may include:

  • Password resets;

  • Infrastructure hardening;

  • Security patches;

  • Access control updates;

  • API key rotation;

  • Process improvements;

  • Additional monitoring controls.

Step 6 — Recovery

Bharosak may restore systems and services after reasonable assessment that operational risks have been mitigated.

Step 7 — Post-Incident Review

Post-incident reviews may include:

  • Root cause analysis;

  • Process evaluation;

  • Lessons learned;

  • Security enhancement recommendations;

  • Documentation updates.

10. Notification Process

Where commercially reasonable, contractually required, or legally necessary, Bharosak may notify:

  • Affected customers;

  • Business partners;

  • Service providers;

  • Regulatory authorities;

  • Law enforcement agencies.

Notification timelines may depend on:

  • Severity;

  • Legal obligations;

  • Verification of facts;

  • Ongoing investigations.

11. Evidence Preservation

Bharosak may preserve:

  • System logs;

  • Access records;

  • Audit trails;

  • Communication records;

  • Screenshots;

  • Technical artifacts;

for investigation, legal, security, and compliance purposes.

12. Third-Party Incidents

Where incidents involve third-party providers such as:

  • Cloud providers;

  • API vendors;

  • Payment gateways;

  • Communication platforms;

Bharosak may coordinate with such providers for mitigation and investigation.

Bharosak does not control the security practices of independent third parties.

13. Data Recovery & Backup

Bharosak may maintain backups and recovery mechanisms designed to support operational continuity.

However:

  • Complete recovery may not always be possible;

  • Data loss risks cannot be fully eliminated;

  • Third-party dependencies may affect recovery timelines.

14. Employee Security Obligations

Personnel must:

  • Protect credentials;

  • Avoid unauthorized sharing;

  • Follow approved security procedures;

  • Report suspicious activities promptly;

  • Cooperate with investigations.

Failure to comply may result in disciplinary or legal action.

15. Confidentiality During Investigations

Incident investigations may involve confidential operational, legal, technical, or customer information.

Employees and users shall avoid unauthorized disclosure of ongoing investigations.

16. False Reporting & Abuse

Knowingly false, malicious, or misleading incident reports may result in:

  • Account restrictions;

  • Internal disciplinary action;

  • Legal remedies where applicable.

17. Compliance Considerations

This Policy is intended to support alignment with:

  • Information Technology Act, 2000;

  • Digital Personal Data Protection Act, 2023;

  • Applicable contractual obligations;

  • Industry-standard security practices.

18. Limitation of Guarantees

While Bharosak implements commercially reasonable security controls, no system can guarantee complete immunity from:

  • Cyberattacks;

  • Insider threats;

  • Infrastructure failures;

  • Third-party vulnerabilities;

  • Human error.

Users acknowledge that cybersecurity risks may exist despite reasonable safeguards.

19. Policy Updates

Bharosak reserves the right to update or modify this Policy periodically.

Updated versions become effective upon publication or internal circulation.

20. Contact Information

For security incidents or breach-related concerns:

Bharosak
Email: support@bharosak.com
Website: www.bharosak.com

Annexure A — Recommended Internal Incident Escalation Matrix

Severity : Escalation

Low : Internal technical review

Medium : Management notification

High : Immediate escalation + containment

Critical : Emergency response coordination

Annexure B — Suggested Internal Breach Checklist

Immediate Actions

  • Incident identified

  • Logs preserved

  • Access isolated

  • Credentials revoked if needed

  • Systems assessed

  • Management informed

  • Investigation initiated

Annexure C — Suggested Website Security Notice

Bharosak maintains commercially reasonable administrative, technical, and operational safeguards to protect customer information and platform systems. However, no digital infrastructure can guarantee absolute security against all cybersecurity threats or incidents.