This Internal Staff Cybersecurity & Confidentiality Policy (“Policy”) governs the conduct, security practices, and confidentiality obligations applicable to all personnel associated with VR Financial Services (“VRFS”, “we”, “our”).
This Policy is binding and enforceable.

 

1. PURPOSE

This Policy ensures:

• Protection of all client data and VRFS operational information

• Prevention of unauthorized access, misuse, disclosure, or theft

• Compliance with applicable laws and regulations

• Maintenance of secure systems and ethical behaviour by internal personnel

• Alignment with the VRFS Cybersecurity & Access Policy, Platform Usage Agreement, and Privacy frameworks

This document forms the core of VRFS’s internal governance and cyber-hygiene discipline.

​

2. SCOPE

This Policy applies to:

Founders / Directors

• Employees

• Sub-distributors

• Consultants

• Interns

• Temporary staff

• Any individual with direct or indirect access to VRFS systems, client data, or operations

This Policy governs access to:

• RedVision portal

• Email, WhatsApp Business, communication systems

• Any data stored or processed by VRFS

• Devices, networks, and apps used to perform VRFS duties

• Any operational documents or confidential information

​

3. CONFIDENTIALITY OBLIGATIONS 

All personnel must maintain absolute confidentiality of:

• Client identities, contact details, KYC data

• Portfolio details, folio numbers, financial information

• Transaction histories

• Commission structures, commercial terms, and business processes

• Internal documentation, SOPs, and system accesses

• Any information designated as confidential by VRFS

3.1 The following actions are strictly prohibited:

• Sharing ANY client information with ANYONE outside VRFS

• Discussing client data with unauthorized persons (including family/friends)

• Storing client data on personal devices, cloud platforms, or external apps

• Uploading or copying data into Google Drive, iCloud, Dropbox, Notion, etc.

• Sharing screenshots of client portfolio pages or transactions

• Printing or photocopying client data without authorization

• Sending client information through personal email or messaging apps

• Inspecting or accessing client information without official purpose

• Downloading full portfolios or datasets from RedVision

• Retaining client data beyond the necessary service duration

3.2 Confidentiality is binding even after exit.

All personnel remain legally bound to confidentiality indefinitely, even after:

• Resignation

• Contract termination

• Discontinuation as sub-distributor

• Suspension or removal

• 3.3 Penalties for breach

Breaches may lead to:

• Immediate termination

• Civil liability

• Criminal prosecution under IT Act

• Regulatory reporting to SEBI / IRDAI / PFRDA / RBI

• Recovery of damages

VRFS has zero tolerance for confidentiality breaches.

​

4. DEVICE SECURITY REQUIREMENTS

Personnel must ensure:

• Devices have updated OS and security patches

• Antivirus/endpoint protection is active

• Full-disk encryption is enabled where available

• Strong passwords / biometric lock are mandatory

• Auto-lock enabled after inactivity

• No rooted/jailbroken device is used

• Only VRFS-approved applications may be used for client servicing

• Devices must not store exported client files permanently

Unauthorized devices must not be used for VRFS work.

​

5. COMMUNICATION SECURITY

Personnel must:

• Use only official VRFS email IDs for client communication

• Never use personal Gmail/Yahoo/Hotmail for VRFS business

• Use WhatsApp Business (VRFS official) for permitted communication only

• Not share OTPs, passwords, or system credentials

• Verify client identities before discussing investments

• Treat unknown attachments/links as suspicious

• Escalate phishing attempts immediately

Sharing client data on personal WhatsApp, SMS, or social media is strictly prohibited.

​

6. ACCESS CONTROL & AUTHORIZATION

Personnel agree to:

• Use their assigned access credentials only

• Never share usernames, passwords, or MFA tokens

• Follow Least Privilege Access principles

• Access only data required for their role

• Log out after each session

• Not bypass system security in any manner

• Immediately report suspected credential compromise

Unauthorized access or attempted access is a disciplinary + legal offence.

​

7. DATA HANDLING & STORAGE

Personnel must follow strict data hygiene:

• Access client data ONLY within RedVision or approved regulated systems

• Avoid storing PDF statements or reports unless necessary

• Delete temporary files immediately after tasks

• Not export full datasets unless explicitly authorized

• Avoid forwarding client data through unencrypted channels

• Use password-protected files when necessary

• Use secure, official devices and networks only

Printing client data requires explicit management approval.

​

8. SOCIAL ENGINEERING & FRAUD PREVENTION

Personnel must:

• Validate client instructions received through WhatsApp/Email

• Confirm unusual requests through a verified call

• Reject requests involving transfer of funds into personal accounts

• Not act on instructions originating from unknown numbers

• Educate clients on OTP/password safety

• Escalate suspicious behaviour immediately

Engaging in fraudulent activities or assisting fraud is grounds for immediate termination + legal action.

​

9. INCIDENT REPORTING (Strict 15-Minute Rule)

Personnel must report suspected incidents within 15 minutes of noticing:

• Unauthorized system access

• Device compromise

• Loss/theft of laptop or phone

• Phishing or malware attempt

• Suspicious client request

• Data leakage or accidental disclosure

• Misuse of VRFS branding

Failure to report promptly is treated as a compliance violation.

​

10. DISCIPLINARY ACTION AND LEGAL LIABILITY

Violations of this Policy may result in:

• Written warning

• Suspension

• Termination

• Legal action under IT Act, 2000

• Regulatory escalation (SEBI, IRDAI, PFRDA, AMFI)

• Monetary penalties

• Civil claims for damages

VRFS may pursue criminal charges in severe cases.

​

11. POLICY REVIEW & UPDATES

This Policy will be reviewed:

• Annually

• Upon major regulatory change

• Upon CERT-In or SEBI cyber advisories

• Upon significant platform or infrastructure updates

• After a material incident

VRFS may modify this Policy at any time. Updated versions will be circulated internally.

​

12. ACKNOWLEDGEMENT & ACCEPTANCE

All personnel must sign and acknowledge:

• Acceptance of this Policy

• Understanding of obligations

• Agreement to comply

• Liability for breach

Employment or engagement begins only after acceptance of this Policy.