
1. PURPOSE AND REGULATORY BASIS

This Cybersecurity & Access Policy (“Policy”) sets out the information security, technology usage, and access control framework of VR Financial Services (“VRFS”, “we”, “our”, “us”).

The objectives of this Policy are to:

  • Protect the confidentiality, integrity, and availability of client and organizational data

  • Ensure secure use of technology platforms, including the VRFS website and RedVision-powered client portal

  • Comply with applicable laws, regulations, and advisories, including:

    • Information Technology Act, 2000

    • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

    • SEBI circular SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 dated November 3, 2020 on SaaS-based solutions

    • CERT-In advisories and any applicable cybersecurity guidelines

    • Data Protection principles, including India’s DPDP regime, as and when notified

This Policy should be read together with:

  • VRFS Privacy Policy & Cookie Policy

  • VRFS Risk Disclosures & Legal Disclaimers

  • VRFS Website Terms & Conditions

  • VRFS Platform Usage Agreement (RedVision portal)

2. SCOPE AND APPLICABILITY

This Policy applies to:

  • All VRFS directors, employees, partners, associates, and sub-distributors

  • Any third party acting on behalf of VRFS with access to systems or data

  • All technology systems used by VRFS, including:

    • www.vrfinserv.com (Wix-hosted website)

    • portfolio.vrfinserv.com (RedVision / Wealth Elite client portal)

    • Email systems, end-user devices, collaboration tools

  • All client and operational data processed by VRFS and/or RedVision in the course of business

It also defines expectations and responsibilities for clients accessing the VRFS platforms.

3. ROLES AND RESPONSIBILITIES
3.1 VRFS Management

  • Approve, own, and periodically review this Policy

  • Ensure alignment with regulatory circulars, including SEBI’s SaaS advisory

  • Oversee contractual arrangements with RedVision and other technology providers

  • Allocate resources for security controls, monitoring, and incident response

3.2 Cybersecurity & IT Function (Internal / Outsourced)

  • Implement security controls described in this Policy

  • Maintain access control mechanisms, logs, and technical safeguards

  • Liaise with RedVision and other vendors on security posture and incidents

  • Ensure endpoints and tools used by VRFS staff adhere to security baselines

3.3 Employees, Representatives, and Sub-Distributors

  • Use systems strictly as per this Policy

  • Protect credentials and devices used for client servicing

  • Report suspected security incidents immediately

  • Refrain from using unauthorised software, platforms, or storage for client data

3.4 Clients

  • Use only official VRFS platforms and channels for access and communication

  • Maintain secrecy of login IDs, passwords, OTPs, and device security

  • Inform VRFS promptly in case of suspected compromise or fraud

  • Accept responsibility for activity initiated using their credentials, as detailed in the Platform Usage Agreement

4. INFORMATION ASSETS & DATA CLASSIFICATION

VRFS classifies information as follows:

  1. Critical Data

    • Client KYC information (PAN, date of birth, contact details)

    • Investment holdings, folios, transactions, valuations

    • Insurance policy details, contributions, and benefits

    • Regulatory compliance, reporting, and risk data

  2. Sensitive Personal Data

    • Any data that may be deemed sensitive under the IT Rules / DPDP (e.g., financial data, identification numbers, authentication details)

  3. Confidential Internal Data

    • Business processes, commissions, internal SOPs, contractual documents

  4. Public Data

    • Marketing content, website articles, blogs, educational material

Critical Data and Sensitive Personal Data are subject to the highest security standards and are hosted, stored, and processed only in approved environments.

5. TECHNOLOGY ARCHITECTURE & HOSTING
5.1 RedVision – Core Portfolio and Transaction Platform

VRFS uses the Wealth Elite platform of RedVision Global Technologies Pvt. Ltd. (“RedVision”) as its core technology platform for portfolio reporting and transaction facilitation.

As per RedVision’s declaration:

  • Client data and all web applications are hosted on AWS servers in the Asia Pacific (Mumbai) region.

  • Information security measures are aligned with the IT Act, 2000 and the 2011 Rules.

  • Adequate technical and organizational safeguards are implemented.

Hosting in the Mumbai region keeps critical financial and compliance data within the legal jurisdiction of India, in line with the SEBI SaaS circular and applicable CERT-In advisories.

5.2 VRFS Website – www.vrfinserv.com  (Wix)

The public-facing website is hosted on Wix and used primarily for:

  • Educational content

  • Business information

  • Lead/contact forms

The website does not store or process critical portfolio data, KYC records, transaction histories, or compliance datasets.

Any personal data collected via website forms is limited (e.g., name, email, phone) and processed as per the VRFS Privacy Policy.

5.3 No Offshoring of Critical SaaS Functions

VRFS does not use offshore SaaS platforms to store or manage critical risk, compliance, or client portfolio data.

Any future SaaS usage for GRC or core operations will be permitted only if:

  • Data residency is within India, or

  • Regulatory and legal requirements for cross-border transfers are fully complied with and documented.

6. ACCESS CONTROL POLICY
6.1 Principle of Least Privilege

  • Access to systems and data is granted strictly on a need-to-know and need-to-use basis.

  • Each user (internal or external) receives a unique user ID; generic or shared IDs are prohibited for privileged operations.

6.2 User Authentication

  • Strong, unique passwords are mandatory for all systems that allow configuration or access to client data.

  • Where supported, multi-factor authentication (MFA) is enabled for critical systems.

  • Account lockout policies are applied after repeated failed login attempts.

6.3 Joiner-Mover-Leaver Process

  • New access is provisioned only upon approval by authorized personnel.

  • Access rights are updated during role changes.

  • Access is revoked immediately upon exit of any employee, consultant, or sub-distributor.

7. CLIENT ACCESS & USAGE REQUIREMENTS

Clients accessing the RedVision platform via portfolio.vrfinserv.com must:

  • Log in only through official VRFS links or bookmarked URLs

  • Never share login credentials, passwords, or OTPs with any individual, including VRFS or RedVision staff

  • Avoid using public or shared devices for logging into the portal; if used, ensure proper logout and no saving of credentials

  • Ensure their registered email and mobile numbers are up to date for communication and alerts

  • Immediately inform VRFS in case of:

    • Unauthorized access

    • Compromised devices

    • Suspicious emails, calls, or messages claiming to be from VRFS

These requirements mirror and enforce the Platform Usage Agreement obligations.

8. ENDPOINT & NETWORK SECURITY (VRFS SIDE)

Devices used by VRFS personnel to access RedVision or other regulated systems must:

  • Run supported, regularly updated operating systems

  • Have antivirus and/or endpoint protection deployed where appropriate

  • Be locked with strong passwords or biometric controls

  • In the case of mobile devices, not be rooted or jailbroken

Accessing back-office systems from public, unsecured Wi-Fi is discouraged. Where unavoidable, a VPN or secure tunnel must be used.

External removable media (USB drives, external HDDs) must not be used to store or transport client data except in controlled, encrypted formats and only when absolutely necessary.

9. APPLICATION SECURITY & CHANGE MANAGEMENT

Only approved platforms (RedVision, exchanges, AMCs, insurers, RTAs, KRAs, and regulated intermediaries) are to be used for execution and reporting.

“Shadow IT” (unapproved tools, apps, or SaaS platforms) for client data is strictly prohibited.

Any integration or new system connected to RedVision or VRFS processes must undergo:

  • Security review

  • Data-flow mapping

  • Contractual and regulatory checks

Updates, enhancements, or configuration changes in RedVision are managed by RedVision as per their change management controls; VRFS will periodically obtain assurance on this.

10. DATA PROTECTION, ENCRYPTION & STORAGE

All client data transmitted between browsers and VRFS/RedVision platforms uses HTTPS/TLS or equivalent encryption.

RedVision ensures encryption at rest and in transit as per their security posture on AWS Mumbai.

VRFS does not locally store complete client portfolio databases; data is accessed via secure RedVision portals and APIs.

Any reports downloaded (e.g., portfolio statements) are stored securely, with access restricted and retention limited to business and regulatory needs.

Exporting or emailing sensitive data in unprotected formats is discouraged. Where necessary, password-protected (encrypted) files, with the password communicated through a separate channel, or secure sharing methods must be used.

11. LOGGING, MONITORING & AUDIT

Access, configuration, and transaction logs are maintained by RedVision for user activity on the Platform.

VRFS may review logs for:

  • Security investigations

  • Fraud detection

  • Regulatory inquiries

Regular audits and reviews are conducted to ensure:

  • Compliance with SEBI SaaS advisory

  • Adherence to IT Act and DPDP principles

  • Alignment with contracts and declarations provided by RedVision

Any anomalous activity identified via logs or alerts must be escalated as a potential security incident.

12. SAAS USAGE & SEBI CIRCULAR COMPLIANCE

In line with SEBI circular SEBI/HO/MIRSD2/DOR/CIR/P/2020/221:

  • VRFS recognizes the risks associated with SaaS solutions for Governance, Risk & Compliance and core financial data.

  • VRFS ensures that critical risk and compliance data remain within India’s legal jurisdiction, with data hosted on Indian-region cloud infrastructure (AWS Mumbai via RedVision).

  • Any SaaS platform used for critical processes must:

    • Provide explicit data residency within India or a compliant jurisdiction

    • Offer contractual commitments for data protection and incident reporting

    • Be assessed for cybersecurity posture and vendor risk

  • VRFS will not adopt or continue any SaaS solution that:

    • Transfers critical GRC data outside India without due compliance

    • Lacks sufficient visibility, control, or contractual safeguards

13. INCIDENT MANAGEMENT & REPORTING

A “Security Incident” includes, but is not limited to:

  • Unauthorized access to client or internal systems

  • Data breach, data leakage, or suspected compromise

  • Malware infection or ransomware on VRFS-controlled endpoints

  • Compromise of credentials or phished accounts

  • Misuse of VRFS branding in cyber fraud

13.1 Internal Response

On detection or suspicion of an incident:

  • VRFS personnel must immediately escalate to the designated security contact.

  • Containment actions (e.g., password reset, access revocation, device isolation) will be initiated promptly.

  • RedVision and/or affected third parties will be informed if the incident pertains to their environment.

13.2 External Reporting

Where applicable, VRFS will cooperate with:

  • CERT-In

  • Regulators and industry bodies (SEBI, AMFI, IRDAI, PFRDA, RBI, etc.)

  • Law enforcement agencies

Clients affected or potentially affected may be informed, consistent with legal and regulatory requirements.

14. BUSINESS CONTINUITY & DISASTER RECOVERY

RedVision maintains business continuity and disaster recovery capabilities within its infrastructure for portfolio and transaction services.

VRFS will coordinate with RedVision to understand and periodically review high-level continuity arrangements.

VRFS maintains its own continuity measures for:

  • Communication (email, WhatsApp Business, phone)

  • Client servicing SOPs

  • Documented fall-back processes in case of platform outage

15. TRAINING & AWARENESS

VRFS will provide periodic awareness to employees and associates on:

  • Cybersecurity hygiene

  • Phishing and social engineering threats

  • Secure handling of client data

  • Use of official systems only

Clients may be periodically reminded (via email/WhatsApp/portal messages) about:

  • Not sharing OTPs or passwords

  • Verifying VRFS identities and channels

  • Avoiding fraudulent schemes and impersonation attempts

16. POLICY REVIEW, OWNERSHIP & VERSIONING

  • This Policy is owned by VRFS management.

  • It will be reviewed at least annually, or earlier if:

    • Regulations change

    • SEBI / CERT-In / other regulators issue relevant advisories

    • RedVision modifies its infrastructure in a material way

    • Significant incidents highlight gaps or improvement areas

  • The current version of this Policy will be made available:

    • On the VRFS website

    • As part of VRFS governance documentation

    • To regulators, enterprise clients, and partners upon request

17. CONTACT FOR SECURITY & ACCESS

For security-related concerns, incident reporting, or clarifications on this Policy:

VR Financial Services
Email: contact@vrfinserv.com

Website: www.vrfinserv.com

Client Portal: portfolio.vrfinserv.com

VR FINANCIAL SERVICES - CYBERSECURITY & ACCESS POLICY