PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED


Information Security Policy

Last Updated: July 01, 2026

INFORMATION SECURITY POLICY (ISP)

Issued By: PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED

Registered Office: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406

Version: 1.0

Effective Date: 01 July 2026

1. INTRODUCTION

This Information Security Policy ("Policy" or "ISP") has been established and adopted by PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED ("PROSPER", "Company", "We", "Us", or "Our"), a technology-enabled B2B financial services and fintech company incorporated under the Companies Act, 2013, engaged in providing digital payment services, financial inclusion services, banking correspondent services, payment processing services, merchant solutions, and other value-added financial services through its authorized network of agents, distributors, merchants, and business partners across India.

PROSPER recognizes that information security is critical to maintaining the confidentiality, integrity, availability, authenticity, and privacy of information assets, financial systems, customer data, and digital payment infrastructure. The Company is committed to implementing and maintaining robust information security controls to protect against cyber threats, unauthorized access, data breaches, fraud, operational disruptions, and financial crimes.

This Information Security Policy establishes the principles, standards, responsibilities, controls, and procedures governing the protection of information assets, technology infrastructure, digital payment systems, customer information, and business operations managed by PROSPER.

This Policy shall apply to all employees, directors, agents, distributors, merchants, contractors, consultants, third-party service providers, and business partners associated with PROSPER.

2. OBJECTIVES OF THE POLICY

The objectives of this Policy are:

  • To protect customer, business, and financial information;
  • To maintain confidentiality, integrity, and availability of information assets;
  • To prevent unauthorized access, disclosure, alteration, or destruction of information;
  • To comply with regulatory and legal requirements;
  • To mitigate cyber security risks;
  • To ensure secure operation of payment systems;
  • To maintain customer trust and business continuity;
  • To establish an effective information security governance framework;
  • To ensure compliance with RBI, NPCI, CERT-In, and other regulatory requirements.

3. REGULATORY AND LEGAL FRAMEWORK

This Policy has been formulated in accordance with:

  • Information Technology Act, 2000;
  • Digital Personal Data Protection Act, 2023;
  • Payment and Settlement Systems Act, 2007;
  • Reserve Bank of India Act, 1934;
  • RBI Cyber Security Framework Guidelines;
  • RBI Master Directions on Information Technology Governance;
  • RBI Payment Aggregator Guidelines;
  • RBI Master Directions on KYC;
  • NPCI Security Guidelines;
  • CERT-In Directions;
  • Prevention of Money Laundering Act, 2002;
  • Aadhaar Act, 2016;
  • ISO/IEC 27001 standards;
  • NIST Cyber Security Framework;
  • Applicable laws and regulations.

4. SCOPE OF THE POLICY

This Policy applies to all information assets, including:

Digital Platforms

  • Websites;
  • Mobile applications;
  • APIs;
  • Portals;
  • Payment systems.

Financial Services

  • BBPS Services;
  • AEPS Services;
  • Micro ATM Services;
  • DMT Services;
  • Merchant Services;
  • UPI Services;
  • BC Services;
  • Account Opening Services;
  • Prepaid Card Services.

Information Assets

  • Customer data;
  • Employee data;
  • Financial records;
  • Transaction records;
  • Business information;
  • Technical infrastructure;
  • Cloud systems;
  • Databases;
  • Source code;
  • Audit logs.

5. INFORMATION SECURITY PRINCIPLES

PROSPER's information security program is based on the following principles:

Confidentiality

Information shall only be accessible to authorized individuals.

Integrity

Information shall remain accurate, complete, and unaltered.

Availability

Information and systems shall remain available when required.

Authenticity

Information and transactions shall be verified and trusted.

Accountability

Users shall be accountable for actions performed.

Non-Repudiation

Actions and transactions shall be verifiable and traceable.

6. INFORMATION SECURITY GOVERNANCE

The Company shall maintain an Information Security Governance Framework comprising:

  • Board of Directors;
  • Senior Management;
  • Information Security Officer;
  • Compliance Team;
  • Risk Management Team;
  • Technology Team;
  • Internal Audit Team;
  • Incident Response Team.

The Board of Directors shall retain overall responsibility for information security governance.

7. INFORMATION ASSET CLASSIFICATION

All information assets shall be classified as:

Public Information

Information intended for public access.

Internal Information

Information restricted to authorized employees.

Confidential Information

Sensitive business and customer information.

Restricted Information

Highly sensitive information requiring enhanced protection.

Examples include:

  • Aadhaar information;
  • Financial information;
  • Customer data;
  • Authentication credentials;
  • Encryption keys;
  • Transaction records.

8. ACCESS CONTROL POLICY

PROSPER shall implement strict access controls including:

  • Role-Based Access Control (RBAC);
  • Principle of Least Privilege;
  • Need-to-Know access;
  • Multi-Factor Authentication (MFA);
  • Session management;
  • Privileged Access Management (PAM);
  • Password policies.

Access rights shall be reviewed periodically.

9. AUTHENTICATION AND PASSWORD SECURITY

PROSPER shall enforce:

  • Strong password policies;
  • Multi-factor authentication;
  • Password expiration controls;
  • Account lockout mechanisms;
  • Session timeout controls;
  • Device authentication;
  • Biometric authentication where applicable.

Passwords shall never be stored in plaintext.

10. DATA SECURITY AND ENCRYPTION

PROSPER shall implement:

Data in Transit

  • TLS 1.2 or higher;
  • HTTPS encryption;
  • VPN security.

Data at Rest

  • AES-256 encryption;
  • Database encryption;
  • File system encryption.

Key Management

  • Hardware Security Modules (HSM);
  • Encryption key rotation;
  • Secure key storage.

11. NETWORK SECURITY

The Company shall implement:

  • Firewalls;
  • Intrusion Detection Systems (IDS);
  • Intrusion Prevention Systems (IPS);
  • Web Application Firewalls (WAF);
  • Network segmentation;
  • VPN access controls;
  • DDoS protection;
  • Secure gateways.

12. APPLICATION SECURITY

All applications shall comply with secure development standards, including:

  • Secure SDLC;
  • Security by Design;
  • Privacy by Design;
  • Source code reviews;
  • Vulnerability scanning;
  • Penetration testing;
  • API security testing;
  • Dependency analysis.

13. CLOUD SECURITY

Where cloud services are utilized, PROSPER shall ensure:

  • Data localization compliance;
  • Encryption of cloud data;
  • Access controls;
  • Cloud monitoring;
  • Backup procedures;
  • Security audits;
  • Vendor risk assessments.

Cloud service providers shall be subject to contractual security obligations.

14. CUSTOMER DATA PROTECTION

Customer information shall be protected through:

  • Encryption;
  • Access controls;
  • Data masking;
  • Tokenization;
  • Audit logging;
  • Data segregation;
  • Retention controls.

Customer data shall be processed in accordance with:

  • DPDP Act, 2023;
  • IT Act, 2000;
  • RBI regulations.

15. CYBER SECURITY CONTROLS

PROSPER shall maintain:

  • Security Operations Center (SOC);
  • SIEM systems;
  • Endpoint Detection and Response (EDR);
  • Threat intelligence;
  • Malware protection;
  • Anti-virus systems;
  • Anti-phishing controls;
  • Security monitoring.

16. VULNERABILITY MANAGEMENT

The Company shall conduct:

  • Vulnerability assessments;
  • Penetration testing (VAPT);
  • Configuration reviews;
  • Patch management;
  • Security audits;
  • Application security testing.

Critical vulnerabilities shall be remediated immediately.

17. INCIDENT MANAGEMENT

PROSPER shall maintain an Incident Response Framework for:

  • Data breaches;
  • Cyber attacks;
  • Fraud incidents;
  • Malware infections;
  • Unauthorized access;
  • System compromises.

Incident management shall include:

  • Detection;
  • Investigation;
  • Containment;
  • Eradication;
  • Recovery;
  • Reporting.

18. DATA BREACH MANAGEMENT

In the event of a data breach:

  • Immediate containment measures shall be taken;
  • Customers may be notified where required;
  • Regulatory authorities may be informed;
  • Forensic investigations may be conducted;
  • Corrective measures shall be implemented.

All breaches shall be documented.

19. BUSINESS CONTINUITY AND DISASTER RECOVERY

PROSPER shall maintain:

  • Business Continuity Plan (BCP);
  • Disaster Recovery Plan (DRP);
  • Backup systems;
  • Alternate infrastructure;
  • Recovery testing procedures.

Periodic testing shall be conducted.

20. PHYSICAL SECURITY

Physical security controls shall include:

  • Access cards;
  • Visitor management;
  • CCTV surveillance;
  • Secure server rooms;
  • Environmental controls;
  • Equipment protection.

21. THIRD-PARTY SECURITY

All third-party vendors shall undergo:

  • Security due diligence;
  • Risk assessment;
  • Compliance reviews;
  • Contractual security obligations;
  • Periodic monitoring.

Third parties shall maintain adequate security controls.

22. EMPLOYEE SECURITY

Employees shall:

  • Sign confidentiality agreements;
  • Undergo background verification;
  • Complete security training;
  • Follow security procedures;
  • Report incidents immediately.

23. SECURITY AWARENESS TRAINING

Regular training shall be conducted on:

  • Information security;
  • Cyber security;
  • Data privacy;
  • Phishing attacks;
  • Social engineering;
  • Fraud prevention;
  • Regulatory compliance.

24. LOGGING AND MONITORING

PROSPER shall maintain:

  • Audit logs;
  • Access logs;
  • Transaction logs;
  • Security logs;
  • System logs;
  • Administrative logs.

Logs shall be monitored continuously.

25. RECORD RETENTION

Security records shall be retained for:

  • Minimum five (5) years;
  • Or longer where required by law.

Records include:

  • Audit logs;
  • Security incidents;
  • Access records;
  • Investigation reports;
  • Monitoring reports.

26. POLICY VIOLATIONS

Violations of this Policy may result in:

  • Warning;
  • Suspension;
  • Termination;
  • Financial penalties;
  • Legal proceedings;
  • Criminal prosecution.

27. GRIEVANCE AND SECURITY CONTACT

Information Security Officer

Name: Mr. Divyanshu Kumar

Address: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406

Email: security@prosper.in

Alternate Email: legal@prosper.in

Phone: +91 9918784000

Working Hours: Monday to Saturday, 10:00 AM – 6:00 PM

28. POLICY REVIEW

This Policy shall be reviewed:

  • Annually;
  • Following security incidents;
  • Upon regulatory changes;
  • Upon implementation of new technologies.

29. GOVERNING LAW AND JURISDICTION

This Policy shall be governed by the laws of India.

Any dispute arising under this Policy shall be subject to the exclusive jurisdiction of the competent courts situated at Lucknow, Uttar Pradesh.

30. EFFECTIVE DATE

This Policy shall become effective on 01 July 2026 and shall remain valid until amended, replaced, or withdrawn.

31. DECLARATION

This Information Security Policy has been approved by the management of PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED and shall be binding upon all employees, agents, distributors, merchants, service providers, and business partners associated with PROSPER.


FOR AND ON BEHALF OF

PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED

Registered Office:
CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406

Email: legal@prosper.in

Phone: +91 9918784000

Website: www.prosper.in

"PROSPER – Securing Financial Inclusion Through Trust, Technology, and Compliance."