Information Security Policy
Last Updated: July 01, 2026
INFORMATION SECURITY POLICY (ISP)
Issued By: PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED
Registered Office: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406
Version: 1.0
Effective Date: 01 July 2026
1. INTRODUCTION
This Information Security Policy ("Policy" or "ISP") has been established and adopted by PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED ("PROSPER", "Company", "We", "Us", or "Our"), a technology-enabled B2B financial services and fintech company incorporated under the Companies Act, 2013, engaged in providing digital payment services, financial inclusion services, banking correspondent services, payment processing services, merchant solutions, and other value-added financial services through its authorized network of agents, distributors, merchants, and business partners across India.
PROSPER recognizes that information security is critical to maintaining the confidentiality, integrity, availability, authenticity, and privacy of information assets, financial systems, customer data, and digital payment infrastructure. The Company is committed to implementing and maintaining robust information security controls to protect against cyber threats, unauthorized access, data breaches, fraud, operational disruptions, and financial crimes.
This Information Security Policy establishes the principles, standards, responsibilities, controls, and procedures governing the protection of information assets, technology infrastructure, digital payment systems, customer information, and business operations managed by PROSPER.
This Policy shall apply to all employees, directors, agents, distributors, merchants, contractors, consultants, third-party service providers, and business partners associated with PROSPER.
2. OBJECTIVES OF THE POLICY
The objectives of this Policy are:
- To protect customer, business, and financial information;
- To maintain confidentiality, integrity, and availability of information assets;
- To prevent unauthorized access, disclosure, alteration, or destruction of information;
- To comply with regulatory and legal requirements;
- To mitigate cyber security risks;
- To ensure secure operation of payment systems;
- To maintain customer trust and business continuity;
- To establish an effective information security governance framework;
- To ensure compliance with RBI, NPCI, CERT-In, and other regulatory requirements.
3. REGULATORY AND LEGAL FRAMEWORK
This Policy has been formulated in accordance with:
- Information Technology Act, 2000;
- Digital Personal Data Protection Act, 2023;
- Payment and Settlement Systems Act, 2007;
- Reserve Bank of India Act, 1934;
- RBI Cyber Security Framework Guidelines;
- RBI Master Directions on Information Technology Governance;
- RBI Payment Aggregator Guidelines;
- RBI Master Directions on KYC;
- NPCI Security Guidelines;
- CERT-In Directions;
- Prevention of Money Laundering Act, 2002;
- Aadhaar Act, 2016;
- ISO/IEC 27001 standards;
- NIST Cyber Security Framework;
- Applicable laws and regulations.
4. SCOPE OF THE POLICY
This Policy applies to all information assets, including:
Digital Platforms
- Websites;
- Mobile applications;
- APIs;
- Portals;
- Payment systems.
Financial Services
- BBPS Services;
- AEPS Services;
- Micro ATM Services;
- DMT Services;
- Merchant Services;
- UPI Services;
- BC Services;
- Account Opening Services;
- Prepaid Card Services.
Information Assets
- Customer data;
- Employee data;
- Financial records;
- Transaction records;
- Business information;
- Technical infrastructure;
- Cloud systems;
- Databases;
- Source code;
- Audit logs.
5. INFORMATION SECURITY PRINCIPLES
PROSPER's information security program is based on the following principles:
Confidentiality
Information shall only be accessible to authorized individuals.
Integrity
Information shall remain accurate, complete, and unaltered.
Availability
Information and systems shall remain available when required.
Authenticity
Information and transactions shall be verified and trusted.
Accountability
Users shall be accountable for actions performed.
Non-Repudiation
Actions and transactions shall be verifiable and traceable.
6. INFORMATION SECURITY GOVERNANCE
The Company shall maintain an Information Security Governance Framework comprising:
- Board of Directors;
- Senior Management;
- Information Security Officer;
- Compliance Team;
- Risk Management Team;
- Technology Team;
- Internal Audit Team;
- Incident Response Team.
The Board of Directors shall retain overall responsibility for information security governance.
7. INFORMATION ASSET CLASSIFICATION
All information assets shall be classified as:
Public Information
Information intended for public access.
Internal Information
Information restricted to authorized employees.
Confidential Information
Sensitive business and customer information.
Restricted Information
Highly sensitive information requiring enhanced protection.
Examples include:
- Aadhaar information;
- Financial information;
- Customer data;
- Authentication credentials;
- Encryption keys;
- Transaction records.
8. ACCESS CONTROL POLICY
PROSPER shall implement strict access controls including:
- Role-Based Access Control (RBAC);
- Principle of Least Privilege;
- Need-to-Know access;
- Multi-Factor Authentication (MFA);
- Session management;
- Privileged Access Management (PAM);
- Password policies.
Access rights shall be reviewed periodically.
9. AUTHENTICATION AND PASSWORD SECURITY
PROSPER shall enforce:
- Strong password policies;
- Multi-factor authentication;
- Password expiration controls;
- Account lockout mechanisms;
- Session timeout controls;
- Device authentication;
- Biometric authentication where applicable.
Passwords shall never be stored in plaintext.
10. DATA SECURITY AND ENCRYPTION
PROSPER shall implement:
Data in Transit
- TLS 1.2 or higher;
- HTTPS encryption;
- VPN security.
Data at Rest
- AES-256 encryption;
- Database encryption;
- File system encryption.
Key Management
- Hardware Security Modules (HSM);
- Encryption key rotation;
- Secure key storage.
11. NETWORK SECURITY
The Company shall implement:
- Firewalls;
- Intrusion Detection Systems (IDS);
- Intrusion Prevention Systems (IPS);
- Web Application Firewalls (WAF);
- Network segmentation;
- VPN access controls;
- DDoS protection;
- Secure gateways.
12. APPLICATION SECURITY
All applications shall comply with secure development standards, including:
- Secure SDLC;
- Security by Design;
- Privacy by Design;
- Source code reviews;
- Vulnerability scanning;
- Penetration testing;
- API security testing;
- Dependency analysis.
13. CLOUD SECURITY
Where cloud services are utilized, PROSPER shall ensure:
- Data localization compliance;
- Encryption of cloud data;
- Access controls;
- Cloud monitoring;
- Backup procedures;
- Security audits;
- Vendor risk assessments.
Cloud service providers shall be subject to contractual security obligations.
14. CUSTOMER DATA PROTECTION
Customer information shall be protected through:
- Encryption;
- Access controls;
- Data masking;
- Tokenization;
- Audit logging;
- Data segregation;
- Retention controls.
Customer data shall be processed in accordance with:
- DPDP Act, 2023;
- IT Act, 2000;
- RBI regulations.
15. CYBER SECURITY CONTROLS
PROSPER shall maintain:
- Security Operations Center (SOC);
- SIEM systems;
- Endpoint Detection and Response (EDR);
- Threat intelligence;
- Malware protection;
- Anti-virus systems;
- Anti-phishing controls;
- Security monitoring.
16. VULNERABILITY MANAGEMENT
The Company shall conduct:
- Vulnerability assessments;
- Penetration testing (VAPT);
- Configuration reviews;
- Patch management;
- Security audits;
- Application security testing.
Critical vulnerabilities shall be remediated immediately.
17. INCIDENT MANAGEMENT
PROSPER shall maintain an Incident Response Framework for:
- Data breaches;
- Cyber attacks;
- Fraud incidents;
- Malware infections;
- Unauthorized access;
- System compromises.
Incident management shall include:
- Detection;
- Investigation;
- Containment;
- Eradication;
- Recovery;
- Reporting.
18. DATA BREACH MANAGEMENT
In the event of a data breach:
- Immediate containment measures shall be taken;
- Customers may be notified where required;
- Regulatory authorities may be informed;
- Forensic investigations may be conducted;
- Corrective measures shall be implemented.
All breaches shall be documented.
19. BUSINESS CONTINUITY AND DISASTER RECOVERY
PROSPER shall maintain:
- Business Continuity Plan (BCP);
- Disaster Recovery Plan (DRP);
- Backup systems;
- Alternate infrastructure;
- Recovery testing procedures.
Periodic testing shall be conducted.
20. PHYSICAL SECURITY
Physical security controls shall include:
- Access cards;
- Visitor management;
- CCTV surveillance;
- Secure server rooms;
- Environmental controls;
- Equipment protection.
21. THIRD-PARTY SECURITY
All third-party vendors shall undergo:
- Security due diligence;
- Risk assessment;
- Compliance reviews;
- Contractual security obligations;
- Periodic monitoring.
Third parties shall maintain adequate security controls.
22. EMPLOYEE SECURITY
Employees shall:
- Sign confidentiality agreements;
- Undergo background verification;
- Complete security training;
- Follow security procedures;
- Report incidents immediately.
23. SECURITY AWARENESS TRAINING
Regular training shall be conducted on:
- Information security;
- Cyber security;
- Data privacy;
- Phishing attacks;
- Social engineering;
- Fraud prevention;
- Regulatory compliance.
24. LOGGING AND MONITORING
PROSPER shall maintain:
- Audit logs;
- Access logs;
- Transaction logs;
- Security logs;
- System logs;
- Administrative logs.
Logs shall be monitored continuously.
25. RECORD RETENTION
Security records shall be retained for:
- A minimum of five (5) years; or
- A longer period where required by law.
Records include:
- Audit logs;
- Security incidents;
- Access records;
- Investigation reports;
- Monitoring reports.
26. POLICY VIOLATIONS
Violations of this Policy may result in:
- Warning;
- Suspension;
- Termination;
- Financial penalties;
- Legal proceedings;
- Criminal prosecution.
27. GRIEVANCE AND SECURITY CONTACT
Information Security Officer
Name: Mr. Divyanshu Kumar
Address: CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406
Email: security@prosper.in
Alternate Email: legal@prosper.in
Phone: +91 9918784000
Working Hours: Monday to Saturday, 10:00 AM – 6:00 PM
28. POLICY REVIEW
This Policy shall be reviewed:
- Annually;
- Following security incidents;
- Upon regulatory changes;
- Upon implementation of new technologies.
29. GOVERNING LAW AND JURISDICTION
This Policy shall be governed by the laws of India.
Any dispute arising under this Policy shall be subject to the exclusive jurisdiction of the competent courts situated at Lucknow, Uttar Pradesh.
30. EFFECTIVE DATE
This Policy shall become effective on 01 July 2026 and shall remain valid until amended, replaced, or withdrawn.
31. DECLARATION
This Information Security Policy has been approved by the management of PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED and shall be binding upon all employees, agents, distributors, merchants, service providers, and business partners associated with PROSPER.
FOR AND ON BEHALF OF
PROSPER PROFESSIONAL DEVELOPMENT LIFE PRIVATE LIMITED
Registered Office:
CC Road, Tamkuhi Road, Kushinagar, Uttar Pradesh, 274406
Email: legal@prosper.in
Phone: +91 9918784000
Website: www.prosper.in
"PROSPER – Securing Financial Inclusion Through Trust, Technology, and Compliance."
