Data Protection & Security Policy

Security Framework & Compliance / सुरक्षा फ्रेमवर्क आणि अनुपालन

Last updated: 29 November 2025

1. Introduction / परिचय

At कुरुकसारथी, operated by Blemense Technologies, we implement comprehensive data protection and security measures to safeguard all information entrusted to us. This policy outlines our security framework, compliance standards, and protection mechanisms for election management data.

We are committed to maintaining the highest standards of data security and compliance with Indian laws, including the Information Technology Act 2000, Digital Personal Data Protection Act 2023, and related regulations.

2. Security Framework / सुरक्षा फ्रेमवर्क

2.1 Multi-Layered Security Approach

Our security framework includes:

  • Infrastructure security and network protection
  • Application-level security controls
  • Data encryption at rest and in transit
  • Identity and access management
  • Monitoring and incident response
  • Regular security assessments and audits

2.2 Security Standards

We follow industry-standard security frameworks including ISO 27001, NIST Cybersecurity Framework, and OWASP guidelines to ensure comprehensive protection of all data and systems.

3. Encryption Standards / एन्क्रिप्शन मानके

3.1 Data at Rest Encryption

Database and storage encryption:

  • AES-256 encryption for all stored data
  • Transparent Data Encryption (TDE) for databases
  • Encrypted backups with separate key management
  • File-level encryption for sensitive documents
  • Key rotation every 90 days

3.2 Data in Transit Encryption

Network and communication security:

  • TLS 1.3 for all web communications
  • HTTPS enforcement across all endpoints
  • API encryption for data transfers
  • VPN connections for administrative access
  • Certificate pinning for mobile applications

3.3 Key Management

Encryption keys are managed using Hardware Security Modules (HSMs) and cloud-based key management services. Keys are never stored in plain text, and access to them is restricted to authorized personnel only.

4. Access Controls / प्रवेश नियंत्रण

4.1 Identity and Access Management

Access control measures:

  • Multi-factor authentication (MFA) for all accounts
  • Role-based access control (RBAC) following the principle of least privilege
  • Single Sign-On (SSO) integration for enterprise customers
  • Session management with automatic timeout
  • Password policies with complexity requirements

4.2 Administrative Access

  • Administrative access is limited to authorized personnel
  • All administrative actions are logged and monitored
  • Privileged access requires additional authentication
  • Regular access reviews and permission audits
  • Immediate revocation of access upon role changes

4.3 User Access Levels

Admin Level

  • Full system access
  • User management
  • Data export/import
  • System configuration

Booth Incharge

  • Booth-level data access
  • Voter data management
  • Reporting capabilities
  • Limited admin functions

Karyakarta

  • Basic voter data access
  • Data entry capabilities
  • Communication tools
  • Activity reporting

5. Network Security / नेटवर्क सुरक्षा

5.1 Infrastructure Security

Network protection measures:

  • Firewall protection with stateful inspection
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  • DDoS protection and traffic filtering
  • Network segmentation to isolate sensitive systems
  • Regular vulnerability scanning and penetration testing

5.2 Cloud Security

Our cloud infrastructure is hosted on certified platforms with enterprise-grade security. We implement additional security layers including virtual private clouds, security groups, and network access control lists.

6. Monitoring and Logging / मॉनिटरिंग आणि लॉगिंग

6.1 Security Monitoring

Continuous monitoring includes:

  • Real-time threat detection and response
  • User activity monitoring and anomaly detection
  • System performance monitoring and alerting
  • Security event correlation and analysis
  • 24/7 security operations center monitoring

6.2 Audit Logging

  • All user actions and system events are logged
  • Logs are stored securely with tamper-proof mechanisms
  • Regular log analysis and security incident detection
  • Compliance with data retention requirements
  • Forensic capabilities for security investigations

7. Compliance Standards / अनुपालन मानके

7.1 Indian Legal Compliance

We comply with:

  • Information Technology Act 2000 and amendments
  • Digital Personal Data Protection Act 2023
  • Information Technology (Reasonable Security Practices) Rules 2011
  • Election Commission of India guidelines
  • State-specific data protection regulations

7.2 International Standards

  • ISO 27001:2013 Information Security Management System
  • NIST Cybersecurity Framework
  • OWASP Application Security Guidelines
  • PCI DSS for payment processing (where applicable)
  • GDPR principles for data protection transparency

8. Incident Response / घटना प्रतिसाद

8.1 Security Incident Response Plan

Our response process includes:

  • Immediate containment and threat isolation
  • Impact assessment and damage evaluation
  • User notification within 72 hours
  • Regulatory reporting as required by law
  • Recovery and restoration procedures
  • Post-incident analysis and improvement

8.2 Breach Notification

In case of a data breach, we will notify affected users and relevant authorities as required by the DPDP Act 2023. Our notification will include details about the breach, potential impact, and steps being taken to address the situation.

9. Data Backup and Recovery / डेटा बॅकअप आणि पुनर्प्राप्ती

9.1 Backup Strategy

  • Automated daily backups with point-in-time recovery
  • Geographically distributed backup storage
  • Encrypted backup data with separate key management
  • Regular backup testing and restoration procedures
  • Retention policies aligned with legal requirements

9.2 Disaster Recovery

We maintain a comprehensive disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Our infrastructure is designed for high availability with redundant systems and failover capabilities.

10. Third-Party Security / तृतीय पक्ष सुरक्षा

10.1 Vendor Security Assessment

All third-party service providers undergo rigorous security assessments before integration. We ensure that vendors maintain appropriate security standards and comply with our data protection requirements.

10.2 Data Processing Agreements

  • Strict data processing agreements with all vendors
  • Regular security audits of third-party services
  • Data minimization and purpose limitation principles
  • Right to audit vendor security practices
  • Immediate termination for security violations

11. Security Training / सुरक्षा प्रशिक्षण

11.1 Employee Security Awareness

Training programs include:

  • Regular security awareness training for all employees
  • Phishing simulation exercises and testing
  • Data protection best practices and procedures
  • Incident response training and drills
  • Compliance training on relevant laws and regulations

11.2 User Education

We provide security guidance and best practices to our users through documentation, training materials, and regular security updates to help them use the platform securely.

12. Policy Updates / धोरण अद्यतने

This Data Protection & Security Policy is reviewed and updated regularly to reflect changes in technology, threats, and regulatory requirements. Users will be notified of significant changes via email and platform notifications.

13. Contact Information / संपर्क माहिती

For security concerns, data protection inquiries, or to report security incidents:

Chief Information Security Officer
Blemense Technologies

📞 +91-9730031956

✉️ security@blemense.tech

🌐 www.kuruksaarthi.com

Security Incident Hotline: Available 24/7 for critical security issues
Response Time: Critical incidents: 1 hour; General inquiries: 24 hours