AOL-Is-POL-010 - Data Security Policy V1.0


Ref: AOL-IS-POL-010

Data Security Policy


Version: 1.0
Owner: CISO
Review Frequency: Half – Yearly
Last reviewed on: Sep 23, 2024
Classification: INTERNAL

Angel One
6th Floor, Ackruti Star, Copyright © Angel One
Central Road, MIDC, All rights reserved.
Andheri East, Mumbai - 400093

No part of this document may be reproduced in any form, including photocopying or by transmission electronically to any computer,
without prior written consent.

Document Control

Version: 1.0
Author: CISO
Approved by: Technology & Cyber Security Committee
Date Approved: Sept 2024


Table of Contents

1. Introduction
2. Purpose
3. Scope
4. Roles and Responsibilities
5. Policy Standard
5.1. Data Definition
5.2. Data Classification & Labelling
5.3. Life Cycle of Data
5.3.1. Data Creation and Collection
5.3.2. Data Storage
5.3.3. Data Use and Processing
5.3.4. Data Sharing and Transmission
5.3.5. Data Retention Requirements
5.3.6. Data Disposal
5.3.7. Data Breach Management
5.4. Secure Data Backup
6. Policy Exceptions and Violations
6.1. Policy Violation Reporting Matrix
7. Document Change History

1. Introduction
In the current digital environment, data represents one of Angel One’s most valuable
assets, making its protection essential for maintaining trust, ensuring regulatory
compliance, and mitigating risks such as cyberattacks, data breaches, and
unauthorized access. This Data Security Policy establishes a framework for
safeguarding sensitive and confidential information, ensuring its confidentiality,
integrity, and availability at all times.

2. Purpose
The purpose of this policy is to define the requirements and practices for protecting
data throughout its entire lifecycle—from creation and storage to use, sharing, and
disposal.

3. Scope
This policy applies to all data created, stored, processed, or transmitted by the
organization, including electronic and physical formats, across all systems and
platforms.

4. Roles and Responsibilities

Role: CISO
Responsibilities:
• Establish directives for safeguarding Angel One data throughout the data lifecycle.
• Oversee compliance efforts to ensure adherence to legal, regulatory and other data
protection and privacy requirements.
• Conduct periodic reviews for compliance with defined policy controls.

Role: Technology team
Responsibilities:
• Implement and manage adequate technical controls to protect data in transit and at
rest, at all stages of the data life cycle.
• Ensure proper configuration and maintenance of IT systems and software.
• Manage secure disposal of IT equipment.

Role: InfoSec Team
Responsibilities:
• Define the recommended data protection guidelines in alignment with legal,
regulatory and data protection best practices.
• Review the adequacy of the existing guidelines.
• Impart appropriate data protection awareness trainings.

Role: Department Heads
Responsibilities:
• Take necessary steps towards inculcating a data protection culture within the
departments.
• Oversee and guide the data classification processes within the department.
• Ensure data retention and destruction policies are followed at department level.
• Review data transfer requests involving third parties.

Role: Employees
Responsibilities:
• Understand and abide by the organisational data protection policies and procedures.
• Responsibly handle business data, ensuring its confidentiality, integrity and
availability.
• Promptly report suspected or actual data breaches to the Information Security team
and line management.
• Participate in mandatory data protection training and awareness programs.

Role: Third Parties
Responsibilities:
• Comply with the data protection requirements outlined in their contracts with Angel
One.
• Implement appropriate security measures to protect data they handle on behalf of
Angel One.
• Promptly report any data security incidents or breaches to Angel One as per the
agreed protocols.

5. Policy Standard
Angel One follows a structured approach to managing data by safeguarding against
unauthorised access, loss or misuse, thereby ensuring the trust and confidence of
our clients, stakeholders, and regulatory bodies. Ensuring security throughout the
data lifecycle is essential for protecting data from unauthorized access, loss, or
corruption at every stage—from collection to disposal.
5.1. Data Definition

Defining data is essential for ensuring clarity, consistency, and accuracy in data
handling and usage. It also supports regulatory compliance, enhances data quality,
and improves overall data management practices, contributing to more effective
decision-making and operational efficiency.

Data Type: Personal Data
Other names: Personal Data (PD), Personally Identifiable Information (PII) or Personal
Information (PI)
What it means: Data or information that, when used alone or with other relevant data,
can identify an individual. PII may contain direct identifiers (e.g. passport
information) that can identify a person uniquely, or quasi-identifiers (e.g. race)
that can be combined with other quasi-identifiers (e.g. date of birth) to
successfully recognize an individual.

Data Type: Sensitive Personal Data
Other names: Sensitive Personal Data (SPD) or Sensitive Personal Information (SPI)
What it means: Information which, if lost, compromised, or disclosed without
authorization, could result in substantial harm, embarrassment, inconvenience or
unfairness to an individual. Usually such information about a person would, in the
ordinary course of events, be known only to the person or to members of the family,
or friends, of the person.

Data Type: Authentication Data
Other names: Sensitive authentication data (SAD)
What it means: Information that is validated for authenticating any person or
application before allowing access to an authorized service (e.g. PIN, password,
passphrase, OTP, thumb impression, iris scan, face scan, etc.).

Data Type: Financial Data
Other names: Transaction Data or Financial history
What it means: Data related to an individual's or organization's financial activities
and status.

Angel One, being a regulated entity, also adheres to the below definitions of
regulatory data wherever applicable –
Regulatory Data -
1. Data related to core and critical activities of the RE, as well as any supporting/ancillary
data impacting core and critical activities.
2. Data with respect to communication between investors and REs through applications
(e.g. chat communication, messages, emails, etc.).
3. Data that is required by the laws/ regulations/ circulars, etc. issued by SEBI and Govt.
of India from time to time.
4. Data that is deemed necessary or sensitive by the RE/ SEBI/ central or state
government.
IT and Cyber Security Data –
Logs and metadata related to IT systems and their operations, excluding –
1. Any Regulatory Data, and
2. Sensitive data such as internal network architecture, vulnerability details, details of
admin/ privileged users, password hashes, system configuration, etc.

5.2. Data Classification & Labelling

Information classification is the process of classifying information assets based on
their business value, from the perspective of Confidentiality, Integrity and Availability
(CIA). The purpose of classification is to determine the required level of security for
the information asset and to enable the owner / custodian / users to protect
information appropriately during storage, transmission and processing.
All Angel One information shall be classified as per the classification scheme defined
in below table -

Data Type: Public
Definition: Public information is considered to have no confidentiality value and it is
intended to be brought to the notice of the general public. Public information
includes various services, marketing brochures, promotional literature, advertising
media and the company's website.

Data Type: Internal
Definition: Internal Information is any information that can be freely circulated
within the company and among contractors / vendors supporting the company without any
impact to the company. Sharing these documents outside the company may not have a
major impact on the company but involves some administrative inconvenience.
Examples of "Internal" information include but are not limited to policies,
processes, procedures, internal memos, templates, employee communications, etc.

Data Type: Confidential
Definition: Confidential Information is sensitive to internal and external exposure,
the unauthorized disclosure of which would cause administrative embarrassment or
difficulty. Examples of confidential information include but are not limited to
personal data of the Bank customers which should be protected from breach of

Data Type: Restricted
Definition: Restricted Information is highly sensitive to internal and external
exposure. Examples of restricted information include but are not limited to treasury
operations, investment portfolios, proposals under study, future business plans,
Board decisions, enquiry or vigilance reports and reports regarding frauds and
irregularities, etc.

Based on the classification levels, classification label shall be applied to all hard copy
and softcopy documents consistent with the information contained in it, except for
the public information.
Wherever possible, all information, data, documents shall be clearly labelled so that
all the users are aware of the ownership and classification of the information.
5.3. Life Cycle of Data

5.3.1. Data Creation and Collection

• Angel One shall implement adequate security controls to safeguard data from the moment it
is created or collected. Data may be collected directly from the data owner, from third
parties, from other business units, from regulatory bodies, etc.
• Strict access controls shall be implemented at the data collection stage to prevent
unauthorised data entry or tampering.
• Data protection principles such as consent management, purpose limitation and the
declared scope of the data collection activity shall be communicated to the individuals
whose data is collected.


5.3.2. Data Storage
Data during storage shall be protected from unauthorized access, tampering, loss or
corruption.
• Data at rest shall be protected using appropriate techniques such as encryption,
tokenization or anonymization, as applicable to the data type.
• Data shall be encrypted using industry-standard encryption protocols to protect against
unauthorized access. Refer to the Cryptographic Security Policy for the approved ciphers.
• Role based access controls shall be implemented to restrict access to stored data
based on the principle of least privilege. All access shall require authentication
and authorization.
• Data segmentation shall be explored to store sensitive data separately from less
sensitive data, limiting the exposure if one store is compromised.
• Adequate security procedures shall be built into the data backup and restoration process.

5.3.3. Data Use and Processing

Data in use shall be secured to ensure that it is used for the intended purpose only,
by restricting access on the least privilege principle.
• Users shall be granted access on the least privilege principle, ensuring they have
access only to the data necessary for their job role.
• Data anonymization, tokenization or masking shall be applied when sensitive data is
displayed on screen or printed.
• Adequate logging and monitoring shall be implemented to detect any unusual
activity or threat.
• Measures shall be taken to ensure the integrity of data during processing, including
validation checks and secure transmission protocols.
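The tokenization requirement in 5.3.2 and the display masking requirement in 5.3.3, as one added worked example in Python. This is illustrative code written for this page, not Angel One's own implementation or tooling. It assumes a constructed client record with made-up values, a hypothetical role name `kyc_reviewer` that is permitted to see unmasked identifiers, and a hard-coded tokenization key standing in for one held in a KMS/HSM under the Cryptographic Security Policy.

```python
import hashlib
import hmac
import re

# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "client_id": "C1001",
    "name": "Example Client",
    "pan": "ABCDE1234F",
    "mobile": "+91 98765 43210",
    "email": "client@example.com",
    "bank_account": "123456789012",
    "holding_value": 250000.0,
}

# Assumption: in production the tokenization key is held in a KMS/HSM and
# rotated per the Cryptographic Security Policy. It is hard-coded here only
# so the example runs offline.
TOKEN_KEY = b"example-only-tokenization-key"

# Assumption: only this hypothetical role may see identifiers unmasked.
UNMASKED_ROLES = {"kyc_reviewer"}

# Direct identifiers that must not leave the system in clear form for
# secondary use (reporting, analytics, test data).
IDENTIFIERS = ("client_id", "name", "pan", "mobile", "email", "bank_account")


def tokenize(value: str, field: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic token (HMAC-SHA256).

    Same value + same field -> same token, so tokenized datasets can still be
    joined on the token; without the key the token cannot be reversed. The
    field name is mixed in so the same digit string used as a PAN and as an
    account number does not produce the same token across fields.
    """
    msg = field.encode() + b"\x00" + value.encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"tok_{field}_{mac[:24]}"


def mask_pan(pan: str) -> str:
    """Indian PAN format AAAAA9999A; reveal only the last four characters."""
    if not re.fullmatch(r"[A-Z]{5}[0-9]{4}[A-Z]", pan):
        raise ValueError("malformed PAN")
    return "X" * 6 + pan[-4:]


def mask_mobile(number: str) -> str:
    digits = re.sub(r"\D", "", number)
    if len(digits) < 10:
        raise ValueError("malformed mobile number")
    return "X" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed email")
    return local[0] + "***@" + domain


def mask_account(acct: str) -> str:
    if len(acct) < 4:
        raise ValueError("malformed account number")
    return "X" * (len(acct) - 4) + acct[-4:]


MASK_RULES = {
    "pan": mask_pan,
    "mobile": mask_mobile,
    "email": mask_email,
    "bank_account": mask_account,
}


def for_display(record: dict, role: str) -> dict:
    """View of a record for on-screen or printed output (5.3.3).

    Masking is applied to every field with a rule unless the caller's role is
    explicitly permitted to see clear values. Masking changes only what is
    rendered; it is not a substitute for encryption at rest (5.3.2).
    """
    view = dict(record)
    if role in UNMASKED_ROLES:
        return view
    for field, rule in MASK_RULES.items():
        if field in view:
            view[field] = rule(view[field])
    return view


def for_analytics(record: dict) -> dict:
    """Copy of a record for secondary use: direct identifiers are replaced by
    keyed tokens and the free-text name is dropped (purpose limitation)."""
    out = {}
    for field, value in record.items():
        if field == "name":
            continue
        out[field] = tokenize(str(value), field) if field in IDENTIFIERS else value
    return out
```

Two design points worth checking in any real implementation: a deterministic token preserves joins and equality, which is exactly why it also leaks equality (two rows with the same token share a client), so datasets that do not need joins should use random tokens held in a vault instead; and because values such as mobile numbers have low entropy, anyone who obtains the key can brute-force them from the tokens offline, so the key, not the token, is the secret to protect.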

5.3.4. Data Sharing and Transmission

Data in transit shall be protected to ensure it is not exposed or tampered with during
transmission.
• Data transmitted over networks shall be encrypted to protect against interception
and unauthorized access. Secure email, encrypted files, password protection, etc.
shall be used as applicable, with ciphers approved under the Cryptographic Security
Policy.
• Data sharing with third parties shall occur only through secure channels, such as
VPNs, secure file transfer protocols or HTTPS.
• Data sharing with third parties shall be governed by formal agreements that
stipulate security and privacy requirements.


5.3.5. Data Retention Requirements

Data shall be retained according to organizational policies and legal or regulatory
requirements. Retention periods shall be documented and enforced.

5.3.6. Data Disposal
• Data which is no longer required to be retained, shall be disposed using secure disposal
process.
• Data disposal methods shall ensure that data cannot be reconstructed or retrieved. This
includes (but not limited to) secure deletion, physical destruction, or shredding of
storage media.
• Disposal activities shall be documented, including the method used and confirmation of
destruction. Post disposal verification shall be performed, wherever technically
possible.
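A file-level illustration of the disposal and post-disposal verification record required above, as an added Python example written for this page (not Angel One's own procedure or tooling). It assumes a constructed sample file written to a temporary directory and a made-up requester identity. The overwrite-and-readback check verifies only that the logical file content was replaced: on SSDs and flash, copy-on-write or journaling filesystems, snapshots and cloud object storage, the old blocks can survive out of reach of the file API, so there the policy's physical destruction of media or destruction of the encryption key (cryptographic erasure) is the verifiable method, and the record's `method` field should state which one was used.

```python
import hashlib
import json
import os
import secrets
import tempfile
from datetime import datetime, timezone

# Constructed sample content standing in for a file past its retention period.
SAMPLE_CONTENT = b"CONFIDENTIAL: constructed sample ledger line\n" * 2048

CHUNK = 64 * 1024


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite_file(path: str, passes: int = 1) -> None:
    """Overwrite the file in place with random bytes and force it to disk.

    Only meaningful on media where the rewrite lands on the same physical
    blocks (see the caveat in the lead-in above).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def dispose_file(path: str, requested_by: str, passes: int = 1) -> dict:
    """Securely delete one file and return the disposal record the policy
    asks for: method used, evidence the content was destroyed, who and when.
    """
    size = os.path.getsize(path)
    before = sha256_file(path)
    overwrite_file(path, passes)
    after = sha256_file(path)
    # Post-disposal verification: the readback must differ from the original
    # (an empty file has nothing to destroy) and the file must then be gone.
    content_destroyed = size == 0 or (after != before and os.path.getsize(path) == size)
    os.remove(path)
    return {
        "path": os.path.abspath(path),
        "size_bytes": size,
        "method": f"overwrite-{passes}pass+unlink",
        "sha256_before": before,
        "sha256_after_overwrite": after,
        "verified": content_destroyed and not os.path.exists(path),
        "requested_by": requested_by,
        "disposed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def run_demo() -> dict:
    """Write the constructed sample file to a temp dir, dispose of it, and
    return the record (also printed as JSON so it can be filed)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client_ledger_2019.csv")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        # Assumption: requester identity is made up for the example.
        record = dispose_file(path, requested_by="example-department-head")
    print(json.dumps(record, indent=2))
    return record


if __name__ == "__main__":
    run_demo()
```

The `verified` flag is the evidence the "post disposal verification" bullet asks for; a record with `verified: false` should block sign-off rather than be filed. For disposal of whole media rather than single files, the same record layout applies but the method and evidence change (for example a vendor's destruction certificate, or the KMS audit event showing the key version was destroyed).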

5.3.7. Data Breach Management

• Procedures shall be in place to respond to data breaches, including containment,
investigation, notification, and remediation. Refer Information Security Incident
Management policy and Cyber Crisis Management Plan for more details.
• Regulatory and affected parties shall be notified as required by law and organizational
policies in the event of a data breach.
5.4. Secure Data Backup

• Angel One shall have documented backup and recovery procedures for critical
information like (but not limited to) – application source code and configuration files,
data files, system software, configuration of network and security devices, etc.
• Backup schedules shall be defined and operational monitoring procedure shall be in
place to assess the completeness of the backup process.
• Data Owners shall define the backup retention requirements to satisfy the business,
regulatory and legal requirements.
• Backup media, if used, shall be adequately protected in transit and storage.
• Data Backup shall be periodically tested for restoration of original content in usable
form.


6. Policy Exceptions and Violations


• In case of any deviation from the policy guidelines, a Risk Acceptance form shall be
submitted to the CISO for approval.
• Refer to the Angel One Risk Acceptance Policy for the Risk Acceptance form and the
process to be followed.
6.1. Policy Violation Reporting Matrix

Any violation of this security policy shall be reported to the Information Security Team
following the reporting matrix below.

Policy Violation Reporting Structure

Level 1: Employee's Reporting Manager, <Reporting Manager Email ID>
Level 2: ISMS Team / Coordinator, isms@angelbroking.com
Level 3: CISO, ciso@angelbroking.com


7. Document Change History

Previous Version: 0
Current Version: 1.0
Revision Month: Sept 2024
Summary of Changes: New policy created as per ISMS requirement and policy
restructuring activity.

