Effective Date: January 1, 2026

1. Introduction and Scope

This policy sets out the rules and guidelines for the secure and appropriate use of QuikkRed's Information Technology (IT) resources. It applies to all employees, contractors, vendors, and any third parties who have access to QuikkRed's IT infrastructure, systems, applications, and data.

Objective: To protect QuikkRed's sensitive data, systems, and assets from unauthorized access, misuse, disclosure, disruption, modification, or destruction, while ensuring compliance with applicable laws and regulatory requirements including RBI guidelines for NBFCs.

2. Information Security Management

2.1 Data Classification

All data handled by QuikkRed shall be classified into the following categories:

•Confidential: Highly sensitive financial, customer (KYC, transactional), or proprietary business data. Access restricted to authorized personnel only.
•Internal: Operational data, non-public communications, internal policies, and procedures. Accessible to employees on a need-to-know basis.
•Public: Information intended for general release, such as marketing materials, press releases, and publicly available policies.

2.2 Access Control

•Principle of Least Privilege: Users shall be granted the minimum level of access necessary to perform their job functions.
•User Authentication: All users must authenticate using unique credentials before accessing company systems.
•Strong Passwords: Passwords must be at least 12 characters long, contain a mix of uppercase, lowercase, numbers, and special characters, and be changed every 90 days.
•Multi-Factor Authentication (MFA): MFA is mandatory for accessing critical systems, remote access, and administrative functions.

2.3 Encryption

•All confidential customer data must be encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption).
•Laptop hard drives storing confidential data must use full-disk encryption.
•Encryption keys must be stored securely and managed through a centralized key management system.

3.1 General Usage

Company IT resources are provided primarily for business purposes. Limited personal use is permitted provided it does not:

•Interfere with work performance or productivity
•Consume excessive network bandwidth
•Violate any company policies or applicable laws
•Compromise system security or integrity

3.2 Software and Licensing

•Only licensed and authorized software approved by the IT Department may be installed on company devices.
•Users are prohibited from downloading, installing, or using pirated, unlicensed, or unauthorized software.
•All software must be kept updated with the latest security patches.

3.3 Email and Internet

•Company email is for professional use. Users must not use company email for personal business, chain letters, or spam.
•Users must exercise caution when opening email attachments or clicking links from unknown sources to prevent phishing and malware attacks.
•Access to inappropriate, offensive, or non-work-related websites is prohibited.

4. Remote Access and Mobile Device Management (MDM)

4.1 Remote Access (VPN)

•All remote access to QuikkRed's internal network must be conducted via a secure Virtual Private Network (VPN) connection.
•VPN access requires multi-factor authentication and is subject to logging and monitoring.
•Users must ensure their home networks are secure and not use public Wi-Fi for accessing sensitive company data.

4.2 Bring Your Own Device (BYOD)

•Personal devices used for work purposes must be registered with and governed by the Mobile Device Management (MDM) solution.
•BYOD devices must have up-to-date antivirus software, screen lock enabled, and encryption activated.
•QuikkRed reserves the right to remotely wipe company data from personal devices in case of loss, theft, or employment termination.

5. Incident Management and Disaster Recovery

5.1 Security Incident Response

•All security incidents must be reported immediately to the IT Security team and formally documented.
•The Incident Response Team will investigate, contain, eradicate, and recover from security incidents following established procedures.
•Post-incident reviews will be conducted to identify root causes and implement preventive measures.

5.2 Data Backup

•Critical business data must be backed up daily to secure, off-site locations.
•Backup integrity must be verified regularly through restoration tests.
•Backup data must be encrypted and access-controlled.

5.3 Disaster Recovery (DR)

•A comprehensive Disaster Recovery Plan (DRP) shall be maintained and documented.
•The Disaster Recovery Plan must be tested at least once every six months through tabletop exercises or full-scale drills.
•Recovery Time Objective (RTO) and Recovery Point Objective (RPO) shall be defined for critical systems.

6. Roles and Responsibilities

Role	Responsibilities
All Users	Comply with this policy and all related security procedures. Report any security incidents or suspicious activities immediately. Protect credentials and not share passwords. Complete mandatory security awareness training.
IT Department	Implement and maintain technical security controls. Manage user access and authentication systems. Monitor systems for security threats. Conduct regular security assessments and vulnerability scans. Maintain and test backup and disaster recovery systems.
Chief Information Security Officer (CISO)	Develop and maintain information security policies and procedures. Oversee the implementation of security controls across the organization. Report to the Board on security posture and incidents. Ensure compliance with regulatory requirements. Lead security incident response and investigations.

Chief Information Security Officer (CISO): Mr. Rohan Verma

Contact Email: ciso@quikkred.com

7. Policy Review and Compliance

•This policy shall be reviewed annually or whenever there are significant changes to the IT environment, regulatory requirements, or business operations.
•Violations of this policy may result in disciplinary action, up to and including termination of employment.
•All employees must acknowledge receipt and understanding of this policy upon joining and annually thereafter.

Effective Date: January 1, 2026

1. Introduction and Scope

2. Information Security Management

2.1 Data Classification

All data handled by QuikkRed shall be classified into the following categories:

•Confidential: Highly sensitive financial, customer (KYC, transactional), or proprietary business data. Access restricted to authorized personnel only.
•Internal: Operational data, non-public communications, internal policies, and procedures. Accessible to employees on a need-to-know basis.
•Public: Information intended for general release, such as marketing materials, press releases, and publicly available policies.

2.2 Access Control

•Principle of Least Privilege: Users shall be granted the minimum level of access necessary to perform their job functions.
•User Authentication: All users must authenticate using unique credentials before accessing company systems.
•Strong Passwords: Passwords must be at least 12 characters long, contain a mix of uppercase, lowercase, numbers, and special characters, and be changed every 90 days.
•Multi-Factor Authentication (MFA): MFA is mandatory for accessing critical systems, remote access, and administrative functions.

2.3 Encryption

•All confidential customer data must be encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256 encryption).
•Laptop hard drives storing confidential data must use full-disk encryption.
•Encryption keys must be stored securely and managed through a centralized key management system.

3.1 General Usage

Company IT resources are provided primarily for business purposes. Limited personal use is permitted provided it does not:

•Interfere with work performance or productivity
•Consume excessive network bandwidth
•Violate any company policies or applicable laws
•Compromise system security or integrity

3.2 Software and Licensing

•Only licensed and authorized software approved by the IT Department may be installed on company devices.
•Users are prohibited from downloading, installing, or using pirated, unlicensed, or unauthorized software.
•All software must be kept updated with the latest security patches.

3.3 Email and Internet

•Company email is for professional use. Users must not use company email for personal business, chain letters, or spam.
•Users must exercise caution when opening email attachments or clicking links from unknown sources to prevent phishing and malware attacks.
•Access to inappropriate, offensive, or non-work-related websites is prohibited.

4. Remote Access and Mobile Device Management (MDM)

4.1 Remote Access (VPN)

•All remote access to QuikkRed's internal network must be conducted via a secure Virtual Private Network (VPN) connection.
•VPN access requires multi-factor authentication and is subject to logging and monitoring.
•Users must ensure their home networks are secure and not use public Wi-Fi for accessing sensitive company data.

4.2 Bring Your Own Device (BYOD)

•Personal devices used for work purposes must be registered with and governed by the Mobile Device Management (MDM) solution.
•BYOD devices must have up-to-date antivirus software, screen lock enabled, and encryption activated.
•QuikkRed reserves the right to remotely wipe company data from personal devices in case of loss, theft, or employment termination.

5. Incident Management and Disaster Recovery

5.1 Security Incident Response

•All security incidents must be reported immediately to the IT Security team and formally documented.
•The Incident Response Team will investigate, contain, eradicate, and recover from security incidents following established procedures.
•Post-incident reviews will be conducted to identify root causes and implement preventive measures.

5.2 Data Backup

•Critical business data must be backed up daily to secure, off-site locations.
•Backup integrity must be verified regularly through restoration tests.
•Backup data must be encrypted and access-controlled.

5.3 Disaster Recovery (DR)

•A comprehensive Disaster Recovery Plan (DRP) shall be maintained and documented.
•The Disaster Recovery Plan must be tested at least once every six months through tabletop exercises or full-scale drills.
•Recovery Time Objective (RTO) and Recovery Point Objective (RPO) shall be defined for critical systems.

6. Roles and Responsibilities

Role	Responsibilities
All Users	Comply with this policy and all related security procedures. Report any security incidents or suspicious activities immediately. Protect credentials and not share passwords. Complete mandatory security awareness training.
IT Department	Implement and maintain technical security controls. Manage user access and authentication systems. Monitor systems for security threats. Conduct regular security assessments and vulnerability scans. Maintain and test backup and disaster recovery systems.
Chief Information Security Officer (CISO)	Develop and maintain information security policies and procedures. Oversee the implementation of security controls across the organization. Report to the Board on security posture and incidents. Ensure compliance with regulatory requirements. Lead security incident response and investigations.

Chief Information Security Officer (CISO): Mr. Rohan Verma

Contact Email: ciso@quikkred.com

7. Policy Review and Compliance

•This policy shall be reviewed annually or whenever there are significant changes to the IT environment, regulatory requirements, or business operations.
•Violations of this policy may result in disciplinary action, up to and including termination of employment.
•All employees must acknowledge receipt and understanding of this policy upon joining and annually thereafter.

IT Security Policy

1. Introduction and Scope

2. Information Security Management

2.1 Data Classification

2.2 Access Control

2.3 Encryption

3.1 General Usage

3.2 Software and Licensing

3.3 Email and Internet

4. Remote Access and Mobile Device Management (MDM)

4.1 Remote Access (VPN)

4.2 Bring Your Own Device (BYOD)

5. Incident Management and Disaster Recovery

5.1 Security Incident Response

5.2 Data Backup

5.3 Disaster Recovery (DR)

6. Roles and Responsibilities

7. Policy Review and Compliance

IT Security Policy

1. Introduction and Scope

2. Information Security Management

2.1 Data Classification

2.2 Access Control

2.3 Encryption

3.1 General Usage

3.2 Software and Licensing

3.3 Email and Internet

4. Remote Access and Mobile Device Management (MDM)

4.1 Remote Access (VPN)

4.2 Bring Your Own Device (BYOD)

5. Incident Management and Disaster Recovery

5.1 Security Incident Response

5.2 Data Backup

5.3 Disaster Recovery (DR)

6. Roles and Responsibilities

7. Policy Review and Compliance