
Vedantu - Data Security Policy

The Data Security Policy of Vedantu Innovations Pvt. Ltd. outlines the importance of protecting Confidential Data and establishes security principles for data users. It emphasizes accountability, authorization, and availability while detailing the scope, data ownership, and processing environment related to Confidential Data. The policy mandates compliance from all data users and requires annual reviews to ensure adherence to applicable laws and regulations.

DATA SECURITY POLICY

Data Security Policy – Version 1.1

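Columns: Version | Coverage | Proposed By | Reviewed By | Approved By | Effective Date | Modifications

Version 1.0 | Coverage: 9 Points | Effective Date: 1st May 2019 | Modifications: New Policy
Proposed By / Reviewed By / Approved By (as listed): Abhishek Chiripal S Naga Siddhartha S Vamsi Krishna (DGM - HR, CHRO, CEO)

Version 1.1 | Coverage: 13 Points | Effective Date: 1st January 2021 | Modifications: HR System Update
Proposed By / Reviewed By / Approved By (as listed): Shreyanka Trivedi, Vamsi Krishna (Human Resource, CEO)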

Data Security Policy | Confidential | No part of this document may be circulated or reproduced in part or in full without the explicit, written
permission of the top management representative of Vedantu Innovations Pvt. Ltd.
1. INTRODUCTION
1.1. The purpose of this document is to define the data security policy (Policy) of Vedantu
Innovations Private Limited (Company).
1.2. Confidential Data (as defined hereinafter) is considered a primary asset of the Company and
is required to be protected in accordance with Applicable Laws (as defined hereinafter) by the
Data Users (as defined hereinafter).
1.3. Data protection is the process of preventing unauthorized access to and/or use of Confidential Data
by placing reasonable security standards in place, in accordance with any central, state, provincial,
local or municipal statute, law, common law, ordinance, rule, regulation, order, writ, injunction,
directive, judgment, decree or policy or guideline having the force of law (Applicable Law). Such
protection is necessary because data processing represents a concentration of valuable assets in the
form of information, equipment, and personnel.
1.4. Security compromises or privacy violations may jeopardize the ability of the Company to
provide service, lead to loss in revenue of the Company, violate business contracts, lead to disclosure
of trade secrets, breach of privacy of the customers of the Company and/or reduce goodwill of the
Company.
1.5. This Policy has been written with the following goals in mind:
• To inform all Data Users about their obligation for the protection of all Confidential Data and
the manner of handling Confidential Data;
• To ensure the security, integrity, and availability of all Confidential Data;
• To establish the Company’s baseline data security stance and classification scheme; and
• To ensure that Confidential Data is protected in all of its forms, on all media, during all phases
of its Data Life Cycle, from unauthorized or inappropriate access, use, modification,
disclosure, or destruction.
1.6. This Policy defines the Company’s overall security and risk control objectives that we endorse. The
premise for the Policy can be stated as:
“Other than data defined as public, which is accessible to all identified and authenticated users,
all data and processing resources are only accessible on a need-to-know basis to specifically
identified, authenticated, and authorized entities.”

2. COMPANY’S SECURITY PRINCIPLES
2.1. The Company’s business goals, objectives, and needs for security can be derived from three
principles:
Accountability:
a) All network, system, and application events should be attributable to a specific and unique
individual;
b) It should be possible to attribute a responsible individual to every event through an identification
service and to verify that the individual so assigned has been properly identified through an
authentication service.
In this context identification refers to a security service that recognizes a claim of identity by
comparing a user i.d. offered with stored security information and authentication refers to a
security service that verifies the claimed identity of the user, for example a password; and
c) It must also be possible to trace any event so as to reconstruct the time, place, and circumstances
surrounding it through an audit.

Authorization:

d) All networks, systems, and applications should be secured through access control mechanisms, viz. a
security service that allows or denies a user request based on privilege, group information, or
context.
e) Permission may be derived directly from an individual’s identity, or from a job classification or
administrative privilege based on that individual’s identity. The principle of “least privilege”
specifies that individuals only be granted permission for actions needed to perform their jobs;
and
f) Limiting actions to those properly authorized protects the confidentiality and integrity of
Confidential Data within the Processing Environment (as defined hereinafter). In this context,
confidentiality refers to a security service that prevents disclosure of information to unauthorized
parties while the information is in use or transit or being stored or destroyed, and integrity refers
to a security service that guarantees Confidential Data has not been altered, deleted, repeated
and/or rearranged during transmission, storage, processing and/or recovery.
Availability:
g) All permitted activity should operate with reliability;

h) Confidential Data necessary to carry out such events must be readily retrieved and correct with
high confidence;
i) All results of an event must be completed, unless the event is aborted in its entirety;
j) The results of an event should not depend in unexpected ways on other concurrent events;
k) The security services themselves must be documented and easily administered; and
2.2. These three principles emphasize the need for security to function properly in
the Processing Environment. Non-compliance with these principles can have serious, adverse effects on
the Company. In the context of this Policy, the following provides the overall concepts or
security principles for which all Data Users are responsible.
2.3. It is the responsibility of the Company to define the specific mechanisms necessary to support these
principles.

3. SCOPE
3.2. Data classification is necessary to enable the allocation of resources for the protection of Confidential
Data, as well as determining the potential loss and/or damage from the corruption, loss and/or unlawful
disclosure of Confidential Data.
3.3. To ensure the security and integrity of all Confidential Data, the default data classification for any data is
either Confidential Customer Data or Confidential Company Data. The Company shall evaluate and
classify new data types as they enter usage. It may be necessary to develop additional data classifications
as the Company enters new business endeavors.
3.4. This Policy applies to all information which includes data (i.e., a representation of
information, knowledge, facts, concepts and/or instructions), messages, text, images, sound, voice,
codes, computer programmes, software and/or data bases:
a) owned, collected, transferred, stored and/or processed by the Company which is confidential in
nature and that is not to be publicly disclosed, regardless of its economic value. The unlawful
disclosure, use and/or destruction of Confidential Company Data may have adverse effects on the
Company and/or the Data Users and possibly carry significant civil, fiscal and/or criminal liability. The
access to this type of highly sensitive information is restricted to selected and
authorized Employees. (Confidential Company Data);

b) owned, collected, transferred, stored and/or processed by the Company and which derives its
economic value from not being publicly disclosed and the value of which would be destroyed or
diminished if such information were disclosed to any other person without the prior consent of the
Company. Such information includes information that the Company is under statutory and/or
contractual obligation to protect. Most of the information would fit this criterion. (Proprietary
Company Data)
c) identifiable to the Company’s customers which is collected, transferred, stored and/or processed by
the Company. This is the kind of information which only authorised Data Users can access. The
disclosure, use, or destruction of this kind of information may have adverse effects on the Company
and the relationship with the Customers, and possibly carry significant liability for both. This is a kind
of Information over which the Company has a custodial responsibility but does not have any
ownership. (Confidential Customer Data); (collectively, the Confidential Company Data, Proprietary
Company Data and Confidential Customer Data is referred to as Confidential Data), that exists in
a Processing Environment (defined hereinafter) and/or in any form other than that in the Processing
Environment, during any part of the Data Life Cycle (defined hereinafter).
3.5. The following entities and/or users are covered by this Policy:
a. Full and/or part-time employees of the Company who have access to and/or process the Confidential
Company Data and/or Confidential Customer Data (Employees);
b. The Company’s vendors, suppliers, agents and/or data processors who have access to and/or process
Confidential Company Data or Confidential Customer Data (Vendors); and
c. Other persons, entities, and/or organizations who have access to and/or process the Confidential
Company Data and/or Confidential Customer Data (Other Third Parties). (collectively referred to as the
Data Users).
3.6. This Policy forms part of the terms and conditions of the contractual agreement between the Company and
each Data User. It shall be deemed that each Data User has read the terms and conditions of this Policy and
confirms that they understand the terms of the Policy and agree to abide by it.
3.7. The Data Users are personally responsible for complying with this Policy, and Confidential Data to which
the Data Users have access may only be used in a manner consistent with this Policy. All
Data Users are held accountable for the accuracy, integrity, and confidentiality of the Confidential
Information to which they have access, to the reasonable extent as permitted under Applicable Law.

3.8. It is the responsibility of the Company to facilitate the review of this Policy on an annual basis or as and
when required under Applicable Law. The Chief Technology Officer / Engineering Head, Data Analytics
Head and Legal Department Head of the Company should participate in the annual review of this Policy.
3.9. The nature of specific Confidential Data that exists in the Processing Environment, and the controls that
should apply to it, is dependent upon various factors. This Policy does not mandate or endorse
any particular type of data. Rather, the business decision process used to evaluate the inclusion or exclusion
of a particular data type should consider the items listed below. Regardless of the specific type of
data that exists in the Processing Environment, all aspects of this Policy must be enforced. Considerations
for evaluating data content include:

a. Legal and regulatory obligations in the locales in which the Company operates.

b. Can privacy, confidentiality, security, and integrity of Confidential Data be ensured to the
satisfaction of customers and legal authorities?

c. Is it in line with our business goals and objectives?

d. Do customers require or demand access to specific data content?

e. What rules govern the movement across international boundaries of different data content, and do
we have in place controls to enforce these rules?

4. DATA OWNERSHIP

4.2. The owner of all Confidential Customer Data is the person who generates or is assigned ownership
of that Confidential Data. (Data such as public key certificates generated by an external Certificate
Authority but assigned to a specific customer is considered owned by that customer.)

4.3. In order to classify Confidential Data, it is necessary that an owner be identified for all Confidential Data.
The owner of Confidential Customer Data is responsible for classifying their data according to the
classification scheme in this Policy. If an owner cannot be determined for any Confidential Customer
Data, the Company must act as its custodian. The Company is responsible for developing, implementing,
and maintaining procedures for identifying all Confidential Data and associated owners.

5. PROCESSING ENVIRONMENT

5.2. The Company’s processing environment is comprised of the following (Processing Environment):

a. Applications – Application software is system or network-level routines and programs designed by
(and for) Data Users and Customers. It supports specific business-oriented processes, jobs, or
functions. It can be general in nature or specifically tailored to a single or limited number of
functions;

b. Systems – A system is a collection, inter-connection and/or assembly of devices and/or computer
hardware (i.e. any electronic, magnetic, optical or other high speed data processing device and/or
system which performs logical, arithmetic and memory functions by manipulations of electronic
and/or optical impulses) including any input and output support devices, used in conjunction with
computer programmes, electronic instructions, input and output data, application software which
performs logic, arithmetic, data storage, retrieval, communication control and/or other functions
for the purpose of processing, handling, storing, transmitting and/or receiving Confidential Data,
which is used in a production and/or support environment for performing tasks and business
processes; and
c. Networks – A network is defined as two or more Systems connected by a communication medium.
It includes all elements (e.g., routers, switches, bridges, hubs, servers, firewalls, controllers, and/or
other devices) which are used for transferring information between Systems.

6. DATA LIFE CYCLE

6.1. The security of Confidential Data can be understood through the use of a data life cycle. The typical cycle
of dealing with Confidential Data is:

a. Confidential Data Generation / Confidential Data Collection;

b. Confidential Data Storage;

c. Confidential Data Usage;

d. Confidential Data Transmission; and

e. Confidential Data Disposal and/or Confidential Customer Data Anonymization (collectively referred
to as Data Life Cycle)

6.2. The clauses hereinafter provide detailed guidance as to the different phases of the Data Life Cycle.

7. CONFIDENTIAL DATA GENERATION/CONFIDENTIAL DATA COLLECTION

7.1. The Company collects information from its customers (Customers) including name, e-mail address,
educational qualifications, educational grades, standard, contact information for providing the following
services [insert the details of the services provided by the Company] (Services). The Company obtains
Confidential Customer Data in the following manner:

a. User Generated Data Collection – The Customer voluntarily provides information (including name, e-
mail, contact number, grade or class standard, exam details, location) on www.vedantu.com for
availing the Services from the Company;

b. Customer Support Generated Data Collection – The Customer voluntarily provides information
(including name, e-mail, contact number, grade or class standard, exam details, location) to the
Employees via telephonic means for availing the Services from the Company;

c. Social Integration Based Data Collection – The Customer voluntarily permits the Company to access
information (including the name and e-mail address) of the Customer from www.facebook.com
and/or www.google.com for verification purposes and for availing the Services from the Company;
and/or

d. Business Development Based Data Collection – The Customer voluntarily provides information to the
Employees at meetings organized by the Company for carrying out business development activities.

7.2. The Data Users shall not collect and/or require the disclosure of any information from the Customers
unless the:

a. information is collected for a lawful purpose connected with a function or activity of the Company.

b. collection of the information is necessary for the lawful purpose as identified in the consent provided
by the customer of the Company prior to the collection of the information;

c. Customer has the knowledge of the:

• fact that the information is being collected;

• purpose for which the information is being collected;

• intended recipients of the information;

• name and address of the agency which is collecting the information; and

• name and address of the agency which will retain the information.

d. the Customer has been provided an option to not provide the Confidential Customer Data.

8. CONFIDENTIAL DATA STORAGE


8.1. The Company uses a dedicated third-party virtual cloud-based data storage system (which is protected
by firewalls, login i.d., passwords, SSL connections, etc.) provided by mLab www.mlab.com and/or any
Other Third Party (Cloud Service Provider) for the storage of Confidential Data. The Company shall at all
times ensure that the Cloud Service Provider provides at least the same level of data protection which is
being adhered to by the Company.

8.2. Confidential Data may only be accessed and/or used within the internal network of the Company /
outside the Company’s network as specifically authorized by the Company, on a need-to-know basis, by
the member(s) of the:

a. Data Analytics Team of the Company (as explicitly authorized by the Analytics Head of the
Company);

b. Technical Team of the Company (as explicitly authorized by the Technical Team Leader(s) of the
Company); and/or

c. Vendors and/or Other Third Parties (as explicitly authorised by the Company) for accessing and/or
using Confidential Data by using the following access control mechanisms:

a. unique Data User identifiers;

b. login IDs and passwords;

c. network restrictions; and/or

d. Confidential Data partitioning (each referred to as an Access Control Mechanism).

8.3. The Company shall ensure that a separate account / unique identifier (Data User Account) with a
password is created for each Data User.

8.4. Each Data User may access Confidential Data using the Data User Account with a password and the
Company shall ensure that necessary logs are maintained to determine the time, location and name of
the Data User accessing and/or using the Confidential Information.

8.5. The Company shall at all times, ensure that Confidential Data stored by the Company and/or transferred
to any Data User and the Processing Environment is kept secure using the International Standard
IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management
System – Requirements” or any other reasonable security standards as required under Applicable Law.

8.6. Data Users shall ensure that the Confidential Customer Data shall not be retained for longer than it is
required for the purpose for which the Confidential Customer Data may lawfully be used. However, the
Company and/or the Data User may take steps for anonymizing the Confidential Customer Data in the
manner provided under Clause 11 of this Policy and ensure that anonymized Confidential Customer Data
cannot be recovered / reverse engineered through any manner.

9. CONFIDENTIAL DATA USAGE


9.1. The Company shall from time to time identify certain Employees who shall be authorized to access the
Confidential Customer Data and/or Confidential Company Data. If any other Data User accesses and/or
attempts to access Confidential Data, then such an act shall be deemed to be a breach of the terms of
this Policy.

9.2. Access Control Mechanisms must also be utilized to ensure that only authorized users can
access Confidential Data to which they have been granted explicit access rights.

9.3. Each Data User shall ensure that the Confidential Customer Data is used only for the purpose for which
it is being collected. Further, the Company and each Data User shall permit a Customer to withdraw the
consent provided prior to the collection of the Confidential Customer Data.

9.4. The Company is required to address any discrepancies and grievances of the Customer in regard to their
Confidential Customer Data in a time-bound manner. In this regard, the Company shall from time to time
appoint a grievance officer who shall be responsible for addressing the said grievance expeditiously
but no later than one month from the date of receipt of the grievance.

9.5. The recipients of Confidential Company Data have an obligation to not reveal the contents to any other
person. However, the Confidential Company Data may be shared with any other person only on a need-
to-know basis on receipt of written approval of the senior management of the Company.

Confidential Company Data shall not be copied and/or transcribed without the authorization from
the identified owner.

9.6. Proprietary Company Information and Confidential Company Information may be copied and distributed
within the Company only to authorized Employees.

10. CONFIDENTIAL DATA TRANSMISSION


10.1. The Company shall permit the disclosure of the Confidential Customer Data only after the relevant
Customer has provided consent or has agreed for the disclosure of the relevant Confidential Customer
Data in a contract between the Customer and the Company.

10.2. On occasion, Confidential Data may need to be released to the Vendors and/or the Other Third Parties.
When a legitimate business reason exists for releasing the Confidential Information, a non-disclosure
agreement (requiring the relevant Vendor and/or the Other Third Party to maintain that Confidential
Data in confidence, restrict its use and prevent dissemination) must be entered into before disclosing
Confidential Data.

10.3. The Company may transfer the Confidential Customer Data to any other person who ensures the same
level of data protection which is being adhered to by the Company. However, the said transfer of the
Confidential Customer Data must be necessary for the performance of the contract between the
Company and the Customer or if the Customer has consented to the transfer of such Customer Data.
Further, it is to be noted that Data Users shall not disclose any Confidential Customer Data to any other
person.

10.4. The Company permits Customers to review their Confidential Customer Data and allows for such
Confidential Customer Data to be amended if it is found to be inaccurate or deficient. The Data Users
shall assist the Company in complying with the Customer’s data request, as and when required by the
Company.

10.5. The media used to distribute Confidential Data should be classified so that it can be identified
as confidential and if the media is sent using courier or other delivery method, it should be accurately
tracked.

11. CONFIDENTIAL DATA DISPOSAL/CONFIDENTIAL DATA ANONYMIZATION
11.1. Access Control Mechanisms must also be utilized to ensure that only authorized Data Users can access
Confidential Data to which they have been granted explicit access rights during the disposal process.

11.2. Where the disposal of Confidential Data requires special techniques, the Company shall develop and
implement procedures to ensure the proper disposal and/or anonymization of such Confidential Data
in accordance with Applicable Law.

12. DOCUMENTATION
12.1. This Policy requires procedures be developed, managed and performed. As such,
written documentation must be developed for all procedures necessary to fulfill this Policy including:

a. The management of all ‘user i.ds’ on all platforms.

b. The management of all access control lists on all platforms.

c. The execution and review of all audit trails.

d. All incident response and reporting.

e. All other tasks necessary to support this Policy.

13. BREACH OF POLICY AND ENFORCEMENT


13.1. Breach of this Policy may have consequences on the Company’s ability to provide services, maintain the
integrity and/or confidentiality. Any act and/or omission by a Data User resulting in a breach of the terms
of this Policy and/or any Applicable Law shall result in a disciplinary action at the discretion of the
senior management of the Company and may at the option of the Company be considered as grounds
for instant termination of the contracted services of the relevant Data User.

13.2. Each Data User hereby waives any right and/or claim which it may have against the Company as a result
of the termination under Clause 13.2 of this Policy. Further, the Company shall be entitled to make a
claim against the relevant Data User for the breach of the terms of the Policy.

13.4. Pursuant to the termination under Clause 13.2 of this Policy, the relevant Data User shall indemnify and hold
the Company harmless against losses, damages, costs and/or expenses in relation to and arising from:

a. a breach of any clause of this Policy;

b. any liability arising as a result of the breach of the terms of the Policy; and/or any liability arising from
the relevant Data User having committed and/or engaged in any fraudulent act and/or omission in
connection to the services provided under the relevant agreement with the Company.
