Unison Insurance Broking Services Private Limited

Information Security Policy

Our commitment to protecting the confidentiality, integrity, and availability of information assets entrusted to us by clients, insurers, and business partners.

Document reference: UECRPF/ISP/L1/003
Version: 1.0
Date: 29th December 2025
Review cycle: Annual
Compliance alignment: IRDAI Compliant | IFSCA Compliant | ISO 27001 Aligned | DPDP Act 2023 | IT Act 2000 | CERT-In Directions
1. Introduction & Scope

Unison Insurance Broking Services Private Limited (“Unison” or “the Company”) is an IRDAI-licensed composite insurance broker committed to placing the security and privacy of client information at the core of its operations. This Information Security Policy (“Policy”) sets out the management framework, principles, and obligations that govern how Unison protects information assets across all its operations.

This Policy applies to:

  • All employees, directors, officers, and contract staff of Unison Insurance Broking Services Pvt. Ltd.
  • All third-party service providers, vendors, and technology partners who process, store, or transmit Unison’s or its clients’ information on the Company’s behalf
  • All information systems, applications, infrastructure, and data repositories — whether on-premises, cloud-hosted, or hybrid — used to deliver Unison’s insurance broking services
  • All physical offices, branch locations, and remote working environments where Unison’s information is accessed or processed

Regulatory context: Unison operates under the IRDAI (Insurance Brokers) Regulations 2018, the Information Technology Act 2000 and its amendments, the Digital Personal Data Protection (DPDP) Act 2023, and relevant CERT-In directions. This Policy has been designed to satisfy the information security and data governance expectations embedded in these frameworks.

2. Security Objectives

Unison’s information security programme is anchored on the following core principles:

Confidentiality

Information is disclosed only to authorised individuals and entities with a legitimate business need to know.

Integrity

Information is accurate, complete, and protected from unauthorised modification or corruption throughout its lifecycle.

Availability

Systems and information remain accessible to authorised users when required, with minimal unplanned disruption.

Accountability

All actions on information systems are traceable to identifiable individuals through robust logging and audit mechanisms.

Compliance

All security practices meet or exceed applicable legal, regulatory, and contractual requirements including IRDAI and DPDP.

Continual Improvement

Security controls are regularly reviewed, tested, and improved in response to emerging threats and business changes.

3. Information Classification

All information handled by Unison is classified according to its sensitivity and the potential impact of unauthorised disclosure. The four-tier scheme below governs labelling, handling, storage, and disposal:

RESTRICTED
  Description: Highest sensitivity; breach would cause severe regulatory, financial, or reputational harm
  Examples: Policy terms, client health/financial data, underwriting decisions, credentials
  Handling requirement: Encrypted storage; strictly need-to-know access; no sharing outside Unison without NDA

CONFIDENTIAL
  Description: Sensitive business or personal information; breach would cause material harm
  Examples: Client PII, claim details, premium records, HR data, contracts
  Handling requirement: Encrypted in transit; role-based access; not to be shared externally without authorisation

INTERNAL
  Description: Information for internal use only; limited impact if disclosed externally
  Examples: Internal procedures, meeting notes, staff directories, project reports
  Handling requirement: Accessible to all staff; not to be published publicly without approval

PUBLIC
  Description: Information intended for or already available to the general public
  Examples: Brochures, website content, published regulatory filings, press releases
  Handling requirement: No special restrictions; accuracy must be maintained before publication

4. Access Control

Access to information systems and data is governed by the principle of least privilege — users are granted only the minimum access required to perform their job functions.

Core access requirements
  • All access to Unison systems requires unique individual credentials; shared or generic accounts are prohibited except for supervised service accounts
  • Multi-factor authentication (MFA) is mandatory for all remote access, email systems, cloud platforms, and privileged administrative accounts
  • Access rights are reviewed quarterly by system owners and immediately upon role change, transfer, or departure of an employee
  • Privileged access (administrator rights) is restricted, logged, and subject to enhanced monitoring at all times
  • Session timeouts are enforced on all workstations and applications handling confidential or restricted data
  • Physical access to server rooms, network equipment, and document archives is restricted to authorised personnel and logged via access control systems

5. Data Protection & Privacy

Unison collects, processes, and stores personal data of policyholders, claimants, and employees in its capacity as an insurance intermediary. The Company is committed to protecting this data in accordance with the Digital Personal Data Protection (DPDP) Act 2023 and IRDAI guidelines.

Key data protection commitments
  • Personal data is collected only for specified, legitimate insurance-related purposes and is not processed beyond those purposes without the data principal’s consent
  • All personal data is stored within India or in jurisdictions approved under applicable law; cross-border transfers require appropriate safeguards
  • Data subjects (policyholders, claimants, employees) have the right to access, correct, and request erasure of their personal data, subject to legal retention obligations
  • Personal data is retained only for as long as necessary for the purpose of collection or as required by IRDAI record-keeping norms (minimum 5 years for policy records)
  • Hard copy documents containing personal data are stored in locked cabinets and disposed of by secure cross-cut shredding
  • Electronic personal data at rest is encrypted using AES-256 or equivalent; data in transit uses TLS 1.2 or higher
  • Privacy impact assessments are conducted before launching new data processing activities or systems

Notice to clients: Unison will never sell, rent, or trade your personal information to third parties for marketing purposes. Data shared with insurers and reinsurers is strictly for the purpose of placing, servicing, or renewing your insurance cover.

6. Network & System Security

Unison implements defence-in-depth security architecture across its technology environment to prevent, detect, and respond to cyber threats.

Technical controls in place
  • Perimeter firewalls, intrusion detection/prevention systems (IDS/IPS), and web application firewalls (WAF) protect all internet-facing systems
  • Network segments are segregated by function (client-facing, internal, administrative, DMZ) to limit lateral movement in the event of a breach
  • All endpoints are protected by enterprise-grade antivirus/anti-malware software with real-time scanning and automatic definition updates
  • Vulnerability assessments are conducted quarterly; penetration tests by qualified third-party professionals are performed at least annually
  • Security patches are applied within 30 days of release for standard vulnerabilities and within 72 hours for critical/zero-day vulnerabilities
  • All system and security logs are retained for a minimum of 12 months and monitored via a Security Information and Event Management (SIEM) system
  • Email is protected by anti-spam, anti-phishing, and DMARC/DKIM/SPF controls to prevent business email compromise
  • USB and removable media usage on corporate systems is restricted and logged; data transfer to personal devices is prohibited

7. Incident Management

Unison maintains a formal Information Security Incident Management procedure to ensure that security incidents — including data breaches, system compromises, and service disruptions — are identified, contained, investigated, and reported in a timely and structured manner.

  • All employees are required to report suspected security incidents immediately to the Information Security team via the designated incident reporting channel
  • A documented Incident Response Plan (IRP) with defined roles, escalation paths, and response playbooks is maintained and tested annually
  • Personal data breaches meeting the threshold under the DPDP Act 2023 will be reported to the Data Protection Board of India within the prescribed timelines
  • Significant cyber incidents are reported to CERT-In within 6 hours of detection in accordance with the CERT-In Directions 2022
  • IRDAI is notified of cyber incidents impacting the Company’s ability to service policyholders or compromising client data, as required under applicable guidelines
  • Post-incident reviews are conducted for all major incidents to identify root causes, improve controls, and prevent recurrence

Report a security concern: Clients or third parties who believe their information may have been compromised in connection with Unison’s services should contact us immediately at security@unisoninsurance.net or call our helpdesk. All reports are treated with strict confidentiality.

8. Business Continuity

Unison maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure that critical insurance broking services — including policy issuance, claim support, and client communications — remain operational during and after a disruptive event.

  • Critical systems and data are backed up daily with off-site or cloud replication; backup integrity is tested monthly
  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are defined for all critical systems and reviewed annually
  • BCP/DRP exercises including tabletop simulations and partial failover tests are conducted at least once a year
  • Alternative working arrangements (remote access, secondary offices) are documented and tested to maintain operational continuity during facility unavailability

9. Third-Party & Vendor Security

Unison recognises that third-party relationships introduce supply-chain risk. All vendors, service providers, and business associates who access Unison’s systems or process client data are subject to rigorous security evaluation and contractual obligations.

  • Security and privacy requirements are embedded in all vendor contracts via Data Processing Agreements (DPAs) and security annexures prior to engagement
  • Vendors processing Restricted or Confidential information are assessed against a security questionnaire before onboarding and periodically thereafter
  • Third-party access to Unison systems is time-limited, monitored, and revoked immediately upon contract expiry or termination
  • Cloud service providers are evaluated for data residency, encryption standards, SOC 2 / ISO 27001 certification, and incident notification commitments
  • Vendors must notify Unison within 24 hours of any security incident that may affect Unison’s data or systems

10. Roles & Responsibilities

Board of Directors / CEO
  Approve and champion this Policy; allocate adequate resources for information security; receive periodic security performance reports

CISO / Head – IT
  Own and maintain this Policy; oversee security architecture, risk assessments, incident response, and regulatory reporting; drive the annual security review

Compliance Officer / DPO
  Ensure alignment with IRDAI, DPDP, IT Act, and CERT-In requirements; manage data principal rights requests; oversee privacy impact assessments

IT / System Administrators
  Implement and maintain technical controls; manage access provisioning; perform vulnerability patching; monitor security logs

All Employees
  Comply with this Policy and all related procedures; complete mandatory security awareness training; report incidents and suspicious activity promptly

Vendors / Third Parties
  Adhere to contractual security obligations; cooperate with Unison’s security assessments; promptly notify Unison of incidents affecting shared data or systems

11. Compliance & Enforcement

Compliance with this Policy is mandatory for all personnel within its scope. Unison takes policy violations seriously and will respond proportionately to the severity of the breach.

  • Violations by employees may result in disciplinary action up to and including termination of employment, without prejudice to any civil or criminal liability arising from the breach
  • Violations by third parties may result in contract suspension, termination, and recovery of damages as permitted by the applicable agreement
  • Exceptions to this Policy must be formally documented, risk-assessed, and approved by the CISO; exceptions are time-limited and subject to compensating controls
  • Compliance is monitored through internal audits, access reviews, security assessments, and SIEM alerts; findings are reported to senior management quarterly

Legal note: Deliberate or reckless misuse of information assets, unauthorised access, or concealment of a security incident may constitute offences under the IT Act 2000 and/or the DPDP Act 2023, attracting civil penalties and criminal prosecution.

12. Policy Review

This Policy is a living document. It is formally reviewed annually by the CISO and the Compliance team, or earlier in response to:

  • Significant changes in the regulatory landscape (IRDAI guidelines, DPDP Rules, CERT-In directions)
  • Material changes in Unison’s business model, technology environment, or risk profile
  • Lessons learnt from security incidents, audit findings, or third-party assessments
  • Emerging threats identified through threat intelligence monitoring

Approved revisions are communicated to all stakeholders within 30 days of sign-off. The most current version of this Policy is always available on the Unison Insurance website and the internal employee portal.

Document sign-off

Authored by: CISO/DPO
  Date & Signature:

Reviewed by: HR Head, Unison Insurance Broking Services Pvt. Ltd.
  Date & Signature:

Approved by: CFO, Unison Insurance Broking Services Pvt. Ltd.
  Date & Signature: