Trust at Kapture
Kapture CX protects your data with end-to-end encryption, least-privilege access, continuous monitoring, and independently audited controls across global data centers.
Certified to Protect Your Data
Security & Compliance
Enterprise-grade Security for Every CX Interaction
Kapture CX safeguards conversations, tickets, and customer data with defense-in-depth—encryption, access controls, and continuous compliance.
Security & Encryption
We protect your data with least-privilege access, RBAC, and encryption at every layer. All data is encrypted in transit (TLS 1.2) and at rest (AES-256), with PII securely masked to prevent unauthorized access or exposure.
Audit Visibility & Monitoring
Centralized, tamper-proof audit logs feed into our SIEM for real-time monitoring and alerts. Logs are stored with strict access controls and integrity checks, aligned with ISO 27001:2022 and CERT-In standards for full traceability and incident response.
Proactive Vulnerability Management
We run regular VAPT with CERT-In–empanelled auditors and operate a Responsible Disclosure Program. Verified issues are triaged and fixed quickly, reinforcing our commitment to transparent and accountable security.
Compliance & Regulatory Alignment
Kapture complies with leading global and regional frameworks: ISO 27001, SOC 2 Type II, DPDPA, GDPR, HIPAA, ISO 42001 (AI Governance), OWASP secure coding practices, CERT-In guidelines, plus RBI and SEBI directives for financial services.
Trustworthy by Design & Responsible AI
Security, privacy, and resilience are built into our products from day one. Our AI systems are developed and monitored under ethical, legal, and regulatory frameworks to ensure fair, explainable, and compliant use of data.
No Training on Your Data
Your data is never used to train or improve our AI models. It is processed only to deliver Kapture services securely and in full compliance with GDPR, DPDPA, and other applicable regulations.
Security at Kapture
AI Principles
At Kapture CX, we are committed to the responsible, transparent, and ethical use of Artificial Intelligence in all our products and operations. Our AI governance framework aligns with ISO/IEC 42001:2023, the European Union Artificial Intelligence Act, and the RBI’s Framework for Responsible use of AI and India AI Governance Guidelines. These frameworks guide us in ensuring that every AI driven capability we deploy is trustworthy, lawful, explainable, and secure.
Our AI Principles:
Ethical Use
At Kapture CX, we ensure that every use of Artificial Intelligence (AI) aligns with the highest standards of ethics, responsibility, and transparency. We are committed to maintaining human oversight and accountability across the entire AI lifecycle, from design and data collection to deployment and monitoring. All AI-driven operations are governed by internal ethical standards, data protection laws, and frameworks such as the EU AI Act, ISO/IEC 42001, and India’s Safe and Trusted AI Guidelines. By embedding ethical use as a core principle, we ensure that innovation at Kapture CX remains responsible, transparent, and always in service of our customers’ trust and societal good.
Transparency and Explainability
At Kapture CX, transparency and explainability form the foundation of our AI governance framework. We believe users have the right to understand how AI interacts with their data and influences outcomes. To uphold this, we clearly communicate the purpose, scope, and functioning of every AI capability, including details on how datasets are selected, processed, and validated. Our goal is to eliminate ambiguity by ensuring that all stakeholders can trace the reasoning behind AI-driven results. We enable users to receive meaningful insights into how conclusions or recommendations are generated. Through these measures, Kapture CX strengthens user confidence and fosters accountability at every stage of AI deployment.
Fairness and Non-Discrimination
At Kapture CX, we are committed to ensuring that all AI systems operate with fairness, equality, and inclusivity at their core. We recognize that AI models can reflect the biases present in data, so we conduct rigorous bias detection and impact assessments throughout the AI lifecycle, from data collection and model training to deployment and performance monitoring. These assessments help us identify and mitigate any potential discrimination, ensuring that our AI-driven outcomes treat all users and stakeholders equitably.
Our AI governance framework aligns with global ethical standards, including the EU AI Act, ISO/IEC 42001, and India’s AI Guidelines, to promote responsible and just use of technology. By embedding fairness into design, validation, and continuous monitoring processes, we ensure that AI at Kapture CX not only enhances performance but also upholds respect, diversity, and equality for all individuals it impacts.
Privacy and Data Protection by Design
At Kapture CX, privacy and data protection by design are integral to every stage of AI development and deployment. We adopt a privacy-by-design approach, embedding data protection safeguards into the architecture of our AI systems from the very beginning. Every AI feature is built to uphold user confidentiality, process only the minimum data necessary, and ensure that personal information is used strictly for its intended, lawful purpose.
Our AI operations are fully aligned with leading privacy regulations, including the Digital Personal Data Protection Act (DPDPA), the General Data Protection Regulation (GDPR), and other applicable global frameworks. We implement robust technical and organizational controls such as encryption, access limitation, and data minimization to ensure data integrity and confidentiality. Through this proactive and compliant approach, Kapture CX ensures that innovation in AI never compromises the fundamental right to privacy.
Robustness, Safety, and Security
At Kapture CX, we ensure that every AI system is developed with robustness, safety, and security as foundational principles. Our models undergo rigorous testing to evaluate their accuracy, reliability, and resilience under real-world conditions. We employ adversarial testing and vulnerability assessments to identify potential risks early and strengthen the system’s defenses against manipulation, misuse, or unexpected behavior. This ensures that our AI functions consistently and safely, even under challenging operational environments.
We maintain continuous monitoring, incident response, and fallback mechanisms to preserve data integrity and system availability at all times. Our AI infrastructure is secured through layered protection measures including encryption, access controls, and threat detection aligned with global cybersecurity standards such as ISO/IEC 27001 and ISO/IEC 42001. By prioritizing robustness and proactive risk management, Kapture CX safeguards the reliability and trustworthiness of all AI-driven processes.
Accountability and Governance
At Kapture CX, we uphold accountability and strong governance as central pillars of responsible AI management. Every stage of the AI lifecycle, from design and data acquisition to deployment and decommissioning, is guided by clear oversight, documentation, and review processes. Our AI Governance Committee ensures that all AI activities are transparent, traceable, and compliant with internal policies and external regulatory expectations, fostering a culture of ethical responsibility and continuous improvement.
We align our AI governance framework with the ISO/IEC 42001:2023 Artificial Intelligence Management System Standard, ensuring that accountability is built into both operational and strategic decision-making. Regular audits, risk assessments, and performance evaluations are conducted to maintain compliance with global standards and emerging regulations. Through structured governance, well-defined roles, and documented accountability, Kapture CX ensures that every AI initiative upholds integrity, trust, and lawful compliance.
Regulatory Compliance and Oversight
At Kapture CX, regulatory compliance and oversight form the backbone of our AI governance ecosystem. We proactively align our AI practices with evolving global, regional, and sectoral regulations, ensuring that every deployment meets the highest standards of legality, transparency, and ethical conduct. Our dedicated compliance team continuously monitors emerging frameworks such as the EU AI Act, India’s AI Guidelines, and the RBI’s FREE-AI Framework, integrating their principles into our operational and design processes.
We maintain detailed documentation, audit trails, and periodic assessments to verify that our AI systems operate within defined legal and ethical boundaries. By embedding compliance into every stage of AI development, we ensure that our innovations remain both responsible and regulator-ready. This ongoing oversight enables Kapture CX to foster trust among customers, regulators, and partners—demonstrating a sustained commitment to safe, transparent, and lawful AI governance.
We believe AI must be a force for trust, innovation, and societal good. By embedding accountability, privacy, and security into every stage of our AI lifecycle, from design to deployment, we ensure that our customers, regulators, and partners can trust every AI-powered interaction.
AI governance
At Kapture CX, our Artificial Intelligence (AI) governance framework is built on the principles of responsibility, accountability, and continuous oversight.
We recognise that AI systems influence decision making, customer experience, and data integrity, and therefore must be governed with the same rigour as any critical information asset.
Our governance model aligns with ISO/IEC 42001:2023 (Artificial Intelligence Management System), the EU AI Act, the Reserve Bank of India’s FREE-AI Framework for Responsible and Ethical Enablement of AI, and the AI Governance Guidelines, 2025.
Governance Structure
We maintain a formal AI Governance Committee comprising representatives from Information Security, Legal & Compliance, Engineering, and Data Privacy functions. The committee is responsible for:
- Defining the organisation’s AI strategy, risk appetite, and ethical standards.
- Approving the AI Principles and Policy applicable to all AI based products, features, and vendor integrations.
- Monitoring compliance with ISO 42001 controls, applicable laws, and internal policies such as data management, access control, and security.
- Reviewing AI related incidents, bias findings, or risk assessments, and ensuring timely remediation.
Risk and Impact Assessment
At Kapture CX, we conduct a comprehensive AI Risk and Impact Assessment for every AI initiative before its design, deployment, or procurement. This ensures that all potential risks are identified, evaluated, and mitigated well in advance, maintaining the integrity, safety, and fairness of our AI systems.
Each assessment examines the sensitivity of the data used, the likelihood of bias, and the potential for model drift over time. This allows us to take proactive corrective measures that preserve accuracy and reliability.
Our evaluation process also analyses privacy, ethical, and operational implications to understand the broader effects of AI on individuals, customers, and organisations. Based on these assessments, every AI system is classified according to risk categories, in line with global best practices such as the EU AI Act and ISO/IEC 42001.
This structured approach to risk and impact management enables Kapture CX to maintain responsible, transparent, and well governed AI operations across all business functions.
Lifecycle management
At Kapture CX, we implement a comprehensive lifecycle management approach to govern every AI system with integrity, accountability, and oversight. From inception to retirement, each stage is guided by defined compliance and transparency controls. In the design and development phase, our teams perform bias detection, explainability assessments, and security assurance testing to confirm that AI models are fair, interpretable, and resilient.
During deployment and ongoing monitoring, we track system performance, identify model drift, and maintain continuous human supervision to ensure responsible and reliable outcomes.
When an AI system reaches the review or decommissioning stage, it undergoes structured revalidation, data sanitization, and a comprehensive impact reassessment to verify that it remains ethical, lawful, and aligned with current standards.
This lifecycle framework is embedded within Kapture CX’s Information Security Management System (ISMS) and Privacy Governance Framework, ensuring that AI accountability and compliance are upheld consistently across all domains.
Accountability and Oversight
At Kapture CX, every AI system is assigned a designated System Owner who holds ultimate responsibility for ensuring its lawful, ethical, and compliant use. This role ensures that accountability is clearly defined and that all AI operations align with the organization’s ethical and regulatory commitments.
All employees and contractors involved in the development, deployment, or use of AI must strictly follow Kapture CX’s AI Policy, Code of Conduct, and Data Protection Standards. They are also required to promptly report any anomalies, risks, or unintended outcomes to the AI Governance Committee for review and remediation. To maintain a culture of responsible innovation, every team member participates in ongoing training and awareness programs that reinforce our principles of fairness, transparency, and responsible AI use across the organization.
Regulatory and Ethical Compliance
At Kapture CX, we ensure that all AI operations are fully compliant with a comprehensive set of global, national, sectoral, and internal governance requirements. Our framework aligns with international laws and standards such as the EU AI Act, General Data Protection Regulation (GDPR), ISO/IEC 42001, and ISO/IEC 27001, ensuring that every AI system is developed, deployed, and monitored with the highest levels of security and ethical accountability. We also adhere to Indian regulatory and sectoral guidelines, including the RBI FREE-AI Framework, CERT-In advisories, the Digital Personal Data Protection Act (DPDPA) 2023, SEBI’s AI and cybersecurity directives, and IRDAI’s guidelines on Information and Cybersecurity, ensuring compliance across financial services, insurance, and regulated industries.
Our AI governance is further strengthened by internal policies covering data localisation, encryption standards, vendor due diligence, access control, and continuous security monitoring. To support regulatory scrutiny and audit readiness, we maintain comprehensive documentation, evidence logs, and compliance records for internal audits, customer assurance, and statutory reporting. Through this unified and verifiable compliance posture, Kapture CX ensures responsible, transparent, and regulator-aligned AI operations across all domains.
Continuous Improvement
At Kapture CX, we recognise that AI governance must continually evolve to stay aligned with advancing technology and regulatory expectations. We foster a culture of continuous improvement by conducting regular internal audits, engaging in independent third-party assessments, and updating our policies and controls to reflect new risks, lessons learned, and operational insights. This ensures that our AI systems remain robust, compliant, and aligned with our ethical commitments over time.
We actively monitor emerging AI regulations, global standards, and ethical frameworks to stay ahead of industry developments and regulatory shifts. By consistently adopting industry best practices, we strengthen the trustworthiness, transparency, and resilience of our AI operations. This ongoing enhancement cycle enables Kapture CX to maintain responsible, future-ready AI governance that adapts to new challenges while upholding the highest standards of accountability and user trust.
Kapture CX ensures that every AI capability is explainable, secure, privacy respectful, and compliant.
Through structured governance, risk-based oversight, and ethical accountability, we uphold our commitment to responsible AI that earns user trust and meets global compliance standards.
RBI framework on AI
Kapture CX is committed to the responsible, transparent, and ethical enablement of Artificial Intelligence (AI) in financial and business processes, in alignment with the Reserve Bank of India’s Framework for Responsible, Explainable and Ethical AI.
Alignment with RBI’s Seven Sutras
We integrate the RBI Committee’s Seven Sutras across our AI lifecycle. These include:
- Trust & Transparency: Our AI systems are auditable, explainable, and traceable through robust governance and disclosure frameworks.
- Human Control: AI features at Kapture CX augment human judgment and operate under defined oversight controls.
- Fairness & Equity: We employ bias testing, fairness audits, and algorithmic validation to prevent discrimination across user cohorts.
- Accountability: Defined ownership across model design, deployment, and review ensures traceable responsibility.
- Safety & Resilience: AI models undergo continuous monitoring, stress-testing, and red teaming in line with RBI’s emphasis on model-risk and resilience.
Governance Structure and Board Oversight
At Kapture CX, AI governance is overseen at the highest levels, anchored by a Board-approved AI Governance Policy. This approach aligns with the RBI’s FREE-AI Framework, which recommends that regulated entities adopt a structured, Board-level governance mechanism for responsible AI use. Our Board provides strategic direction, reviews key risks, and ensures that AI practices remain aligned with ethical, legal, and operational expectations.
Our AI Governance Policy defines the organisation’s end-to-end governance model, including a clear escalation matrix, roles and responsibilities, and decision-making pathways. It establishes mandatory operational safeguards, data ethics principles, and robust auditability and documentation practices to ensure accountability and traceability. The policy also incorporates consumer protection commitments, including grievance handling processes for AI-related issues, and mandates an annual review of model lifecycle risks to ensure continuous oversight.
Even though some of these requirements primarily apply to regulated financial sectors, Kapture CX adopts them as voluntary baseline standards across all operations. This proactive approach reflects our commitment to India’s emerging AI governance expectations and reinforces our dedication to safe, transparent, and trustworthy AI.
Voluntary Compliance and Self-Regulation
Kapture CX aligns with the RBI’s pro-innovation, low-compliance-burden philosophy by voluntarily adopting the FREE-AI Framework’s self-regulatory principles, even beyond the financial sector. This reflects our commitment to building trustworthy AI while supporting an ecosystem that is transparent, safe, and innovation-ready.
We carry out regular internal self-assessments to evaluate our AI models for fairness, privacy protection, and security robustness. Any AI-related anomaly, incident, or unexpected outcome is logged and reviewed, enabling continuous learning and improvement.
In keeping with RBI’s collaborative vision, we participate in cross-industry forums, working groups, and knowledge-sharing initiatives to exchange insights and best practices on responsible AI. We also endorse RBI’s encouragement of industry-led recognition programs that highlight and reward ethical and responsible AI design. Through these voluntary measures, Kapture CX demonstrates its proactive approach to advancing a safe, transparent, and responsible AI ecosystem.
Risk Based and Techno Legal Controls
Kapture CX’s AI lifecycle management framework applies risk-proportionate controls, aligning with the RBI’s principle of graded liability and supervisory oversight. This ensures that higher-risk AI systems receive enhanced scrutiny, stronger controls, and more frequent monitoring, while lower-risk systems follow streamlined and proportionate governance measures.
We incorporate security by design across all AI development stages, embedding safeguards such as encryption, role-based access control, and adversarial-attack testing to ensure resilience and integrity. In parallel, we integrate privacy preserving technologies to remain fully compliant with the Digital Personal Data Protection Act (DPDPA) 2023 and the RBI Cyber Security Framework for Banks (2016). Through these combined measures, Kapture CX maintains a robust, proportionate, and regulation-aligned AI security and privacy posture.
Capacity Building and Continuous Learning
Aligned with the FREE-AI framework’s “Capacity Pillar,” Kapture CX prioritises ongoing capability building to strengthen responsible AI adoption across the organisation. We provide continuous AI-ethics and governance training for our engineers, product teams, and compliance professionals, ensuring they remain fully aware of model limitations, regulatory expectations, and emerging risk patterns.
These training initiatives reinforce a deep understanding of consumer-protection principles, fairness considerations, and sectoral compliance requirements, enabling our teams to design, deploy, and monitor AI systems responsibly. By investing in sustained education and awareness, Kapture CX builds a workforce that is equipped to uphold safe, transparent, and accountable AI practices at scale.
Kapture CX’s governance architecture operationalises RBI’s vision of responsible AI enablement.
Through proactive adoption of board-approved policies, algorithmic transparency, self-assessment, and bias-control frameworks, we ensure that our AI ecosystem remains trustworthy, auditable, and resilient, enabling financial and enterprise clients to deploy AI with complete confidence, in compliance with India’s Responsible and Ethical AI principles.
AI governance guidelines, 2025
At Kapture CX, we are committed to building and deploying Artificial Intelligence responsibly, anchored in the guiding principles of India’s AI Governance Guidelines 2025 issued under the India AI Mission by MeitY.
Our approach to AI is rooted in transparency, accountability, and human-centric innovation, ensuring every AI-driven capability within our platform upholds the nation’s vision of “Safe and Trusted AI for All.”
Alignment with National AI Governance Principles
We adhere to the seven sutras of the national AI governance framework: Trust as Foundation, People First, Fairness & Equity, Accountability, Understandable by Design, Safety & Resilience, and Innovation over Restraint.
Governance Structure and Risk Mitigation
Kapture CX implements an AI Governance Framework consistent with the six pillars of the India AI Guidelines: Infrastructure, Capacity Building, Policy & Regulation, Risk Mitigation, Accountability, and Institutional Oversight.
- Infrastructure & Data Integrity: Our data pipelines and compute environments are secured through robust encryption, controlled access, and audit trails, ensuring lawful processing in accordance with the Digital Personal Data Protection Act 2023.
- Capacity Building: We conduct ongoing AI-ethics and security training for our data-science, legal, and engineering teams to strengthen awareness and accountability.
- Risk Mitigation: We employ algorithmic audits, bias detection tools, and privacy-preserving technologies to prevent harm and ensure compliance by design. In addition, AI incidents are monitored.
- Policy Alignment: Our AI policies integrate cross-references to the IT Act, DPDPA, and sectoral frameworks such as RBI, SEBI, and IRDAI AI guidelines, ensuring multi-layered compliance.
- Accountability: Every AI system has a clearly defined System Owner responsible for lawful, ethical, and secure operation. Roles and decision making responsibilities are documented, ensuring traceability, human oversight, and clear accountability across technical and business teams. AI related decisions can always be attributed to a responsible authority within the organisation.
- Institutional Oversight: Kapture CX maintains structured oversight through an AI Governance Committee, responsible for policy implementation, lifecycle supervision, incident review, and audit coordination. This committee reports to senior leadership and ensures alignment with India AI Guidelines, enabling periodic reviews, escalations, and transparent governance across the enterprise.
Techno-Legal and Voluntary Compliance
We adopt a techno-legal approach, embedding legal and ethical safeguards directly into system architecture, such as content provenance tagging, consent management modules, and explainability dashboards. In support of voluntary governance measures recommended by MeitY, we publish transparency summaries and provide grievance redressal channels.
Kapture CX stands firmly behind India’s vision to make AI a force for inclusion, trust, and progress. By aligning our governance practices with the India AI Governance Guidelines 2025, we ensure that every AI innovation we create is safe, auditable, equitable, and human-centric, empowering organizations to adopt AI with confidence and accountability.
Security by design
Kapture CX adopts a comprehensive Security by Design framework to ensure that information security and data protection are foundational elements of every product, process, and operation. This principle ensures that privacy and security are embedded from the beginning.
Given below are the key principles ensuring security by design:
Integrated into Every Phase
At Kapture, security and privacy requirements are incorporated during concept, design, development, testing, and deployment phases of every product and process.
Compliance Alignment
The organisation’s framework aligns with ISO 27001:2022, Article 25 of GDPR (Data Protection by Design and by Default), and the Digital Personal Data Protection Act (DPDPA) 2023.
Risk-Based Planning
For every new project at our organisation, a Security Risk Assessment (SRA) and a Privacy Impact Assessment (PIA) are undertaken to identify potential threats and regulatory obligations. Controls are defined based on the severity and likelihood of identified risks.
Secure Development Lifecycle (SDLC)
At our organisation, security checkpoints are embedded throughout the SDLC. Threat modelling, secure-coding guidelines, and peer reviews ensure vulnerabilities are mitigated before deployment. Automated SAST/DAST scans and dependency checks validate code security.
Data Minimization & Purpose Limitation
In our organisation, data collection and retention are restricted strictly to what is necessary for legitimate business or contractual purposes, in accordance with Article 5 of GDPR and sections 6 and 7 of DPDPA. Default configurations promote privacy by default, limiting exposure of personal or customer data.
Governance & Accountability
A dedicated Information Security and Privacy team oversees compliance with internal and external standards. Risk owners are assigned to business functions to ensure ownership and accountability for controls. Governance reviews are conducted periodically by the Information Security Steering Committee.
Change & Configuration Control
All process changes follow documented change management procedures, including risk evaluation, impact analysis, and multilevel approval. Each change maintains complete traceability for audit readiness. This is done in accordance with ISO 27001 requirements.
Continuous Training & Awareness
At Kapture, employees, developers, and contractors receive ongoing training on secure coding, phishing prevention, and data-protection obligations under ISO 27001, DPDPA and GDPR.
Continuous Monitoring & Validation
At our organisation, we conduct regular internal audits, vulnerability assessments, and third-party penetration tests to validate the effectiveness of Security-by-Design controls. Findings are documented, prioritized, and remediated under the organization’s Information Security Management System (ISMS) Policy.
Independent Verification & Certification
Kapture’s Information Security Management System (ISMS) undergoes periodic internal and external audits to maintain ISO 27001 compliance and demonstrate ongoing conformance with best-practice standards.
Lifecycle Accountability
Security-by-Design at Kapture applies to the full data lifecycle, from collection and storage to processing, sharing, and deletion. Every stage includes defined controls for confidentiality, integrity, and availability.
By embedding security and privacy into the design of our products and processes, Kapture CX ensures that data is processed lawfully, fairly, and securely throughout its lifecycle. This proactive and risk based approach demonstrates our ongoing commitment to safeguarding customer trust and maintaining compliance with global data-protection and cybersecurity standards.
Product Security
Kapture CX integrates Product Security principles throughout the design, development, and operational lifecycle of its SaaS platforms. Security and privacy form the foundation of all engineering practices, ensuring that products are resilient against cyber threats, compliant with global regulations, and trustworthy for customers. This framework aligns with ISO 27001:2022 controls, NIST 800-53, and the data-protection requirements of GDPR and DPDPA 2023.
Given below are the key principles ensuring Product Security.
Secure Architecture and Design
Kapture CX products are built on a defense-in-depth architecture, incorporating multi-layered safeguards across network, application, and data tiers. Security requirements are established during the architecture and design phase and validated through threat modelling, code reviews, and risk assessments. Data segregation ensures that each customer environment operates in logical isolation, minimizing cross tenant risks. Infrastructure configurations follow CIS Benchmarks and are regularly reviewed to maintain a hardened security posture. Every new feature undergoes architecture review to confirm alignment with both business objectives and compliance obligations.
Secure Development and Testing
The Secure Software Development Lifecycle (SSDLC) governs how Kapture CX builds and deploys secure applications. Developers follow approved secure coding practices and leverage automated tools such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to identify vulnerabilities. Peer reviews and continuous integration pipelines enforce compliance with the company’s coding standards and release policies. All code dependencies and open-source components are tracked in a Software Bill of Materials (SBOM), ensuring continuous monitoring for known vulnerabilities. Pre-release testing includes vulnerability scanning, regression testing, and quality assurance sign-offs before deployment to production.
Data Protection and Encryption
Kapture CX employs strong encryption controls to protect sensitive data across all environments. Data at rest is encrypted using AES-256 algorithms, and data in transit is protected through TLS 1.2 communication channels. Encryption keys are stored and managed in secure key vaults under strict access control and rotation policies. Sensitive identifiers and credentials are further protected through hashing, tokenization, and anonymization techniques. The company’s encryption strategy ensures compliance with Article 32 of GDPR, reinforcing the confidentiality and integrity of all processed data.
Access Control and Authentication
Access to product environments and customer data is restricted using Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA). All administrative and privileged activities are logged and monitored for anomalies through centralized logging and Security Information and Event Management (SIEM) tools. Access rights are reviewed periodically to ensure least-privilege enforcement and compliance with internal security policies.
Continuous Monitoring and Vulnerability Management
Kapture CX maintains 24×7 monitoring and detection capabilities across its product infrastructure. Automated alerts flag unusual activity, and any deviation from baseline behavior triggers investigation by the Security Operations Team. Products are subjected to routine penetration tests, vulnerability assessments, and third-party security audits by CERT-In empanelled partners. Findings are documented, prioritized by severity, and tracked until closure under the company’s Vulnerability Management Program. These measures ensure continuous improvement and resilience against emerging cyber threats.
Compliance and Assurance
Kapture CX’s Product Security controls are periodically reviewed under its Information Security Management System (ISMS) and assessed during external ISO 27001 and SOC 2 audits. Customers receive detailed documentation, including Data Processing Agreements (DPAs), Security Whitepapers, and Product Security Guides, outlining implemented safeguards. This transparency reinforces customer trust and helps clients meet their own compliance obligations.
Through its comprehensive Product Security framework, Kapture CX ensures that every feature and integration is designed to withstand evolving threats. By embedding security controls into architecture, code, and infrastructure, Kapture CX delivers products that are not only functional and scalable but also compliant, resilient, and aligned with international data-protection and cybersecurity standards.
HR Security
At Kapture CX, people are central to our information-security ecosystem. Our Human Resource Security framework ensures that all employees, contractors, and third-party personnel understand and uphold their responsibilities toward data protection, confidentiality, and regulatory compliance throughout their association with the company.
The key principles of HR Security are given below.
Pre-Employment Screening and Verification
At Kapture, all prospective employees and contractors undergo background verification that includes identity, education, employment, and criminal-record checks in accordance with local labor and privacy laws. Verification results are reviewed and approved prior to granting employment or system access. Screening practices comply with ISO 27001.
Employment Contracts and Confidentiality Agreements
At Kapture CX, every employee signs a Confidentiality and Non-Disclosure Agreement (NDA) as a condition of employment. Offer letters explicitly outline responsibilities related to data protection, intellectual-property rights, and acceptable use of assets. Contract terms reference compliance with Articles 28 and 32 of the GDPR on safeguarding personal data.
Induction and Security Awareness
In our organisation, newly hired personnel complete a structured security and privacy induction program before accessing any production or customer data. Continuous awareness sessions are conducted on phishing prevention, secure data handling, password hygiene, and incident reporting. Training completion is tracked within the company’s Learning Management System (LMS) for audit readiness.
Roles and Responsibilities
Job descriptions incorporate the security and privacy accountabilities relevant to each position. Managers are responsible for ensuring that their teams adhere to the principle of least privilege and approved access levels. Key security roles such as the Information Security Officer and Privacy Officer oversee employee compliance and policy enforcement.
Disciplinary and Corrective Measures
Breaches of information security or privacy policies are addressed under formal disciplinary procedures, which may include suspension of access or termination of employment. All disciplinary actions are documented and reviewed by HR in coordination with the Information Security team.
Termination and Off-Boarding
On termination or role change, all system access is promptly revoked through automated off-boarding workflows. Company assets, credentials, and ID cards are collected and verified. Departing personnel are reminded of ongoing confidentiality obligations even after employment ends.
Monitoring and Continuous Improvement
HR Security processes are subject to periodic internal and external audits as part of the Information Security Management System (ISMS). Audit results inform training updates, policy revisions, and process enhancements. Regular reviews ensure alignment with ISO 27001 and SOC 2.
By integrating human, procedural, and legal safeguards, Kapture CX’s HR Security Framework fosters a trusted workforce and minimizes insider risk. Through background checks, contractual obligations, awareness programs, and rigorous access governance, the company ensures that every individual acts responsibly in preserving confidentiality, integrity, and compliance across all operations.
Vulnerability Management
Kapture CX maintains a robust Vulnerability Management Policy designed to identify, assess, remediate, and monitor weaknesses across applications, networks, and infrastructure. The objective is to reduce the organization’s attack surface and maintain the confidentiality, integrity, and availability of customer and company data. This framework aligns with ISO 27001:2022, NIST SP 800-40, CIS Benchmarks, and SOC 2, while also meeting data-protection expectations under GDPR Article 32 and the DPDPA 2023.
Asset Identification and Scope
Vulnerability management begins with maintaining an accurate and current asset inventory. All servers, endpoints, applications, databases, and network devices are catalogued within the organization’s Asset Management Register. Each asset is assigned an owner, classification level, and risk rating to determine the frequency of vulnerability scans. Coverage includes cloud resources, APIs, and software components, ensuring that no critical asset is left unmonitored.
Scanning and Assessment Process
Automated vulnerability scans are conducted at regular intervals using industry-recognized tools to identify outdated software components, insecure configurations, missing patches, and known Common Vulnerabilities and Exposures (CVEs). The Information Security Team validates scan findings and correlates them with external threat-intelligence feeds to assess exploitability and prioritize remediation. Critical vulnerabilities identified in production environments are escalated as security incidents and undergo immediate risk assessment in accordance with the organization’s Vulnerability Risk Matrix and Incident Management Policy.
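The SBOM tracking described under Secure Development and Testing and the scan triage described here are two halves of one workflow: join the component inventory against an advisory feed, then rank what matches by severity and exploitability rather than by CVSS alone. The block below is an added example, not Kapture CX code, that does both. The CycloneDX-style SBOM, the advisory feed (placeholder identifiers, not real CVEs), the affected-version ranges, the exposure map and the priority thresholds are all constructed for this example.

```python
"""SBOM-driven vulnerability matching and remediation prioritization.

Added example, not Kapture CX code. Joins SBOM components against an
advisory feed on name + affected version range, then assigns a
remediation tier from severity, an exploited-in-the-wild flag and
internet exposure. SBOM, advisories, exposure map and thresholds are
all constructed for this example.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed SBOM fragment in CycloneDX JSON shape (components only).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "webfw", "version": "3.0.1", "purl": "pkg:generic/webfw@3.0.1"},
        {"type": "library", "name": "jsonlib", "version": "2.9.0", "purl": "pkg:generic/jsonlib@2.9.0"},
    ],
})

# Constructed advisory feed: affected range is [introduced, fixed); fixed=None means no fix yet.
# "kev" stands in for a threat-intel flag that the issue is exploited in the wild.
ADVISORIES: List[Dict] = [
    {"id": "ADV-EXAMPLE-1", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.4.3", "cvss": 9.8, "kev": True},
    {"id": "ADV-EXAMPLE-2", "name": "webfw", "introduced": "3.0.0", "fixed": "3.0.1", "cvss": 7.5, "kev": False},
    {"id": "ADV-EXAMPLE-3", "name": "jsonlib", "introduced": "2.0.0", "fixed": None, "cvss": 5.3, "kev": False},
]

# Assumed exposure map: which components sit on an internet-facing path.
EXPOSURE: Dict[str, bool] = {"libfoo": False, "webfw": True, "jsonlib": True}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; real ecosystems need their own comparators."""
    return tuple(int(p) for p in v.split("."))


def affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(sbom_json: str, advisories: List[Dict]) -> List[Dict]:
    """Join SBOM components against the advisory feed on name + version range."""
    components = json.loads(sbom_json).get("components", [])
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp["name"] and affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "purl": comp.get("purl"), **adv})
    return findings


def priority(finding: Dict, internet_exposed: bool) -> str:
    """Severity plus exploitability and exposure -> remediation tier (assumed thresholds)."""
    score = finding["cvss"]
    if finding["kev"] or (score >= 9.0 and internet_exposed):
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def rank(sbom_json: str, advisories: List[Dict], exposure: Dict[str, bool]) -> List[Dict]:
    """Findings with priorities attached, most urgent first."""
    findings = find_vulnerable(sbom_json, advisories)
    for f in findings:
        f["priority"] = priority(f, exposure.get(f["component"], False))
    order = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}
    return sorted(findings, key=lambda f: (order[f["priority"]], -f["cvss"]))


if __name__ == "__main__":
    for f in rank(SBOM_JSON, ADVISORIES, EXPOSURE):
        print(f["priority"], f["id"], f["component"], f["version"])
```

Note that in this sample the fixed-version boundary matters: webfw 3.0.1 is exactly the fix release and is correctly not flagged, while the unfixed jsonlib issue still surfaces so a compensating control can be tracked. Matching on bare name is lossy in real ecosystems (two packages can share a name); matching on the purl is the more precise join.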
Remediation and Patch Management
Kapture CX follows a structured vulnerability remediation lifecycle governed by the organization’s security and change management processes. Remediation may include applying patches, updating configurations, or implementing compensating controls when immediate fixes are not feasible. All updates are validated in controlled environments prior to deployment, and changes are approved through the formal Change Management Process to ensure system stability and security. Evidence of remediation, including validation logs and closure documentation, is maintained to demonstrate compliance and audit readiness.
Validation and Reporting
Post-remediation validation is carried out through re-scanning and verification to ensure all identified vulnerabilities have been effectively resolved and no residual risks remain. Periodic vulnerability management reports are presented to the Information Security Steering Committee, summarizing risk trends, remediation progress, and areas requiring long-term mitigation. Any recurring vulnerabilities or systemic issues are escalated to relevant stakeholders for root-cause analysis and implementation of preventive measures to strengthen the organization’s overall security posture.
Penetration Testing
In addition to routine scans, Kapture CX engages CERT-In empanelled penetration-testing partners to perform annual and ad-hoc assessments. These external tests replicate real-world attack vectors to validate the effectiveness of implemented controls. Findings from third-party assessments are incorporated into the internal remediation tracker and mapped against ISO 27001 controls for governance visibility.
Threat Intelligence and Continuous Monitoring
The organisation leverages global threat-intelligence feeds, vendor advisories, and vulnerability databases to stay updated on emerging exploits. Security Information and Event Management (SIEM) systems provide real-time visibility into anomalous activity, while continuous monitoring helps identify newly introduced vulnerabilities. Lessons learned from incidents feed directly into vulnerability-management policies to enhance preventive resilience.
Governance and Continuous Improvement
The Vulnerability Management Program is governed through quarterly reviews under the Information Security Management System (ISMS). Audit outcomes, incident analyses, and regulatory updates drive refinement of scanning frequency, remediation timelines, and control maturity. Documentation is retained as evidence of ongoing diligence to satisfy client, auditor, and regulator expectations.
Through its comprehensive Vulnerability Management Program, Kapture CX ensures proactive detection and timely remediation of weaknesses across all technology layers. By combining automated assessments, disciplined patch management, independent validation, and executive oversight, the company sustains a resilient security posture and continuous compliance with global cybersecurity and privacy standards.
Cloud Security
Kapture CX operates within a cloud-first architecture that prioritizes security, privacy, and reliability at every layer of deployment. The company leverages globally recognized cloud service providers that maintain certifications such as ISO 27017 (Cloud Security Controls), ISO 27018 (Cloud Privacy), SOC 2, and CSA STAR. Cloud Security at Kapture CX is built on a shared responsibility model: the cloud providers secure the underlying infrastructure, while Kapture CX implements comprehensive controls to protect the data, configurations, and workloads hosted within its environment.
Cloud Infrastructure and Configuration Management
Kapture CX’s infrastructure is designed on secure-by-default principles. Cloud resources, including compute, storage, and network layers, are hardened based on CIS Benchmarks and regularly reviewed to prevent configuration drift. Multiple regions and availability zones are used to achieve redundancy, resilience, and high availability. Continuous configuration monitoring detects unauthorized or insecure changes, ensuring compliance with internal and regulatory requirements.
Data Protection and Encryption
The protection of customer data within the cloud remains a top priority. All data at rest is encrypted using AES-256 standards, and data in transit is protected using TLS 1.2+ protocols. Encryption keys are generated, rotated, and destroyed in accordance with the company’s Cryptographic Key Management Policy, which is aligned with ISO 27001. Access to key-management systems is restricted to authorized personnel under multi-factor authentication (MFA) and role-based access controls (RBAC). Backup data and disaster-recovery replicas are encrypted and stored in separate, secure locations, ensuring continuity and integrity even in adverse conditions.
Identity and Access Management
Access to cloud environments is managed through centralized Identity and Access Management (IAM) systems enforcing least-privilege principles. Users are assigned roles based on functional responsibilities, with all administrative access requiring MFA and session recording. Access reviews are conducted quarterly to verify legitimacy and revoke unused or outdated permissions. Privileged actions, such as configuration changes or deployment triggers, are logged and monitored through Security Information and Event Management (SIEM) tools.
Third Party Compliance
Kapture CX’s Third-Party Risk Management (TPRM) framework extends to all cloud vendors, service providers, and integrations. Each third-party engagement undergoes security due diligence, contractual risk review, and data-protection validation. Third-party vendors are required to adhere to relevant international and Indian regulations, including the CERT-In Directions 2022, ISO 27017, and the RBI Outsourcing Guidelines (2023). Periodic internal and external audits confirm the cloud environment’s compliance with ISO 27001, SOC 2, and the DPDPA 2023. Audit findings and regulatory updates feed into a continuous-improvement cycle overseen by the Information Security team.
Monitoring, Logging and Threat Detection
Kapture CX employs advanced monitoring mechanisms to ensure real-time visibility into its cloud ecosystem. Continuous logging captures system events, authentication attempts, and API activity. These logs are ingested into a SIEM platform for correlation and anomaly detection. Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP) are used to identify vulnerabilities, misconfigurations, and compliance deviations across workloads. Alerts generated by these systems are investigated promptly by the Security Operations Center (SOC), ensuring swift containment and remediation of potential threats.
Kapture CX’s Cloud Security framework ensures that every element of its cloud ecosystem, from infrastructure and identity management to encryption and monitoring, is built on principles of resilience, compliance, and transparency.
Logical Access Management
Kapture CX enforces a comprehensive Logical Access Management (LAM) framework to ensure that access to information systems, networks, and data assets is restricted strictly to authorized users and aligned with the principle of least privilege. This framework safeguards against unauthorized disclosure, alteration, or destruction of data by implementing layered technical and procedural controls. Logical Access Management is an essential pillar of the company’s Information Security Management System (ISMS) and applies to employees, contractors, and third-party service providers across all environments.
Access Provisioning and Authorization
Access to Kapture CX systems follows a formal access request and approval workflow governed by documented policies and role definitions. Each access request must be authorized by the respective reporting manager and verified by the Information Security Team prior to provisioning. Role-based access control (RBAC) ensures that users are granted privileges commensurate with their functional responsibilities. Access to production and sensitive data environments is restricted to a limited number of personnel, subject to Multi-Factor Authentication (MFA) and Privileged Access Management (PAM) oversight. Temporary or emergency access is granted only after managerial justification and is automatically revoked upon completion of the approved task.
Authentication and Account Security
Kapture CX enforces strong authentication standards to validate user identity and protect against credential-based attacks. Password policies require minimum complexity, rotation, and history enforcement. MFA is mandatory for all administrative and remote access accounts, while single sign-on (SSO) solutions enhance user convenience without compromising security. User accounts are automatically locked after repeated failed login attempts, and session time-outs prevent unauthorized continuation of inactive sessions. All credentials, keys, and tokens are stored securely in encrypted repositories and rotated according to the Cryptographic Key Management Policy.
Access Reviews and Recertification
To maintain least-privilege enforcement, access reviews are conducted on a quarterly basis. Department heads and data owners review all active users, their roles, and associated permissions to ensure continued validity. Any discrepancies, such as excessive privileges or unreflected role changes, are corrected immediately. Shared accounts and shared service credentials are prohibited unless explicitly approved and technically controlled. Records of reviews, approvals, and revocations are retained as compliance evidence under ISO 27001 controls.
Monitoring, Logging and Anomaly Detection
All authentication events, privilege escalations, and configuration changes are logged and monitored centrally through Security Information and Event Management (SIEM) systems. These logs enable real time detection of unusual access patterns, such as failed login attempts, access from atypical geolocations, or abnormal data-exfiltration activity. Alerts generated by the SIEM are triaged by the Security Operations Center (SOC) team for investigation and, where necessary, incident escalation. Audit logs are tamper resistant, time synchronized, and retained according to the company’s Data Retention Policy to support forensic analysis and regulatory reporting.
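The two detections named above, a burst of failed logins and a login from an atypical location, are straightforward to express as rule logic once authentication events are in a structured form. The block below is an added example, not Kapture CX code, that runs both rules over constructed JSON log lines and also flags a success that directly follows a burst, which is the case an analyst most wants to see first. The log schema, the thresholds, and the per-user baseline of usual countries are assumptions made for the example; a real SIEM would map its own field names and derive the baseline from history.

```python
"""Authentication-log detections of the kind a SIEM rule would run.

Added example, not Kapture CX code. Implements three rules over
constructed JSON log lines: a burst of failed logins per (user, source),
a successful login right after such a burst, and a success from a
country not in the user's baseline. Schema, thresholds and baseline are
assumptions for the example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample events (one JSON object per line).
SAMPLE_LOGS = """\
{"ts": "2024-05-01T10:00:00Z", "user": "alice", "src_ip": "203.0.113.5", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T10:00:10Z", "user": "alice", "src_ip": "203.0.113.5", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T10:00:20Z", "user": "alice", "src_ip": "203.0.113.5", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T10:00:30Z", "user": "alice", "src_ip": "203.0.113.5", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T10:00:40Z", "user": "alice", "src_ip": "203.0.113.5", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T10:00:50Z", "user": "alice", "src_ip": "203.0.113.5", "country": "IN", "result": "success"}
{"ts": "2024-05-01T10:05:00Z", "user": "bob", "src_ip": "198.51.100.7", "country": "RO", "result": "success"}
{"ts": "2024-05-01T10:06:00Z", "user": "carol", "src_ip": "192.0.2.9", "country": "SG", "result": "failure"}
{"ts": "2024-05-01T10:06:05Z", "user": "carol", "src_ip": "192.0.2.9", "country": "SG", "result": "failure"}
{"ts": "2024-05-01T10:06:10Z", "user": "carol", "src_ip": "192.0.2.9", "country": "SG", "result": "success"}
"""

# Assumed baseline: countries each account normally signs in from.
KNOWN_COUNTRIES: Dict[str, Set[str]] = {"alice": {"IN"}, "bob": {"IN", "SG"}, "carol": {"SG"}}

FAIL_THRESHOLD = 5             # failures per (user, src_ip) ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window


def parse(lines: str) -> List[Dict]:
    """Parse JSON lines, convert timestamps, and order events by time."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[Dict], known_countries: Dict[str, Set[str]]) -> List[Dict]:
    """Return alerts in event order; each names its rule, user, source and time."""
    alerts: List[Dict] = []
    fails: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for e in events:
        key = (e["user"], e["src_ip"])
        recent = fails[key]
        while recent and e["ts"] - recent[0] > WINDOW:  # drop failures outside the window
            recent.popleft()
        if e["result"] == "failure":
            recent.append(e["ts"])
            if len(recent) == FAIL_THRESHOLD:            # fire once as the threshold is crossed
                alerts.append({"rule": "brute_force", "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
            continue
        # Successful login: preceded by a burst, or from an atypical country?
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"rule": "success_after_burst", "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
        if e["country"] not in known_countries.get(e["user"], set()):
            alerts.append({"rule": "atypical_geo", "user": e["user"], "src_ip": e["src_ip"], "ts": e["ts"]})
        recent.clear()
    return alerts


def run_sample() -> List[str]:
    """Rule names fired by the constructed sample, in order."""
    return [a["rule"] for a in detect(parse(SAMPLE_LOGS), KNOWN_COUNTRIES)]


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOGS), KNOWN_COUNTRIES):
        print(alert)
```

On the sample, alice's five failures in forty seconds raise one brute-force alert and her following success raises the higher-value success-after-burst alert; bob's single success from a country outside his baseline raises an atypical-geo alert; carol's two failures followed by a success from her usual country stay silent. Keying the failure window on (user, source) keeps one noisy source from masking a second attacker, and the window trim means four failures spread over ten minutes do not fire.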
User De-provisioning and Off-boarding
Upon employee separation, contract termination, or role change, Kapture CX enforces a strict access revocation process. HR and IT teams coordinate to disable accounts, retrieve devices, and revoke access tokens within predefined timelines. This ensures that no residual credentials remain active beyond the user’s employment period. The off-boarding checklist is tracked electronically and verified by the Information Security Team to maintain completeness and accountability.
Governance and Continuous Improvement
The Logical Access Management framework is reviewed annually as part of ISMS governance and whenever significant changes occur in infrastructure or technology. Internal audits, external ISO 27001 surveillance assessments, and client evaluations validate compliance effectiveness. Lessons learned from incidents and audits are used to enhance access-control mechanisms, automation, and awareness programs.
Through disciplined Logical Access Management, Kapture CX ensures that data and systems remain accessible only to authorized users who require such access for legitimate business purposes. By combining robust authentication, continuous monitoring, and strict governance, the company upholds the confidentiality, integrity, and accountability of its information assets, reinforcing client confidence and compliance with global security and privacy standards.
Data Privacy
Definition
- Data Controller / Data Fiduciary - shall mean an individual, entity or organization that determines the means and purpose of the processing of personal data.
- Data Processor - shall mean a person who processes personal data on behalf of the Data Controller / Data Fiduciary.
- Data Subject / Data Principal - shall mean the individual to whom the personal data relates and, where such individual is
  - a child, includes the parents or lawful guardian of such child
  - a person with disability, includes her lawful guardian, acting on her behalf
- Personally Identifiable Information / Sensitive Personal Information - shall mean such personal information which consists of information relating to
  - password
  - financial information such as bank account or credit card or debit card or other payment instrument details
  - physical, physiological and mental health condition
  - sexual orientation
  - medical records and history
  - biometric information
  - any detail relating to the above items as provided to the organization for providing a service; and
  - any of the information received under the above items for processing, stored or processed under lawful contract or otherwise.
Provided that the data shall be collected directly from the data subject or through the data controller.
Provided that any information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information.
Data privacy principles
- Notice: Kapture CX supports its customers who are the Data Controllers/Data Fiduciaries in providing clear and transparent notices to individuals at the time of data collection. These notices outline the purpose, type, and use of the data collected in accordance with applicable privacy laws.
- Consent: Kapture CX processes personal data only upon documented instructions from the Data Controller/Data Fiduciary, who is responsible for obtaining valid and informed consent from individuals.
- Minimization: Kapture CX ensures that only the minimum necessary data required for the intended business purpose is processed, avoiding unnecessary collection or retention.
- Use Limitation: All data processed by Kapture CX is used strictly for the purpose defined by the Data Controller/Data Fiduciary. Data is not used, shared, or disclosed for any unrelated purpose without prior authorization.
- Openness: Kapture CX maintains transparency in its privacy and security practices by publishing relevant policies and controls that outline how personal data is handled, protected, and managed throughout its lifecycle.
- Data Quality: We implement controls to ensure that personal data processed on behalf of our customers remains accurate, complete, and up to date, supporting the integrity of the information entrusted to us.
- Accountability: As a Data Processor, Kapture CX upholds strong accountability standards by implementing appropriate technical and organizational measures to assist Data Controllers/Data Fiduciaries in complying with their privacy obligations and ensuring data protection.
Statutory and Regulatory Requirements of Various Jurisdictions
India
In accordance with India’s Digital Personal Data Protection Act, 2023 and Information Technology Act 2000, Kapture processes personal data in a lawful, fair, and transparent manner, solely for purposes explicitly defined by the Data Controller.
As a Data Processor, Kapture acts only on the instructions of the Data Controller and does not process personal data for its own purposes. We ensure that the personal data collected is limited to what is necessary and proportionate to the specified purpose and is not retained beyond the period required for fulfilling that purpose.
Kapture implements appropriate technical and organizational measures to protect personal data against unauthorized access, misuse, alteration, or disclosure. These include access controls, encryption, secure infrastructure, and staff awareness programs. In case of a personal data breach, Kapture promptly notifies the Data controller so that they may fulfill their legal obligations to inform the Data Protection Board and affected individuals, where necessary.
We also ensure that all sub-processors engaged by Kapture are contractually bound by equivalent data protection obligations. When processing involves cross-border data transfers, Kapture follows the instructions of the Data Controller and ensures transfers are made only to countries or entities permitted under applicable rules.
Kapture supports the Data Controller in enabling the exercise of data principal rights, such as access, correction, erasure, and grievance redressal, and maintains internal records to demonstrate compliance with the provisions of the DPDP Act.
European Union
In accordance with the General Data Protection Regulation (GDPR), Kapture processes personal data in a lawful, fair, and transparent manner, strictly for specific, explicit, and legitimate purposes as defined by the Data Controller. We collect and process only the minimum amount of personal data necessary to achieve the intended purpose, and ensure that data is not further processed in any way that is incompatible with those original purposes. As a Data Processor, Kapture acts solely on the documented instructions of the Controller and does not make any independent decisions regarding the lawful basis or means of processing.
Kapture has in place appropriate technical and organizational measures to ensure a high level of data security, including protection against unauthorized access, accidental loss, or unlawful destruction. These include access controls, encryption, regular risk assessments, and staff training. Personal data is retained only as long as necessary for the purposes for which it was collected or as instructed by the Controller, after which it is securely deleted or anonymized. Any cross-border transfers of data outside the EU are conducted only in accordance with approved mechanisms such as Standard Contractual Clauses (SCCs), adequacy decisions, or binding corporate rules, ensuring a level of protection equivalent to that within the EU.
Kapture supports Controllers in fulfilling their obligations under the GDPR, including enabling data subject rights such as access, rectification, erasure, restriction, objection, and portability. In the event of a data breach, Kapture promptly informs the Controller, allowing timely notification to supervisory authorities and data subjects where required. To demonstrate ongoing compliance, we maintain detailed records of all processing activities carried out on behalf of Controllers and make these available to regulators upon request. Where sub-processors are engaged, Kapture ensures they are bound by equivalent data protection obligations through legally binding agreements. Through these measures, Kapture upholds the principles of accountability, data minimization, integrity, and confidentiality in full alignment with the GDPR.
Singapore
In compliance with Singapore’s Personal Data Protection Act 2012 (PDPA), Kapture is committed to developing and implementing the internal policies and practices necessary to fulfill its legal obligations under the Act. These include establishing clear procedures for the collection, use, retention, and disposal of personal data, as well as mechanisms to ensure accountability and transparency across the organization. Kapture has also implemented a structured process to receive and respond to complaints or inquiries related to the application of the Act, ensuring prompt and fair resolution.
To maintain a privacy-aware culture, Kapture regularly communicates its data protection policies and procedures to all staff through training and internal communications. Additionally, the organization ceases to retain documents containing personal data, or anonymizes such data, once it is reasonable to conclude that the original purpose for collection has been fulfilled and continued retention is no longer necessary for legal or legitimate business needs.
Indonesia
Kapture, as a Personal Data Processor, complies fully with Indonesia’s Personal Data Protection Law. We process personal data solely on behalf of and under the instructions of the Data Controller, ensuring that data is handled only for legitimate, specific, and clearly defined purposes. Under no circumstances is the data used for purposes beyond those agreed upon. Our relationships with Data Controllers are governed by binding contracts that outline the scope, nature, purpose, and duration of the processing activities, as well as the categories of personal data involved.
Kapture implements robust technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These measures include secure system design, encryption, access control, and incident response protocols. We maintain clear records of processing activities and cooperate with Data Controllers to ensure accountability and transparency. In the event of a data breach, we promptly notify the Controller to support timely notification to the authorities and affected individuals.
Where personal data is transferred or stored outside Indonesia, Kapture ensures that the recipient country or organization upholds an adequate level of data protection or that appropriate safeguards are in place. We retain personal data only for as long as necessary to fulfill the agreed-upon purpose or as instructed by the Controller, after which it is securely deleted or anonymized. Kapture does not disclose personal data or processing results to third parties unless legally authorized or contractually required. To support ongoing compliance, our staff are regularly trained on data protection responsibilities, and we continually assess our practices to align with the requirements of Indonesian data privacy law.
California
In accordance with the California Consumer Privacy Act (CCPA), Kapture ensures that all data processing activities are governed by binding contracts between the subscriber and Kapture. These contracts clearly define the specific purposes for which personal data is processed and strictly prohibit its use for any unrelated purposes, such as advertising, profiling, or resale.
Kapture does not sell, share, or combine personal data with information from other sources unless expressly permitted by law or contract. We actively support consumer rights by assisting businesses in responding to data subject requests, including access, correction, and deletion. Robust security measures are implemented to prevent unauthorized access, alteration, or disclosure of personal data.
In addition, while engaging sub-processors, Kapture ensures they are contractually bound to the same privacy and security standards, and we allow businesses to monitor, audit, and verify compliance with CCPA obligations as required.
UAE
In accordance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, Kapture processes personal data in a fair, transparent, and lawful manner, strictly for specific, clear, and legitimate purposes. Data collected is limited to what is necessary and proportionate to the purpose of processing. Personal data is stored securely and protected against unauthorized access, alteration, loss, or unlawful processing, through the implementation of appropriate technical and organizational safeguards in line with applicable laws and international best practices.
Kapture does not retain personal data beyond the period necessary for its intended purpose. Data is securely erased upon expiry of the processing period unless anonymization is applied, ensuring the identity of the data subject can no longer be determined. As a processor, Kapture acts strictly in accordance with the documented instructions of the controller and ensures that the scope, subject, type, and category of personal data processed are clearly defined in contractual agreements.
To ensure continuous compliance, Kapture maintains a detailed processing record, implements privacy-by-design measures, and ensures that any extension of processing is approved by the controller. Data processing is carried out using secure systems and devices, including encryption, pseudonymization, and measures for ensuring ongoing confidentiality, integrity, availability, and resilience. Regular testing and evaluation of security controls are conducted to ensure effectiveness, and Kapture remains accountable by making such records and evidence of compliance available to the relevant authority upon request. Where multiple processors are involved, clear contractual allocation of roles and responsibilities is ensured, or else processors are held jointly liable under the law.
Data Handling Mechanism
Kapture collects Personal Data through various digital and operational channels to enable service delivery, customer support, analytics, and compliance. This includes data gathered from website visitors and app users via form submissions, cookies, and web interaction logs, as well as from registered users and customers for account creation, authentication, billing, and platform usage analytics.
As a data processor, Kapture also handles Customer End User Data strictly in accordance with customer instructions, without independently controlling or verifying such data. Information is further collected for marketing and lead generation through opt-in campaigns, events, and trusted third-party partners, ensuring that all communications are consent-based and transparent.
Additionally, data is collected from partners, vendors, and suppliers for contractual and compliance purposes, and from office visitors through access logs and CCTV monitoring to maintain physical security. Kapture may also receive publicly available or third-party sourced data to enhance its business understanding and engagement efforts. All data collection activities adhere to applicable data protection and privacy standards to ensure lawful, fair, and secure processing.
User and Customer Rights
Kapture CX ensures that all users and customers are empowered to exercise their rights in accordance with applicable data protection laws and contractual obligations. These rights are fundamental to our commitment to transparency, accountability, and lawful processing.
Access, Correction and Deletion Requests
As a Data Processor, Kapture CX assists its customers (Data Controllers) in fulfilling requests from data subjects while maintaining compliance, transparency, and accountability throughout the process. Individuals may request access to the personal information processed about them, seek rectification of inaccurate or incomplete data, and request deletion when the data is no longer necessary for its intended purpose. All verified requests are fulfilled within the timelines prescribed under the relevant data protection regulations and contractual frameworks.
Consent Management
Kapture CX acts strictly as a Data Processor and processes personal data only on the documented and lawful instructions of its customers, who function as Data Controllers. The responsibility for obtaining, recording, and managing consent from data subjects rests solely with the Data Controller. Kapture CX supports its customers’ consent management frameworks through appropriate technical and organizational measures, ensuring that processing is limited to the authorized purposes defined by the Controller and that data is securely deleted upon withdrawal of consent or termination of services.
Data Protection for Children
As a Data Processor, Kapture CX does not knowingly collect or process personal data of children below the age threshold prescribed by applicable data protection laws. In instances where its customers, acting as Data Controllers, process personal data relating to minors, Kapture CX performs processing activities only under the Controller’s verified instructions and subject to evidence of valid parental or guardian consent. Enhanced safeguards such as restricted access controls, encryption, and audit logging are implemented to ensure the security and privacy of such data throughout its lifecycle.
Privacy related Communication
For any questions, concerns, or requests related to this Privacy Policy or our data protection practices, please reach out to infosec@kapture.cx.
Privacy Policy
At Kapture CX, we recognize that privacy is a cornerstone of customer trust and responsible business operations. This Privacy Policy outlines how we protect and manage personal data entrusted to us by our customers, partners, and stakeholders.
Objective
- The Privacy Policy shall outline the data protection responsibilities of Kapture CX in its role as a data processor.
- In addition, it ensures that all processing activities are carried out in compliance with applicable data protection laws, maintaining transparency, accountability, and security in handling personal data on behalf of data controllers.
Applicability of privacy policy
This policy applies to:
- All employees, agents, subcontractors, or service providers engaged by the Data Processor who have access to or handle Personal Data.
- Internal teams, including but not limited to IT, HR, Legal, Compliance, and Operations, involved in data processing operations under the DPA.
- Any individual or third party acting on behalf of the Data Processor under the Data Controller’s instructions.
Applicable laws and regulations
The applicable laws and regulations include the data protection laws and regulations referenced above in the Data Processing Agreement.
Role of the organization
- Kapture CX acts strictly as a Data Processor, processing personal data on behalf of and under documented instructions from the Data Controller.
- The Data Processor shall not determine the purposes or means of the processing of personal data.
Privacy principles followed by organization
The Organization commits to the following privacy principles, including but not limited to: Lawfulness, Fairness, Purpose Limitation, Data Minimization, Accuracy, and Accountability.
These principles shall guide all internal data protection activities and are embedded into all processing operations governed by the DPA.
Procedure to establish standards
The Data Processor establishes privacy and security standards by:
- Conducting privacy impact assessments and risk analysis
- Implementing policies in alignment with applicable laws and controller instructions
- Reviewing internal practices periodically to ensure compliance
- Integrating standards with existing quality and security frameworks
- Conducting a comprehensive review of its data management policy to ensure alignment with evolving data security controls and industry standards.
Established security standards
The established security standards include, but are not limited to, compliance with the GDPR, ISO 27001, the Digital Personal Data Protection Act 2023, the Information Technology Act 2000, RBI guidelines, and CERT-In rules.
Data declaration
- The Data Processor declares that it shall only process Personal Data for specified, lawful, and contractually agreed purposes.
- The Processor shall not retain or use the Personal Data for any purpose other than to fulfill its obligations under the DPA.
Privacy disclaimer
- The Data Processor processes Personal Data strictly on behalf of the Data Controller and assumes no responsibility for the legality of the purposes for which the data is collected or used.
- The Controller retains sole responsibility for ensuring that Personal Data provided to the Processor complies with all legal obligations.
Adherence to policies
- The Data Processor requires that all individuals it engages, including employees, contractors, and third party service providers, comply with this Privacy Policy.
- Any failure to comply with the privacy policy shall result in disciplinary action, termination of engagement, and/or legal consequences in accordance with applicable laws and contractual obligations.
- The Data Processor shall conduct periodic audits and compliance assessments to ensure ongoing alignment with privacy and data protection standards.
Assistance with Data Subject Rights
Data Retention Policy
The Data Processor shall retain Personal Data only for as long as necessary to fulfil the obligations under the Data Processing Agreement or as required by applicable law.
Privacy tools training and education
The Data Processor provides ongoing training to personnel involved in data processing activities, including:
- Data protection awareness training
- Use of tools for privacy management, including data mapping, DPIAs, and consent handling
- Incident response simulations
- Guidance on controller specific requirements where applicable.
Review of Privacy Policy
- This Privacy Policy Schedule shall be reviewed annually, or sooner if required due to changes in applicable laws, processing practices, or risks.
- Any updates shall be documented and communicated to the Data Controller for approval or acknowledgment, as applicable.
Privacy Policy for Use of Website
This Privacy Policy describes how Kapture CX (“Kapture”, “we”, “our”, “us”) collects, uses, shares, retains, and protects Personal Information in the course of providing our products, services, websites, applications, and related interactions (“Services”).
This Policy applies to:
- Website visitors and individuals interacting with our digital properties
- Users of our SaaS platform and mobile applications
- Customers and their authorized personnel
- Customer end-users, to the extent data is processed on behalf of the Customer
- Partners, suppliers, contractors, and service providers
- Individuals receiving marketing or business communications
Kapture processes Personal Information in accordance with applicable global privacy and data protection regulations, including the GDPR, DPDPA 2023, CCPA/CPRA, ePrivacy Directive, and relevant industry specific requirements.
Collection of Personal Information:
Kapture collects Personal Information through multiple, clearly defined modes:
Website Visitors
We collect information that you voluntarily submit through “Contact Us,” “Request Demo,” or similar forms, along with technical data automatically generated through cookies, log files, and analytics technologies.
Users of our Service
When you authenticate, access, or use our Services, we collect device data, activity logs, usage patterns, and operational metadata required to deliver and improve the platform.
Customer end user data
Kapture processes Customer End User Data strictly in accordance with the Customer’s documented instructions, as defined under the Data Processing Agreement. Kapture does not independently initiate, manage, or validate communications directed by Customers to their end users.
Marketing and Business Development
We may process Personal Information of prospective clients or existing customers to provide product updates, event information, and marketing communications, in compliance with consent and opt out requirements.
Partners, Vendors and Subcontractors
We process Personal Information necessary for onboarding, contractual administration, service delivery, compliance checks, invoicing, and communication.
Third Party or Public Source
We may receive Personal Information from third party partners, publicly available sources, or individuals within your organization who are authorized to share such information with us.
Categories of Personal Information
The categories of Personal Information Kapture processes vary based on your interaction with our Services. Whether you are engaging with our website, accessing our SaaS platform, or corresponding with our support or sales teams, we collect only the information necessary to operate securely, deliver services effectively, and meet regulatory requirements.
Given below are the categories of personal data collected:
| Situation | Categories of Personal Data |
|---|---|
| You express an interest in obtaining additional information about our services, contact us, register to use our websites or to receive communications, sign up for an event, use our products or services, or are employed by a customer of our products or services and your information has been shared with us | Contact information, such as your name, job title, company name, address, phone number, and email address, and other information you voluntarily choose to share, such as transaction details |
| You interact with our websites or emails | Information about your device and your usage of our websites or emails (such as Internet Protocol (IP) addresses or other identifiers), which may qualify as Personal Data, collected using cookies, web beacons, or similar technologies |
| You use and interact with our products or services | Information about your device and your usage of our services, collected through log files and other technologies, and billing information |
| You visit our offices | Name, email address, phone number, company name, time and date of arrival, and image or video recordings |
| You are a supplier or service provider | Contact information and payment and billing information |
Security and Compliance:
Kapture maintains a comprehensive information security and compliance program designed to safeguard the confidentiality, integrity, and availability of all Personal Information processed through our platform.
Our security framework aligns with globally recognized standards and regulatory expectations, including ISO/IEC 27001:2022, ISO/IEC 42001 for AI management, SOC 2 Type II, GDPR privacy-by-design principles, and the requirements of India’s Digital Personal Data Protection Act (DPDPA) 2023, alongside HIPAA-aligned safeguards where applicable.
This program is supported by rigorous administrative, technical, and physical controls such as strong encryption protocols, role-based access governance, continuous network and event monitoring, vulnerability and patch management, secure SDLC practices, supplier and third party risk due diligence, and a documented incident detection and response mechanism.
Kapture conducts ongoing audits, governance reviews, and risk assessments to ensure sustained compliance with regulatory obligations and adherence to industry best practices.
For any security related questions or inquiries, you may contact us at infosec@kapture.cx.
Data Retention:
Kapture retains Personal Information only for the duration necessary to fulfil the purposes for which it was collected, including the provision of our Services, compliance with contractual commitments, and adherence to legal or regulatory requirements. Retention periods differ based on the nature of the data, applicable jurisdictional mandates, statutory limitation periods, and the duration of customer relationships.
We may also retain certain records for audit readiness, dispute resolution, enforcement of agreements, fraud detection, and operational continuity. Once Personal Information is no longer required for these purposes, Kapture securely deletes or irreversibly anonymizes the data in accordance with established disposal procedures and regulatory expectations.
Links to third party websites:
Our website and Services may include links or integrations directing users to external websites or third party platforms. These third party sites operate independently from Kapture, and we do not control, endorse, or assume responsibility for their content, data handling practices, or privacy policies. We strongly recommend that users review the privacy notices of any third party website they visit, as this Privacy Policy applies solely to Personal Information collected or processed by Kapture.
Children’s Privacy:
Kapture does not knowingly collect, process, or solicit Personal Information from individuals under the age of 18. If we become aware that Personal Information belonging to a minor has been collected unintentionally, we will take immediate steps to delete such information in accordance with applicable legal requirements. If you believe that a minor may have provided Personal Information to Kapture, we request that you notify us promptly so that appropriate action can be taken.
You may notify us at infosec@kapture.cx
Update to Privacy policy:
Kapture may amend or update this Privacy Policy periodically to reflect changes in our practices, regulatory developments, or technological advancements. Any modifications will be published on this page with an updated effective date. We encourage users to review the Policy regularly to remain informed of how we protect and process Personal Information. Continued use of our Services following the publication of an updated Privacy Policy will constitute acknowledgment and acceptance of the revised terms.
Cookie Policy
Kapture CX (“we”, “us”, or “our”) is committed to protecting your privacy and ensuring transparency in how we use cookies and similar technologies. This Cookie Policy explains what cookies are, why we use them, what types of cookies we use, and how you can manage or disable them. We have crafted this policy to comply with applicable privacy regulations in the regions we operate, including India’s data protection laws, the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), as well as other relevant jurisdictions. Our goal is to meet or exceed these requirements and provide you with clear information and control over your cookie preferences.
By using our website with cookies enabled in your browser, you acknowledge the practices described in this Cookie Policy.
Definition of cookies
For the purposes of this Policy, “cookies” shall mean small data files or identifiers that are transmitted and stored on a User’s device (computer, smartphone, or tablet) through a web browser when visiting or interacting with the Website. Cookies may contain identifiers, session data, or preferences that enable the Website to function properly, enhance security, and improve user experience.
The Company may also employ other tracking technologies such as pixels, tags, SDKs, scripts, beacons, and local storage objects which functionally resemble cookies and are governed by this Policy.
Types of cookies
The Company employs cookies and similar technologies for the following lawful purposes:
Strictly Necessary / Essential Cookies:
To enable core functionalities such as session management, authentication, page navigation, and access to secure areas. These cookies are indispensable for the operation of the Website and are set by default.
Functional Cookies:
Functional cookies allow us to remember your preferences such as language, region, and display settings and maintain a consistent user experience. They support enhanced functionality and personalization. If you choose to disable these cookies, certain features may not operate as intended.
Performance and Analytics Cookies:
These cookies help us understand how users interact with the Website by collecting information such as page visits, time spent, click paths, and technical performance metrics. The insights derived from these cookies assist us in optimizing Website performance, improving content relevance, and ensuring system reliability. All analytics activities are conducted in compliance with applicable privacy laws, and data is processed in aggregated or anonymized form wherever possible.
Advertising and Targeting Cookies:
These cookies enable us and our authorized third party partners to deliver personalized advertisements, assess campaign performance, and prevent repetitive or irrelevant ads. They may track your browsing behavior across websites to provide interest based content. Such cookies are deployed only after obtaining your explicit consent and operate under strict contractual data protection and confidentiality obligations.
Third Party Cookies:
Our Website may integrate services provided by third parties such as customer support chat tools, embedded videos, social media plug-ins, or analytics dashboards which may set cookies on your device. These cookies are governed by the respective third parties’ privacy and cookie policies. We ensure that such integrations are permitted only with vendors who adhere to appropriate security, confidentiality, and data protection standards.
Lawful Basis of Processing
The placement and processing of cookies are undertaken on the following legal bases, as applicable under the GDPR and DPDPA:
Performance of a Contract:
Cookies that are strictly necessary for the functioning of the Website and for delivering services the User has requested, such as authentication or secure access, are placed on the basis of contractual necessity. Without these cookies, certain core functionalities may not be available.
Consent:
Non-essential cookies such as analytics, performance, advertising, or personalization cookies are placed only after obtaining the User’s free, specific, informed, and unambiguous consent through our Cookie Banner or Preference Management Center. Users retain the right to withdraw their consent at any time without affecting the lawfulness of prior processing.
Legitimate Interests:
Certain cookies may be processed under our legitimate interests, where such processing is necessary for purposes such as network and information security, fraud detection, service optimization, or aggregated analytics that do not materially impact the rights, freedoms, or reasonable expectations of the User. All legitimate interest assessments are performed in alignment with regulatory expectations.
User Control and Consent
Users shall retain full and continuing control over the activation, deactivation, and management of cookies and similar tracking technologies utilized by the Company.
Except for cookies that are strictly necessary for the technical operation of the Website, the installation of any cookies or comparable identifiers on a User’s device shall be subject to the User’s prior, explicit, and informed consent obtained through a visible cookie banner or preference management interface.
Consent shall be deemed freely given, specific, informed, and unambiguous, and may be withdrawn at any time without prejudice to the lawfulness of processing based on consent prior to its withdrawal. Users may exercise such withdrawal through the Cookie Preference Center available on the Website or by adjusting browser settings to block or delete cookies. Upon withdrawal of consent, all non-essential cookies shall be deactivated, and no further data shall be collected through such technologies.
The Company shall maintain verifiable records of consent as required under applicable data protection regulations and shall ensure that Users are provided with accessible mechanisms to modify or revoke consent at their discretion. Users are hereby notified that disabling or rejecting certain categories of cookies may render portions of the Website inaccessible or may affect functional performance.
The Company shall not condition access to its core services upon the acceptance of non-essential cookies, nor shall it employ dark patterns or coercive mechanisms to obtain consent. All processing activities undertaken through cookies shall strictly adhere to the principles of lawfulness, fairness, transparency, data minimization, and purpose limitation as prescribed under the GDPR, CCPA/CPRA, and the Digital Personal Data Protection Act, 2023.
Contact and further information
For questions or concerns regarding this Cookie Policy or our privacy practices, please contact:
Information Security Office
Email: infosec@kapture.cx
ISO 27001
Kapture CX’s Information Security Management System (ISMS) is designed and operated in alignment with ISO 27001:2022, the globally recognized standard for establishing, implementing, maintaining, and continuously improving information security controls. This certification demonstrates the company’s commitment to a structured and risk based approach to safeguarding information assets, maintaining confidentiality, integrity, and availability, and fulfilling contractual and legal obligations across jurisdictions.
Governance and Risk Management
Under ISO 27001, Kapture CX implements a formal governance structure that defines accountability for information security at all organizational levels. A dedicated Information Security Team oversees policy approval, risk assessment outcomes, and audit findings. The company conducts periodic risk assessments to identify, evaluate, and treat potential threats. Controls are selected and mapped against Annex A (93 controls), ensuring appropriate mitigation aligned with operational realities and customer requirements.
Policies and Control Implementation
Kapture CX maintains a comprehensive set of information security policies, including Access Control, Asset Management, Cryptography, Supplier Management, and Incident Response. Each policy is reviewed annually or upon significant environmental change. The organization follows the Plan–Do–Check–Act (PDCA) cycle to drive continual improvement, ensuring that its ISMS adapts to evolving business and regulatory demands.
Audits and Continuous Improvement
Internal audits are conducted at least twice a year by certified ISO 27001 auditors, supplemented by an independent external certification audit. Nonconformities are tracked in a central register and resolved within defined timelines. Management Review Meetings evaluate audit results, incident reports, and risk treatment effectiveness to ensure alignment with corporate objectives and stakeholder expectations.
Training and Awareness
All employees and contractors undergo mandatory information security training at onboarding and annually thereafter. Specialized sessions are provided for developers, administrators, and data handlers, focusing on compliance, secure coding, and privacy-by-design principles. Attendance and completion are logged for audit verification.
ISO 27001 compliance reinforces Kapture CX’s position as a trusted SaaS provider with a proactive and documented approach to information security. Through continuous monitoring, internal audits, and leadership oversight, the organization ensures that security controls remain effective, relevant, and aligned with evolving business and regulatory environments.
SOC 2 Compliance
Kapture CX’s information security and data management practices are aligned with the SOC 2 framework. SOC 2 evaluates the design and operating effectiveness of security, availability, processing integrity, confidentiality, and privacy controls, collectively known as the Trust Services Criteria. Adherence to SOC 2 ensures that Kapture CX maintains a secure environment for processing client data while offering transparent assurance to customers and auditors.
Governance and Trust service principles
Kapture CX’s SOC 2 program covers all five Trust Services Criteria:
- Security: Protection of systems and data against unauthorized access.
- Availability: Reliable uptime through resilient infrastructure, redundancy, and disaster recovery mechanisms.
- Processing Integrity: Assurance that system operations are complete, accurate, and authorized.
- Confidentiality: Proper classification, storage, and disposal of sensitive information.
- Privacy: Handling of personal data consistent with contractual and legal privacy commitments.
The organization’s Information Security team supervises SOC 2 control design, performance tracking, and remediation, while leadership accountability and risk management are embedded through defined control owners and continuous oversight.
Control Implementation and Monitoring
Kapture CX maintains formal policies and procedures mapped to the SOC 2 Trust Services Criteria. Access management, encryption, change control, vulnerability management, and incident response controls are documented and enforced through its Information Security Management System (ISMS).
All activities are logged and monitored through Security Information and Event Management (SIEM) solutions that enable real time detection of suspicious events. Physical (environmental) and logical access reviews are conducted quarterly, and any deviations are corrected under management supervision. Audit evidence is maintained in accordance with AICPA requirements to ensure traceability and accuracy.
Auditing and Independent Validation
An independent SOC 2 auditor (a licensed CPA firm, as the AICPA requires) conducts annual assessments to evaluate the design (Type I) and operating effectiveness over a period (Type II) of Kapture CX’s controls. The auditor performs interviews, system inspections, and documentation reviews to confirm alignment with the AICPA’s Trust Services Criteria. Findings and recommendations are documented in a formal SOC 2 report, which is shared with clients under a confidentiality agreement. Corrective actions arising from these assessments are tracked within the company’s compliance management system until closure.
Through SOC 2 compliance, Kapture CX assures its customers that operational and technical safeguards are consistently applied and independently verified. The company’s ongoing monitoring, external audits, and executive level oversight reinforce its commitment to secure, available, and reliable service delivery ensuring confidence and accountability across its global client base.
ISO 42001 Compliance
Kapture CX aligns its Artificial Intelligence (AI) governance and ethical management practices with the emerging international standard ISO/IEC 42001:2023. It provides a framework for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS). This standard ensures that AI systems are developed and deployed responsibly, safely, and transparently while maintaining compliance with applicable laws, ethical norms, and customer expectations. Kapture CX’s adoption of ISO 42001 principles demonstrates its proactive approach to AI governance, accountability, and trustworthiness in technology operations.
AI Governance and Accountability
The AI Governance Framework at Kapture CX establishes oversight and responsibility for every stage of the AI lifecycle from design and data collection to model deployment and monitoring. The Information security team reviews all AI use cases to ensure adherence to risk management principles, privacy laws, and ethical standards. Each AI system is evaluated for fairness, bias mitigation, transparency, and explainability.
Risk Management and Ethical Principles
In accordance with ISO 42001 requirements, Kapture CX conducts AI Risk Assessments to identify potential harms, biases, or unintended consequences arising from algorithmic processing. Risks are categorized as operational, ethical, or legal, and corresponding mitigation measures are integrated into system design. The company adheres to the ethical principles of fairness, reliability, non-discrimination, human oversight, and societal benefit. Bias testing frameworks are embedded into model validation pipelines, and results are reviewed by both technical and compliance stakeholders before deployment.
Data Governance and Privacy Integration
AI systems at Kapture CX rely on responsibly sourced and privacy compliant data. All training and inference datasets undergo evaluation under the company’s Data Protection Impact Assessment (DPIA) process, ensuring adherence to GDPR, DPDPA 2023, and ISO 27001 controls. Personal data used for AI models is anonymized, pseudonymized, or aggregated where possible. Data access, sharing, and retention follow defined governance procedures, and all AI driven data processing activities are logged for auditability and regulatory readiness.
Security and Model Integrity Controls
The AI Management System integrates with Kapture CX’s ISMS to ensure protection against model theft and adversarial manipulation. Access to AI model repositories, datasets, and development environments is restricted through Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA). Source code and model weights are version controlled. Continuous monitoring detects anomalies in model performance that could indicate data drift or unauthorized interference.
Transparency, Human Oversight and Continuous Improvement
Kapture CX promotes AI transparency by maintaining documentation on model design, intended use, limitations, and evaluation metrics. Where AI decisions impact users or clients, human oversight mechanisms are incorporated to validate fairness and appropriateness. Feedback loops from audits, customer reviews, and regulatory updates inform the continuous improvement of the AI governance process. The AI Governance Committee periodically reviews policies and adjusts controls to align with evolving international standards and societal expectations.
By implementing practices aligned with ISO/IEC 42001:2023, Kapture CX ensures that AI systems operate ethically, securely, and transparently. This structured approach to AI governance enhances trust, accountability, and compliance reinforcing Kapture CX’s commitment to responsible innovation and adherence to emerging global standards for safe and ethical AI deployment.
GDPR Compliance
Kapture CX is fully committed to upholding the principles of the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which establishes a comprehensive framework for the protection of personal data and the privacy rights of individuals within the European Union. As a data processor serving global clients, Kapture CX ensures that all personal data entrusted to it is handled lawfully, fairly, and transparently. The company’s data protection practices align with the GDPR’s core principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
Data processing and roles
Kapture CX operates as a data processor for customer data and as a data controller for employee and operational data. The company processes personal data strictly under written instructions from its clients (data controllers) in accordance with Article 28 of the GDPR. Data Processing Agreements (DPAs) define roles, obligations, and technical safeguards for each engagement. Customers retain full ownership and control over their data, while Kapture CX ensures confidentiality, security, and restricted access based on the principle of least privilege.
Lawful Basis and Purpose Limitation
All data collected and processed by Kapture CX is subject to a clearly defined lawful basis, such as contractual necessity, legitimate interest, or explicit consent under Articles 6 and 7 of the GDPR. Personal data is processed solely for identified and documented business purposes and is not reused, sold, or disclosed for unrelated objectives. Where Kapture CX supports client operations involving end-user data, processing activities are limited to what is essential for providing the agreed-upon services.
Data Subject Rights and Transparency
Kapture CX maintains procedures to facilitate the exercise of data subject rights as set forth in Articles 12–23 of the GDPR. These include the rights to access, rectification, erasure, restriction, data portability, and objection. Requests are verified, logged, and fulfilled within the stipulated regulatory timelines in coordination with the client's data controller teams. The company's Privacy Notice and client-specific data processing agreements clearly outline the categories of data processed, processing purposes, retention periods, and contact channels for privacy-related inquiries.
Security and Technical Safeguards
In alignment with Article 32, Kapture CX implements appropriate technical and organizational measures to secure personal data. These include AES-256 encryption at rest, TLS 1.2 encryption in transit, multi-factor authentication (MFA), and role-based access controls (RBAC). Data is stored within geographically compliant data centers, and all third-party processors undergo security due diligence through the company's Third Party Risk Management (TPRM) process.
Incident response procedures ensure prompt identification and containment of any potential personal data breach, and notification to the affected client (the data controller) without undue delay, so that the controller can meet its own notification obligations to supervisory authorities and data subjects under Articles 33 and 34.
Cross Border Data Transfer
For international data transfers, Kapture CX ensures compliance with Chapter V of the GDPR. Transfers are executed under a European Commission adequacy decision, the Commission's Standard Contractual Clauses (SCCs), or another transfer mechanism recognized under Chapter V. Data localization requirements are respected wherever legally mandated, and data is hosted in the regions designated by the client's contractual terms.
Data Protection Officer
A dedicated Data Protection Officer (DPO) oversees GDPR compliance, conducts data protection impact assessments (DPIAs), and reports directly to senior management. Regular audits, policy reviews, and training programs ensure that privacy controls remain current and effective. The company's Information Security Management System (ISMS) and Data Protection Framework operate together, providing holistic assurance to customers and regulators.
Through adherence to GDPR principles, Kapture CX ensures that all personal data processing activities are lawful, transparent, and secure. The organization’s structured governance, accountability mechanisms, and continuous monitoring reflect its unwavering commitment to protecting individual privacy and maintaining global compliance standards.
Digital Personal Data Protection Act (DPDPA) Compliance
Kapture CX is committed to full compliance with India's Digital Personal Data Protection Act (DPDPA) 2023, which governs the lawful processing of digital personal data and upholds the privacy rights of individuals (referred to as Data Principals). As a responsible Data Processor, Kapture CX processes personal data solely under the direction and authorization of its customers (referred to as Data Fiduciaries) and ensures that all handling of digital personal data complies with the principles of legality, transparency, fairness, and security. The company's internal data protection framework, aligned with ISO 27001 and GDPR, reinforces compliance with the DPDPA's requirements on purpose limitation, consent management, and accountability.
Roles and Responsibilities
Kapture CX acts as a Data Processor under the DPDPA, processing personal data only on documented instructions from the Data Fiduciary. The company does not determine the purpose or means of processing but ensures that such processing adheres to the highest security standards and contractual commitments. Internal teams, including Information Security, Legal, and Privacy, operate under defined responsibilities to ensure that processing is lawful, limited to authorized purposes, and auditable. In its role as an employer, Kapture CX also acts as a Data Fiduciary for its employee and vendor data and implements safeguards consistent with DPDPA principles.
Consent and Lawful Processing
Kapture CX's systems and policies are designed to support lawful, consent-driven processing in compliance with Sections 4–8 of the DPDPA. Consent is obtained, managed, and withdrawn through explicit, unambiguous means. Where processing relies on one of the legitimate uses recognised under Section 7 of the Act (for example, employment-related purposes), appropriate notices and transparency about data handling are maintained. The company's Privacy Notice provides clear information about the categories of data collected, processing purposes, and retention timelines. Data is never processed for purposes beyond those lawfully authorized by the Data Fiduciary or mandated by law.
Data Subject Rights
Kapture CX supports Data Fiduciaries in facilitating the rights of Data Principals, including the rights to access, correction, erasure, grievance redressal, and consent withdrawal. Requests are verified, documented, and fulfilled within the prescribed timelines under Chapter III (Sections 11–14) of the Act. The company maintains a Grievance Redressal Mechanism that ensures complaints are acknowledged, investigated, and closed transparently. Dedicated privacy personnel coordinate with Data Fiduciaries to address individual rights in compliance with contractual and legal obligations.
Security, Retention and Breach Management
In alignment with Section 8(5) of the DPDPA, Kapture CX employs appropriate technical and organizational measures to prevent unauthorized access, alteration, or disclosure of personal data. These measures include AES-256 encryption, TLS 1.2+ transmission security, multi-factor authentication (MFA), and regular vulnerability testing. Data retention is governed by the company's Data Retention and Disposal Policy, ensuring that personal data is retained only as long as necessary for lawful purposes. In the event of a personal data breach, Kapture CX follows a structured Incident Response and Breach Notification Procedure, informing the Data Fiduciary and other affected parties within the legal and contractual timelines so that the Data Fiduciary can meet its own intimation obligations to the Data Protection Board and affected Data Principals under Section 8(6).
Cross Border Data Transfers
Where personal data is transferred outside India, Kapture CX complies with Section 16 of the DPDPA and any associated government notifications. Transfers are not made to any country or territory that the Central Government has restricted by notification, and they are additionally covered by contractual safeguards such as Standard Contractual Clauses (SCCs) or equivalent protections. Data localization preferences are respected when required by client contracts or regulatory mandates.
Accountability and Governance
Kapture CX's Privacy Governance Framework defines accountability through designated Data Protection and Compliance Officers who oversee DPDPA implementation. The company conducts Privacy Impact Assessments (PIAs) and periodic audits to verify adherence to the Act's provisions. Regular awareness programs educate employees about DPDPA principles and their individual responsibilities. Documentation of processing activities and audit evidence ensures transparency and demonstrable compliance.
By aligning its privacy operations with the Digital Personal Data Protection Act 2023, Kapture CX ensures that personal data is processed responsibly, lawfully, and securely. The company’s structured controls, governance oversight, and culture of privacy accountability reinforce trust among customers, regulators, and end users demonstrating Kapture CX’s leadership in digital data protection and compliance excellence.
CERT-In Compliance
Kapture CX complies with the directives and guidelines issued by the Indian Computer Emergency Response Team (CERT-In) under the Information Technology Act, 2000 (Section 70B) and the CERT-In Directions 2022. These directives establish mandatory cybersecurity and incident reporting obligations for service providers, intermediaries, and organizations operating digital infrastructure in India. Kapture CX’s compliance framework ensures prompt incident detection, timely reporting, and effective mitigation of cybersecurity threats, thereby contributing to national cyber resilience and protecting customer data across its technology ecosystem.
Incident Reporting and Response Framework
Kapture CX maintains an Incident Response Plan that aligns with CERT-In’s mandated timelines and procedures. The company ensures that all reportable incidents such as unauthorized access, data breaches, system compromises, and denial-of-service attacks are promptly detected, documented, and escalated.
In compliance with direction (ii) of the CERT-In Directions of 28 April 2022, any qualifying incident is reported to CERT-In within six hours of detection, along with all relevant logs, impact details, and mitigation steps. The Security Operations Center (SOC) continuously monitors events across networks, cloud services, and endpoints using Security Information and Event Management (SIEM) tools for real-time detection and correlation.
System and Log Retention Requirements
In accordance with direction (iv) of the CERT-In Directions 2022, Kapture CX securely retains ICT system logs for a minimum of 180 days within Indian data centers. These logs include authentication attempts, system access, network traffic, application usage, and administrative actions. Logs are protected against tampering and stored in encrypted form with restricted access. This retention enables forensic analysis, regulatory compliance, and verification of incident timelines during investigations.
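The two properties claimed above, that retained logs are tamper-protected and that they reach back at least 180 days, can be checked mechanically rather than asserted. The following Python is an added illustration and not Kapture CX's code: it links each log entry to its predecessor with an HMAC so that editing, deleting or reordering any entry breaks the chain at a detectable position, and it checks that the oldest retained entry is at least 180 days old. The entry layout, field names, chain key, reference time and sample records are all constructed for this example.

```python
"""Hash-chained audit log with a tamper check and a 180-day retention check.

Added example, not Kapture CX's own code. The entry layout, field names,
chain key, reference time and sample records are constructed for illustration.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 180  # minimum log retention period under the CERT-In Directions 2022

# Constructed key for the HMAC chain. In production this key would be held in a
# KMS/HSM and kept away from the hosts that write the log.
CHAIN_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # previous-hash value for the first entry
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def _digest(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over the previous entry's hash and a canonical JSON encoding
    of this record, so the value depends on both content and position."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, prev_hash.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(log: list, record: dict) -> dict:
    """Append a record and link it to the previous entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify(log: list) -> tuple:
    """Walk the chain; return (True, -1) if intact, else (False, index of the
    first entry that no longer fits). Editing, deleting or reordering an entry
    breaks the chain at or after the affected position."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash:
            return False, i
        if not hmac.compare_digest(_digest(prev_hash, entry["record"]), entry["hash"]):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def retention_ok(log: list, now: datetime = NOW, days: int = RETENTION_DAYS) -> bool:
    """True if the oldest retained entry reaches back at least `days` before
    `now`. An empty log, or one whose oldest entry is younger than the window,
    cannot demonstrate the required look-back; a system that has simply not
    existed for 180 days also fails, which is a finding to document, not a pass."""
    if not log:
        return False
    oldest = datetime.fromisoformat(log[0]["record"]["ts"])
    return oldest <= now - timedelta(days=days)


def build_sample_log(now: datetime = NOW, ages_in_days=(200, 100, 1)) -> list:
    """Constructed sample entries spanning the retention window."""
    log = []
    actions = ["auth.login", "admin.role_grant", "data.export"]
    for age, action in zip(ages_in_days, actions):
        append(log, {
            "ts": (now - timedelta(days=age)).isoformat(),
            "actor": "alice@example.test",  # constructed identity
            "action": action,
            "src_ip": "203.0.113.7",       # documentation address range, not a real host
        })
    return log


def tamper(log: list, index: int = 1) -> list:
    """Return a copy of the log in which one record was edited after the fact."""
    forged = copy.deepcopy(log)
    forged[index]["record"]["actor"] = "mallory@example.test"
    return forged


def delete_entry(log: list, index: int = 1) -> list:
    """Return a copy of the log with one entry silently removed."""
    pruned = copy.deepcopy(log)
    del pruned[index]
    return pruned


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log), "retention:", retention_ok(log))
    print("edited:", verify(tamper(log)))
    print("deleted:", verify(delete_entry(log)))
```

The HMAC key is what turns a plain hash chain into a tamper-evident one: an attacker with write access to the log store but not the key cannot recompute a consistent chain after editing an entry. Anchoring the latest chain hash periodically in a separate system (a SIEM, a write-once store, or a signed timestamp) closes the remaining gap, truncation of the tail, which a chain alone cannot detect.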
Coordination and Lawful Cooperation
Kapture CX cooperates fully with CERT-In, law enforcement agencies, and relevant government authorities in the event of a cybersecurity incident. Designated compliance points of contact (POCs) within the Information Security team are authorized to coordinate directly with CERT-In for information sharing, technical assistance, and incident remediation. All communications and responses follow a documented protocol to ensure traceability, confidentiality, and adherence to regulatory guidelines.
Vulnerability and Threat Management
As part of its proactive compliance posture, Kapture CX regularly monitors CERT-In vulnerability advisories, security bulletins, and threat intelligence alerts. These advisories are integrated into the company’s Vulnerability Management Program, ensuring that relevant patches and countermeasures are deployed in a timely manner. The Information Security team validates compliance through regular audits and maintains records of implementation to demonstrate adherence to CERT-In recommendations.
Vendor and Third Party Compliance
Third party vendors, cloud service providers, and managed security partners working with Kapture CX are contractually required to adhere to CERT-In directions and Indian cybersecurity laws. Vendor compliance is verified through periodic assessments and contractual review. The company ensures that all subprocessors maintain adequate incident reporting mechanisms and log retention practices consistent with regulatory expectations.
Awareness and Training
Kapture CX’s employees, especially those in technical, operations, and incident response roles, undergo CERT-In awareness and cybersecurity training. These programs educate personnel on incident classification criteria, reporting obligations, phishing response, and malware containment procedures. The training ensures readiness and uniformity in handling cybersecurity incidents across teams.
Governance and Continuous Improvement
CERT-In compliance is overseen by the Chief Information Security Officer (CISO) and the Information Security team. Regular internal audits assess the effectiveness of incident management controls, reporting timelines, and documentation standards. Lessons learned from incidents and government advisories are integrated into the company’s security and compliance roadmap for continual improvement.
Through adherence to CERT-In Directions 2022, Kapture CX ensures transparency, accountability, and readiness in managing cybersecurity incidents. The organization’s structured monitoring, reporting, and governance practices uphold regulatory compliance, strengthen digital resilience, and reinforce trust among regulators, clients, and stakeholders in India’s cybersecurity ecosystem.
RBI
Master Direction on Outsourcing of IT Services, 2023
Kapture CX aligns its operations with the RBI’s Master Direction on Outsourcing of IT Services. In compliance with these directions, we ensure that:
- Due Diligence: Comprehensive due diligence is conducted on all service providers, subprocessors, and partners prior to engagement, assessing technical capability, financial soundness, data handling practices, and regulatory compliance posture.
- Written Contractual Obligations: All arrangements are governed by formally executed contracts specifying scope, service levels, confidentiality, security obligations, audit rights, incident reporting, and data protection clauses.
- Incident Reporting: Any cybersecurity incident, breach, or material service disruption impacting customer data or regulated functions is promptly reported to clients, and, where applicable, to relevant authorities in accordance with the RBI’s incident reporting timelines.
- Data Localisation: Customer data pertaining to regulated financial institutions is stored and processed only within India, ensuring full compliance with the RBI’s data localisation and cross-border transfer restrictions.
Cyber Security Framework for Banks (2016)
Kapture CX adheres to the principles of the RBI’s Cyber Security Framework to ensure strong security governance across all systems supporting banking clients. We comply with the following key requirements:
- Reasonable Security Practices: We maintain layered security controls aligned with ISO 27001, including access management, vulnerability remediation, encryption, logging, and endpoint protection.
- Cyber Resilience and BCP: A tested Business Continuity and Disaster Recovery (BCP/DR) framework is in place to ensure uninterrupted operations and rapid recovery in case of system failure or incident.
- Periodic Security Audit: Regular internal and independent third party audits are conducted to validate compliance with RBI’s cybersecurity controls and to ensure timely remediation of identified gaps.
- Board-Level Oversight: Information Security is managed under a documented ISMS framework, supported by management accountability and periodic compliance reviews.
IRDAI
IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017
For insurance sector clients, Kapture CX ensures compliance with the IRDAI’s outsourcing framework, maintaining transparency, security, and accountability throughout all processing activities. In adherence to these regulations:
- Due Diligence: Rigorous evaluation is conducted before onboarding or renewing any third party to ensure compliance with confidentiality, integrity, and availability obligations.
- Encryption & Confidentiality: All customer and policyholder data is encrypted using enterprise-grade standards, AES-256 for data at rest and TLS 1.2 for data in transit, maintaining confidentiality and preventing unauthorized access during storage and transmission.
- Data Localisation: Insurance data is retained and processed within India as required by the IRDAI regulations.
- Contractual Clauses: At Kapture the agreement defines data ownership, security obligations, right to audit, subcontracting restrictions, and clear accountability for breaches or non-compliance.
Information and Cybersecurity Guidelines, 2023
At Kapture CX, we maintain rigorous information and cyber security practices aligned with the Insurance Regulatory and Development Authority of India (IRDAI) Information and Cyber Security Guidelines, 2023. Our governance framework ensures that all data entrusted to us particularly when serving insurance sector clients is protected through robust technical, organizational, and procedural safeguards, ensuring confidentiality, integrity, and availability across all systems and processes.
Governance and Oversight
Kapture CX's Information Security Management System is overseen by a designated Chief Information Security Officer (CISO) and governed by an internal Information Security Committee. This committee includes senior leadership from Legal, Risk, IT, HR, and Compliance to ensure that all cyber risk management, policy updates, and audit findings are reviewed at the highest level. Policies are reviewed annually, or upon any regulatory or technological change, to maintain full alignment with IRDAI's requirements for continual oversight and board accountability.
Risk Management and Technology Controls
We conduct periodic Technology Risk Assessments (TRA) and information security risk reviews before onboarding new systems, vendors, or processes. These evaluations identify potential threats, assess impact, and determine the controls needed to mitigate identified risks, fully consistent with IRDAI's prescribed framework for proactive and continuous cyber risk management. Our infrastructure and applications undergo regular Vulnerability Assessment and Penetration Testing (VAPT) to validate the effectiveness of implemented controls and maintain a resilient security posture.
Data Governance and Protection
All information assets, including customer and policyholder data, are classified in accordance with IRDAI's standards. This information is encrypted at rest and in transit using industry-standard cryptographic controls, and access to it is restricted on a need-to-know basis. Data retention, transfer, and destruction are governed by strict lifecycle controls and are periodically audited for compliance.
Access Control and Human Resource Security
Access privileges across all systems are role based, enforced through multi-factor authentication (MFA) and least privilege principles, ensuring traceability and accountability for all users. Background verification, confidentiality undertakings, and security awareness training are mandated for all employees and contractors, reinforcing IRDAI’s emphasis on a human centric security culture.
Incident Response and Business Continuity
Kapture CX maintains a documented Incident Management and Cyber Resilience Plan, enabling real time detection, investigation, and reporting of security incidents to clients and regulators as required under IRDAI and CERT-In directions. Business Continuity and Disaster Recovery (BCP/DR) mechanisms are tested regularly to ensure uninterrupted service delivery and swift recovery in the event of a cyber disruption.
Third Party and Cloud Security
All vendors and cloud service providers undergo due diligence and security assessments consistent with IRDAI’s third party management requirements. Contracts incorporate obligations on confidentiality, encryption, incident reporting, and data localization in India. Cloud environments are secured through continuous monitoring, audit logging, and encryption under ISO 27001 and IRDAI aligned controls.
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”)
Kapture CX complies with the obligations set out under the SPDI Rules, including Rule 8 (reasonable security practices and procedures), ensuring appropriate organizational and technical safeguards for personal and sensitive personal data. We ensure the following:
- Reasonable Security Practices: Our Information Security Management System is designed in accordance with ISO 27001:2022, establishing clear controls for access management, encryption, retention, and deletion.
- Data Protection Procedures: Personal data is processed only for lawful and authorized purposes, with clear consent and accountability mechanisms in place.
- Incident Response: At Kapture, any unauthorized access, disclosure, alteration, or loss of personal data triggers an immediate investigation and notification in accordance with the company’s breach management procedure.
- Training and Awareness: We also train our employees periodically on SPDI compliance obligations, confidentiality, and secure handling of sensitive personal data.
Cybersecurity and Cyber Resilience Framework (CSCRF) – SEBI
At Kapture CX, we uphold the highest standards of cybersecurity and regulatory governance as prescribed by the Securities and Exchange Board of India (SEBI) under its Cybersecurity and Cyber Resilience Framework (CSCRF 2024). Our security program aligns with the five foundational resiliency goals defined in the framework (Anticipate, Withstand, Contain, Recover, and Evolve), ensuring that our systems remain secure, resilient, and compliant across all stages of operation.
Governance and Risk Management
Kapture CX maintains a Board-approved Cybersecurity and Cyber Resilience Policy that clearly defines organizational responsibilities, risk ownership, and escalation mechanisms. We have implemented a Cyber Risk Management Framework consistent with SEBI's requirements for Regulated Entities, addressing identification, assessment, evaluation, prioritization, and continuous monitoring of cyber risks. Our governance approach ensures end-to-end accountability for data integrity, confidentiality, availability, and compliance with Indian and international regulations.
Compliance with International Standards
The CSCRF references globally recognized standards such as ISO 27001 and NIST SP 800-53. Kapture CX's Information Security Management System is built around these standards, enforcing a structured approach to security controls, access management, incident response, and data protection. Periodic audits are conducted by CERT-In empanelled auditors to verify our compliance and the effectiveness of controls, and Vulnerability Assessment and Penetration Testing (VAPT) is performed to ensure robust protection of critical systems and infrastructure.
Data Security and Localization
In alignment with SEBI’s requirements for data classification and localization, Kapture CX ensures that Regulatory Data and customer information are stored and processed within the legal boundaries of India. We implement Full-Disk and File-Based Encryption, network segmentation, and access controls based on the Principle of Least Privilege. Comprehensive logging, monitoring, and data retention measures protect sensitive information and meet obligations under SPDI Rules and the Information Technology Act, 2000.
Security Operations and Monitoring
Kapture CX operates a dedicated Security Operations Center (SOC) for real-time monitoring of security events and threat detections as mandated under the CSCRF. Our SOC uses threat intelligence, automated alerting, and incident correlation to ensure rapid response to cyber events. Functional efficacy assessments and red-team exercises are carried out periodically to test the resilience of our defenses and to reduce our mean time to detect (MTTD) and mean time to respond (MTTR).
Incident Response and Business Continuity
Our Incident Response Plan ensures timely containment and recovery from cybersecurity events. We conduct Root Cause Analysis and forensic investigations to prevent recurrence and continuously enhance our processes. Disaster Recovery and Business Continuity plans are regularly tested to guarantee minimal service disruption and rapid system restoration.
Third Party Security
Recognizing the importance of vendor security, Kapture CX follows strict Cybersecurity Third Party Risk Management standards to evaluate and monitor third party service providers. Our contracts mandate security requirements consistent with SEBI and CERT-In guidelines, ensuring end-to-end protection of customer data throughout the ecosystem.
Continuous Improvement and Evolving Controls
True to SEBI's "Evolve" principle, Kapture CX adopts an adaptive security strategy that integrates lessons from threat intelligence and audits into its operations. We continuously enhance our controls to counter emerging risks, including API vulnerabilities and AI-driven attacks, ensuring that our security practices stay future-ready and aligned with national and global best practices.