Data Breach Notification Policy

1. Purpose and Scope

This policy describes our approach to detecting, investigating, and notifying stakeholders of personal data incidents that affect the Ostaagar platform.

2. Detection Process

• Continuous security monitoring for suspicious activity and anomalous access patterns.
• Automated alerts for unauthorized access, data transfers, or unusual system behavior.
• Investigation by our security team to confirm whether an incident constitutes a data breach.

3. User Notification Process

In the event of a confirmed data breach, we notify affected users promptly and transparently.

• Initial acknowledgement within 7 business days of confirmation.
• Clear explanation of the incident, affected data, and protective steps.
• Instructions on actions users should take to protect their accounts and information.

4. Internal Response Workflow

• Secure the affected systems and contain the breach.
• Identify the root cause and impacted data sets.
• Engage our internal incident response team to restore security.
• Review controls and implement remediation to prevent future incidents.

5. Regulatory Compliance

We comply with India's DPDP Act 2023 and other applicable laws when notifying authorities, users, and affected parties.

• Maintain incident documentation and audit logs for at least 5 years.
• Notify regulators and affected individuals as required by law.
• Work with external security experts when necessary to validate response actions.

6. Grievance and Reporting

If you have questions or wish to report a suspected breach, contact our Grievance Officer at grievance@ostaagar.com.