Security Policy

Last updated: December 1, 2025

At DishaFLEX, we take the security and confidentiality of our clients’ data seriously. This Security Policy describes the technical and organizational measures we apply to protect information processed through our digital PoSH awareness and compliance platform.

1. Scope

This policy applies to the DishaFLEX website, learning platform, and supporting services used to deliver PoSH awareness and compliance training for employees, managers, leaders and Internal Committee members. It covers client organization data, user account information, training records, and related system metadata.

2. Data Protection Principles

We follow a principle-based approach to security and privacy:

  • Confidentiality: Only authorized users and systems can access client data.
  • Integrity: Data is protected against unauthorized modification or deletion.
  • Availability: The platform is designed to be reliable and resilient.
  • Least privilege: Access is granted only where it is required for a role.

3. Infrastructure and Hosting

DishaFLEX is hosted on reputable cloud infrastructure providers that implement strong physical, environmental and network security controls. Production systems are separated logically from development and test environments, and access is restricted to authorized operations personnel.

4. Encryption

  • In transit: All communication between user devices and our platform is protected using HTTPS with modern TLS configurations.
  • At rest: Databases and storage volumes containing client data are encrypted at rest using industry-standard encryption algorithms.

5. Access Control and Authentication

Access to administrative and production systems is restricted based on role and job function. We use strong authentication, unique accounts, and access reviews to ensure that only authorized personnel can administer client environments.

Within the platform, client organizations can configure role-based access for their own users (for example, administrators, HR, managers, IC members and learners) so that each group sees only what it needs to perform its duties.

6. Logging and Monitoring

The platform maintains logs for key system events to support troubleshooting, performance monitoring, and security review. Suspicious activities or repeated failed access attempts may trigger alerts and further investigation.

7. Backups and Business Continuity

Data is backed up regularly to secure storage. We design for resilience and recovery so that services can be restored within a reasonable timeframe in the event of an infrastructure failure or incident, subject to our contractual commitments.

8. Third-Party Service Providers

When we use third-party providers (for example, cloud hosting, email, analytics or communication tools), they are selected based on their security posture and are bound by appropriate contractual and data protection obligations. We do not permit them to use client data for their own independent purposes.

9. Incident Response

If we become aware of a security incident that affects client data, we will investigate, mitigate the impact, and, where required by law or contract, notify affected clients without undue delay, sharing relevant information and recommended next steps.

10. Client Responsibilities

While we provide a secure platform, client organizations are responsible for:

  • Managing access for their own users and administrators.
  • Protecting login credentials and devices used to access the platform.
  • Defining and enforcing internal policies aligned with their legal and regulatory obligations.

11. Changes to This Security Policy

We may update this Security Policy from time to time to reflect changes in our practices, infrastructure or applicable regulations. The most current version will always be available on this page with an updated “Last updated” date.

12. Contact

If you have questions about our security practices, please contact:
Email: connect@dishaflex.com