COOKIESSPACE - SECURITY POLICY

Version: 2025.1
Issued By: CookiesSpace Private Limited
Effective Date: 01/01/26
Approved By: Chief Information Security Officer (CISO)

1. PURPOSE

This Security Policy establishes the technical, operational, and organizational security controls implemented by CookiesSpace Pvt Ltd (“CookiesSpace”) to ensure the confidentiality, integrity, and availability of data processed or stored within our cloud infrastructure and platform services.

2. SCOPE

This policy applies to:

  • All CookiesSpace IaaS and PaaS environments
  • All internal corporate systems
  • All employees, contractors, partners, and sub-processors
  • All customer data and personal data
  • All physical and logical infrastructure (India & global regions)

3. SECURITY OBJECTIVES

CookiesSpace maintains a security framework that ensures:

  1. Confidentiality – Data is accessible only to authorized users.
  2. Integrity – Data remains accurate, complete, and untampered.
  3. Availability – Systems and data are available as per SLAs.
  4. Compliance – Meets Indian and international regulatory standards.
  5. Resilience – Ability to withstand cyber security threats and failures.

4. GOVERNANCE & RESPONSIBILITIES

4.1 Executive Oversight

Security is overseen by:

  • Chief Information Security Officer (CISO)
  • Security Operations Center (SOC Team)
  • Data Protection Officer (DPO)
  • Incident Response Team (IRT)
  • Compliance & Audit Teams (external, reputable partners under strict NDA)

4.2 Employee Responsibilities

All employees must:

  • Complete annual security training
  • Use company-authorized systems only
  • Follow access control policies
  • Immediately report suspicious activity
  • Sign confidentiality and acceptable use agreements

5. RISK MANAGEMENT

CookiesSpace operates a formal Risk Management Program with:

  • Annual risk assessments
  • Threat modelling
  • Vulnerability scanning
  • Penetration testing (performed by reputable independent cyber security specialists)
  • Supply-chain and security vendor risk assessments
  • Regular review of emerging threats

6. ACCESS CONTROL

6.1 Identity & Authentication

  • Mandatory MFA for all admin and console access
  • Strict password policies with rotation
  • Role-Based Access Control (RBAC)
  • Least Privilege enforcement
  • Just-In-Time (JIT) privileged access where applicable

6.2 User Access Reviews

  • Quarterly access audits
  • Immediate revocation upon employee exit
  • Segregation of duties enforced

7. DATA SECURITY

7.1 Encryption

  • Encryption at Rest: AES-256 or industry equivalent
  • Encryption in Transit: TLS 1.2+
  • Encryption Keys: Managed by secure KMS (Key Management Service)

7.2 Data Classification

Data categorized as:

  • Public
  • Internal
  • Confidential
  • Restricted (personal and sensitive personal data)

7.3 Data Minimization

Personal data is collected and stored only as necessary.

7.4 Data Retention & Disposal

  • Follows the CookiesSpace Data Retention Policy, in line with CERT-In and DPDP standards
  • Secure destruction in line with DPDP standards, with additional practices adapted from NIST SP 800-8

8. NETWORK SECURITY

8.1 Infrastructure Controls

  • Firewalls and network segmentation
  • Zero-trust network architecture
  • DDoS mitigation systems
  • WAF (Web Application Firewall) for public endpoints
  • Secure API gateways

8.2 Monitoring & Logging

  • Centralized SIEM for log ingestion
  • Real-time threat detection
  • 24×7 SOC operations
  • Logs retained for a minimum of 180 days (CERT-In requirement)

9. APPLICATION SECURITY

9.1 Secure Development Lifecycle (SDLC)

  • OWASP Top 10 compliance
  • Static and dynamic code analysis
  • Secure code reviews
  • Dependency vulnerability scanning

9.2 API Security

  • Token-based authentication (JWT/OAuth2)
  • Rate limiting & throttling
  • Input validation and sanitization

10. INFRASTRUCTURE SECURITY

10.1 Virtualization & Compute Security

  • Hypervisor-level hardening
  • Tenant isolation
  • VM introspection monitoring

10.2 Container Security (if applicable)

  • Image scanning
  • Runtime security policies
  • Container orchestration RBAC

10.3 Storage Security

  • Immutable backups for critical systems
  • Redundant replication
  • Prevention of public bucket exposure

11. PHYSICAL SECURITY

CookiesSpace infrastructure is hosted in a Tier III data center with:

  • 24/7 security personnel
  • Multi-factor physical access
  • CCTV surveillance (90–180 days of retention)
  • Biometric access controls
  • Power redundancy & cooling systems
  • Fire suppression systems

Only authorized personnel are granted entry on a need-to-access basis.

12. INCIDENT RESPONSE & BREACH HANDLING

CookiesSpace maintains a formal Incident Response Plan (IRP) including:

  • 24/7 breach detection
  • Containment and eradication measures
  • Forensic investigation
  • Mandatory reporting to CERT-In within 6 hours
  • Notification to Customers and Data Protection Board (DPB)
  • Post-incident reviews and corrective action

13. VULNERABILITY MANAGEMENT

13.1 Regular Activities

  • Weekly automated vulnerability scans
  • Monthly patch cycles
  • Urgent fixes for critical CVEs (within 48 hours)
  • Penetration tests twice annually

13.2 Responsible Disclosure Program

Security researchers may report vulnerabilities to:

14. BUSINESS CONTINUITY & DISASTER RECOVERY

  • Multi-region failover capabilities
  • Regular DR drills
  • Redundant networking & power
  • Automated backups and tested restore processes
  • RTO and RPO targets defined per service tier

15. SUB-PROCESSOR SECURITY

CookiesSpace ensures:

  • Formal vendor security assessments
  • DPDP-compliant contracts
  • Data localization or lawful cross-border safeguards
  • Equivalent or stricter security controls at all sub-processors

A Sub-Processor List is maintained and published as required.

16. COMPLIANCE

CookiesSpace complies with:

  • Digital Personal Data Protection Act (DPDP Act)
  • CERT-In Directions
  • IT Act 2000
  • Consumer Protection Act 2019
  • Contract Act 1872
  • Security frameworks: SOC 2 (industry-aligned)

17. SECURITY TRAINING & AWARENESS

  • Mandatory annual cyber security training
  • Advanced training for privileged roles
  • Phishing simulation campaigns
  • Incident-response tabletop exercises

18. POLICY REVIEW & VERSION CONTROL

This Security Policy is reviewed:

  • Annually
  • After major regulatory changes
  • After any significant security incident
  • Upon major operational or architectural change