DATA PROTECTION AND SECURITY POLICY

1. Purpose
This Data Protection and Security Policy (“Policy”) sets out the commitment and approach of C-Quel
Management Services Private Limited (“C-Quel”, “we”, “us”, or “our”) towards the protection, security,
and responsible management of data, including personal data, collected, stored, and processed
through the Website www.cquel.com and in the course of providing our services.
This Policy is framed in accordance with the Information Technology Act, 2000, the Information
Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information) Rules, 2011, the Digital Personal Data Protection Act, 2023, and any other applicable
laws and regulations.


2. Scope
This Policy applies to all personal data and sensitive personal data or information (as defined under
applicable law) collected through the Website, including data provided by visitors, prospective clients,
and existing clients through contact forms, enquiry submissions, or any other interactive feature on
the Website.


3. Principles of Data Protection
C-Quel adheres to the following principles in the handling of personal data:
• Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a
transparent manner;
• Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes
and not further processed in a manner incompatible with those purposes;
• Data Minimisation: Only personal data that is adequate, relevant, and necessary for the
identified purpose is collected;
• Accuracy: Reasonable efforts are made to ensure that personal data is accurate and, where
necessary, kept up to date;
• Storage Limitation: Personal data is retained only for as long as necessary for the purpose
for which it was collected or as required by law;
• Integrity and Confidentiality: Appropriate technical and organisational measures are
implemented to protect personal data against unauthorised access, loss, destruction, or
damage.


4. Technical Security Measures
C-Quel implements the following technical and organisational security measures to protect data:
4.1 Website Security
• SSL/TLS encryption for data transmitted between users and the Website;
• Regular security updates and patches for website infrastructure;
• Hosting on secured servers with access controls and firewalls;
• Protection against common web vulnerabilities including SQL injection, cross-site scripting
(XSS), and cross-site request forgery (CSRF).
4.2 Access Controls
• Role-based access controls ensuring that personal data is accessible only to authorised
personnel on a need-to-know basis;
• Strong password policies and multi-factor authentication for administrative access;
• Regular review and audit of access privileges.
4.3 Data Storage and Backup
• Personal data is stored on secure servers with appropriate encryption;
• Regular data backups are maintained to prevent data loss;
• Data is stored within India unless otherwise permitted under the DPDP Act.


5. Incident Response
In the event of a personal data breach, C-Quel shall:
• Take immediate steps to contain the breach and minimise its impact;
• Conduct an investigation to assess the scope and severity of the breach;
• Notify the Data Protection Board of India and affected Data Principals in accordance with the
timelines and procedures prescribed under the DPDP Act;
• Document the breach and the remedial actions taken;
• Implement corrective measures to prevent recurrence.


6. Third-Party Processors
Where C-Quel engages third-party service providers who process personal data on its behalf (e.g.,
website hosting providers, analytics services), C-Quel ensures that such processors implement
appropriate security measures and are bound by contractual obligations to process data only in
accordance with C-Quel’s instructions and applicable law.


7. Data Retention and Disposal
Personal data collected through the Website is retained only for the period necessary to fulfil the
purpose for which it was collected. Upon expiry of the retention period or upon withdrawal of consent
(where applicable), personal data shall be securely deleted or anonymised using appropriate methods
that prevent recovery or reconstruction of the data.


8. Employee Awareness and Training
C-Quel ensures that all employees and personnel who handle personal data are made aware of their
responsibilities under this Policy and applicable data protection laws. Appropriate training is provided
to ensure compliance with data protection principles and security practices.


9. Compliance and Review
This Policy is subject to periodic review and may be updated from time to time to reflect changes in
applicable law, regulatory requirements, or C-Quel’s data processing practices. C-Quel is committed
to maintaining compliance with all applicable data protection laws, including the DPDP Act and any
rules or regulations notified thereunder.


10. Contact
For any questions, concerns, or requests related to this Policy or C-Quel’s data protection practices,
please contact:
Designated Officer: Riddhiman Sarkar | Chief Legal Officer
Email: rs@cquel.com