List of active policies

Name | Type | User consent
IT Security Policy | Site policy | All users
Physical Security Policy | Site policy | All users
Policy for Prevention of Sexual Harassment (POSH) | Site policy | All users
Secure SDLC Policy | Site policy | All users

Summary

This policy establishes information security requirements for all IT systems, networks, and data managed by Acuvate Software Pvt. Ltd. (ITSECU-POL-17 | Version 1.7 | Effective: 25-02-2026)

Full policy

IT Security Policy — Version 1.7 | February 2026

Document ID: ITSECU-POL-17 | ISO 27001:2022 Compliant | Approved By: Jagan Jami (CISO)

5. Purpose

This policy establishes the information security requirements for all IT systems, networks, and data managed by Acuvate Software Pvt. Ltd. It defines the security controls, acceptable use standards, and responsibilities to protect the confidentiality, integrity, and availability of information assets in accordance with ISO/IEC 27001:2022.

6. Scope

This policy applies to all employees (full-time, part-time, contract), third-party vendors, and any individual accessing Acuvate's IT infrastructure, systems, and data across Hyderabad and UK locations.

8. Disciplinary Action

Violation of the standards, policies, and procedures in this document by an employee will result in disciplinary action, including but not limited to warnings, reprimands, and termination of employment. Claims of ignorance, good intentions, or poor judgment will not be accepted as excuses for non-compliance.

9. Information Security Policy

All employees handling sensitive data must:

  • Handle company and customer information per its sensitivity classification; limit personal use of company systems
  • Not use email, internet, or company resources for offensive, threatening, discriminatory, or illegal activities
  • Not disclose personnel information unless authorized
  • Protect sensitive customer information at all times
  • Keep passwords and accounts secure
  • Not install unauthorized software or hardware without explicit management approval
  • Maintain clean desks and lock screens when unattended
  • Report any security concerns or incidents to the IT department immediately

5.4 System and Password Policy

  • Minimum 8 characters with mixed case, digits, and special characters
  • Multi-Factor Authentication (MFA) enforced for all critical systems and cloud services
  • Passwords changed quarterly; previous passwords cannot be repeated
  • Account lockout after 5 unsuccessful attempts for minimum 30 minutes
  • Terminated user IDs deactivated within 24 hours of offboarding
  • No shared, group, or generic accounts for system administration

5.7 Remote Access Policy

Remote access is strictly controlled through VPN with MFA. Remote sessions disconnect after 30 minutes of inactivity. Vendor remote accounts are enabled only during required access periods and disabled immediately after.

13. Incident Management

All security incidents must be reported to the IT team and project hierarchy immediately. Compromised machines are isolated, scanned, patched, and data backed up.

Next Review Date: 25-02-2027 | Owner: IT Department / ISMS Team


Summary

This policy ensures proper physical access security for all premises, work areas, and server rooms at Acuvate. (PHYSICAL-17 | Version 1.7 | Effective: 25-02-2026)

Full policy

Physical Security Policy — Version 1.7 | February 2026

Document ID: PHYSICAL-17 | ISO 27001:2022 Compliant | Approved By: Jagan Jami (CISO)

5. Purpose

To ensure proper physical access security for all premises, work areas, and server rooms at Acuvate Software Pvt. Ltd. through biometric/facial recognition access controls and monitoring systems.

6. Scope

Applies to all employees, contractors, visitors, and vendor personnel accessing Acuvate premises at Hyderabad and UK locations.

7. Access Control Zones

  • IT Team: Access to all areas including biometric devices, server room, and network infrastructure
  • Facility Team: Access to main door IN/OUT and server room
  • All Other Teams: Access to main door IN/OUT only (general work area access)

8. Access Control Mechanisms

  • 24x7 security guard at building entrance
  • Facial recognition / biometric access for operations floor
  • CCTV monitoring at all entrances with 30-day footage retention
  • Visitor escort policy enforced; all visitors sign entry register
  • Server room requires separate biometric authentication

9. Access Lifecycle

  • New employee access provisioned upon HR confirmation
  • Access reviewed periodically; unused access revoked
  • Terminated employee access removed on last working day

10. Responsibilities

IT Department Head maintains biometric systems and this policy. Facility team maintains physical security infrastructure. Reviews conducted twice yearly.

Next Review Date: 25-02-2027 | Owner: IT Department / ISMS Team


Summary

Acuvate is committed to providing a safe, secure, and inclusive work environment free from sexual harassment. This policy is formulated under the POSH Act 2013. (POSH-30 | Version 3.0 | Effective: 25-02-2026)

Full policy

Policy for Prevention of Sexual Harassment (POSH) — Version 3.0 | February 2026

Document ID: POSH-30 | Approved By: Jagan Jami (CISO) | Owner: HR Department

5. Purpose

At Acuvate, we are committed to providing a safe, secure, and inclusive work environment that is free from sexual harassment, intimidation, and exploitation. This policy is formulated in accordance with the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013.

6. Applicability

This policy applies to:

  • All employees (permanent, contract, interns, trainees, third-party staff)
  • Vendors, consultants, and visitors at Acuvate premises
  • Employees working remotely or at client locations
  • Virtual workspaces, travel assignments, company-sponsored events

8. Policy Guidelines

  • Every employee bears a personal responsibility to uphold a respectful and harassment-free environment
  • Unwelcome behaviour, even in the form of jokes, compliments, memes, messages, or body language, may be deemed harassment regardless of intent
  • Power dynamics (manager/reportee or client/vendor relationships) do not absolve inappropriate conduct
  • This policy shall be gender-neutral, but its legal base is in protecting women under the POSH Act

9. Internal Complaints Committee (ICC)

S.No | Name | Designation | Role
1 | Poonam Chug | VP-Business Unit Head | Presiding Officer
2 | Rajani Jilla | Senior Technical Architect | Internal Member
3 | Sirisha Rayavarapu | Assistant Manager-HR | Internal Member
4 | Vyshali Ringu | Senior HR Executive | Internal Member
5 | Kallakuri Sharat Kumar | Lawyer-External | External Member

POSH Complaints Email: poshdesk@acuvate.com | SHe-Box: https://shebox.nic.in

10. Complaint Filing Procedure

  • Complaints must be submitted in writing within 3 months of the last incident to poshdesk@acuvate.com
  • Assistance in writing the complaint shall be provided upon request
  • Anonymous complaints may not be taken up formally unless supported by credible preliminary evidence

12. Disciplinary Actions

If allegations are proven, actions may include: warning, written apology, denial of promotion/increment, transfer, suspension, termination, or legal action as per IPC or IT Act.

16. Confidentiality

Identity of complainant, respondent, witnesses, and all inquiry information must not be disclosed to anyone not involved in the proceedings. Breach of confidentiality will result in disciplinary action.

19. Contact and Escalation

  • POSH Complaints: poshdesk@acuvate.com
  • ICC Presiding Officer: Poonam Chug (VP-Business Unit Head)
  • ISMS Manager: Jithendar Golada
  • SHe-Box Portal: https://shebox.nic.in

Next Review Date: 25-02-2027 | Owner: HR Department


Summary

This policy ensures a secure environment throughout the software development lifecycle and that Information Security requirements are addressed in all phases. (SSDLC-17 | Version 1.7 | Effective: 25-02-2026)

Full policy

Secure SDLC Policy — Version 1.7 | February 2026

Document ID: SSDLC-17 | ISO 27001:2022 Compliant | Approved By: Jagan Jami (CISO)

5. Purpose

The purpose of this policy is to ensure a secure environment throughout the development process and to ensure that Information Security requirements are addressed in all phases of software delivery and project management.

6. Scope

This policy applies to all employees, contractors, and consultants involved in the development of application software for Acuvate and its customers, covering all development activities on Acuvate infrastructure, client infrastructure (VDI/VPN), or cloud-based environments.

7. Roles and Responsibilities

  • Project Manager — Ensure SDLC policy adherence; approve change requests and deployment plans
  • Development Team — Follow secure coding practices; participate in code reviews; complete secure coding training
  • QA/Testing Team — Execute security test cases; validate VAPT remediation; maintain test evidence
  • IT Security / ISMS Manager — Define security requirements; review VAPT reports; approve exceptions
  • CISO — Approve policy exceptions; final authority on security risk acceptance

9. Design and Development

  • Peer review approval is mandatory before any merge to main/release branches
  • Source code shall be stored in approved repositories only (Azure DevOps, GitHub, or client-specified)
  • No developer shall have direct commit access to main/production branches without peer review approval
  • Production data must not be used in test/development environments without masking

10. System Acceptance Testing

  • Application security testing (VAPT) shall be carried out against OWASP Top 10 (2021) before deployment
  • All Critical and High vulnerabilities shall be closed prior to deployment
  • VAPT reports shall be reviewed by the ISMS Manager within 5 working days of receipt

11. AI-Assisted Development Guidelines

  • AI-generated code shall undergo the same peer review and security review as human-written code
  • Developers shall not input client confidential data, production credentials, API keys, or PII into AI tools
  • AI tool usage shall comply with client contractual requirements

12. Secure Coding Training

  • All development team members shall complete secure coding training at least every 6 months
  • Training covers OWASP Top 10 (2021), secure authentication, input validation, encryption, and secure API design
  • New developers/contractors shall complete training within 30 days of onboarding

Next Review Date: 25-02-2027 | Owner: Projects / IT Department