LEGAL & COMPLIANCE POLICY
(Doc. No: ISMS-PL-LCP)
Copyright Notice:
The present document or drawing is the property of Purplecop Security and shall not, under any circumstances, be totally or partially, directly or indirectly, transferred, reproduced, copied, disclosed or used without its prior written consent, for any purpose or in any way other than that for which it is specifically furnished, or outside the extent of the agreed right of use.
Revision History
Rev | Date (DD/MM/YYYY) | WRITTEN BY | CHECKED BY | APPROVED BY | STATUS |
---|---|---|---|---|---|
0.1 | 25/08/2025 | Mohd Amanullah | Syed Shahroz Ali | Tausif Ahmed | Draft Release |
1.1 | 25/08/2025 | Mohd Amanullah | Syed Shahroz Ali | Tausif Ahmed | Reviewed |
DOCUMENT REVISIONS
Sections changed in last revision are identified by a vertical line in the right margin
1. Introduction
1.1. Intent
A Legal & Compliance Policy is an essential prerequisite to sound Information Security Management. The purpose of this policy is to state clearly that Purplecop (henceforth referred to as the organization) intends to fully comply with the legal, regulatory and contractual requirements applicable to its activities.
1.2. Scope
This policy applies to all individuals who access, use or control organization-owned resources. This includes, but is not limited to, the organization's employees, contractors, consultants and other workers, including all personnel affiliated with external organizations who have access to the organization's network.
The term employee(s) and its synonyms (staff, personnel, etc.) hereafter encompass the scope defined in the paragraph above.
2. Policy
2.1. Compliance with Legal and Contractual Requirements
2.1.1. Identification of Applicable Legislation and Contractual Requirements
- Information Technology Act, 2000: This act provides the legal framework for electronic commerce, electronic records and signatures, cybercrime, cybersecurity and data protection in India.
Amendment in 2008 (Information Technology (Amendment) Act, 2008): A major revision that strengthened the cybercrime and cybersecurity provisions and extended legal recognition from digital signatures to electronic signatures generally. Key changes include:
- Introduction of Sections 66A to 66F, covering offensive messages sent through communication services (66A), dishonestly receiving a stolen computer resource (66B), identity theft (66C), cheating by personation using a computer resource (66D), violation of privacy (66E) and cyber terrorism (66F).
- Renaming of the Cyber Regulations Appellate Tribunal as the Cyber Appellate Tribunal (CyAT), the body hearing appeals against adjudicating officers' decisions.
- A broadened definition of "intermediary" and a revised Section 79 safe harbour, under which intermediaries are not liable for third-party content provided they observe due diligence and act on takedown notices.
- Introduction of Section 43A, which requires bodies corporate handling sensitive personal data to implement reasonable security practices, and of Section 70B, which gives CERT-In its statutory mandate as the national incident response agency.
- Revised penalties for cyber offences.
Subsequent developments affecting how the Act is applied:
- Section 66A was struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India (2015) on free-speech grounds; it shall not be relied upon or cited in organizational procedures.
- Intermediary due diligence requirements under Section 79 are prescribed by the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which superseded the 2011 Intermediary Guidelines Rules.
- The Cyber Appellate Tribunal was merged into the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) in 2017.
- POSH Act, 2013 (Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013): This act provides protection against sexual harassment of women at the workplace and for the prevention and redressal of complaints of sexual harassment and matters connected therewith or incidental thereto.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: These rules, made under Section 43A of the IT Act, prescribe the security practices and consent, disclosure and transfer requirements for sensitive personal data or information.
- Indian Computer Emergency Response Team (CERT-In) guidelines and directions: Guidance and requirements issued by CERT-In shall be considered when enhancing the organization's cybersecurity posture. This includes the directions issued under Section 70B(6) of the IT Act in April 2022, which require reporting of specified categories of cyber incidents to CERT-In within six hours of notice and retention of ICT system logs for 180 days within India. Incident reporting and the responsible vulnerability disclosure programme are described at:
https://www.cert-in.org.in/SecurityIncident.jsp
https://www.cert-in.org.in/RVDCP.jsp
- Digital Personal Data Protection Act, 2023 (DPDP Act): This act, which replaced the withdrawn Personal Data Protection Bill, 2019, regulates the processing of digital personal data and imposes obligations on data fiduciaries and data processors. Its provisions take effect as notified by the central government, and the organization shall track the notification of the Act and its rules.
- General Data Protection Regulation (GDPR): Although an EU regulation, GDPR may apply to Indian companies that process the personal data of individuals in the EU, for example when offering goods or services to them or monitoring their behaviour.
- Customer Contracts: Review contracts with customers to identify any specific data security or privacy obligations, including data processing agreements.
- Third-Party Contracts: Assess agreements with vendors, suppliers, and service providers to ensure compliance with information security and data protection requirements.
2.1.2. Intellectual Property Rights
- All the copyrighted information of the organization shall be used only for business purposes.
- Strict action shall be taken against those who misuse the organization's copyrighted material, as per the Disciplinary Process defined by the Human Resource Department.
- Licensing and copyright requirements for all information assets, including proprietary software and application systems (which typically limit use of the application to specified machines or restrict the creation of backup copies), shall be adhered to. The following controls shall be enforced:
- Awareness shall be maintained among the staff for using only legal copies of software.
- Breach of ISMS policies may lead to disciplinary action.
- Usage of licenses shall be monitored and controls shall be implemented to ensure usage is as per license agreement/s.
- Regular checks shall be carried out to ensure that only authorized software and licensed products are installed.
2.1.3. Protection of Records
- Organizational records shall be classified, stored, protected, and destroyed (after the retention period) in accordance with asset classification and requirements of the applicable laws and regulations.
- Records shall also be protected from loss, destruction, falsification, unauthorized access and unauthorized release.
2.1.4. Privacy and Protection of Personally Identifiable Information
The organization shall implement controls for collecting, processing and disseminating employee personal information. Data protection and privacy measures shall ensure compliance with all relevant legislation and regulations and, where applicable, contractual clauses.
2.2. Information Security Reviews
2.2.1. Independent Review of Information Security
The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals and whenever significant changes occur.
2.2.2. Compliance with Security Policies and Standards
Managers/ Department Heads/ Business Unit Heads/ authorized designate/ Information Security Committee shall regularly review the compliance of information processing and procedures within their area of responsibility against the appropriate security policies, standards and any other security requirements.
2.2.3. Technical Compliance Review
- Technical compliance checks shall be carried out regularly, including examination of operational systems to confirm that hardware and software controls have been correctly implemented.
- Information systems shall be reviewed regularly for compliance with the ISMS Information Security Policies.
- The organization's Chief Information Security Officer (CISO), together with the Information Security Committee, shall develop and execute the technical compliance review programme and shall define the scope and frequency of each review.
3. Compliance
All members of staff and users of the organization owned resources must comply with this policy/ procedure. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, in keeping with HR Code of Conduct Policy.
The following processes are used to enforce compliance with this policy/ procedure and its supporting standards:
- Monitoring: The company employs appropriate technology solutions to monitor policy/ procedure compliance.
- Self-Assessment: Managers and Department Heads are required to conduct self-assessment within their areas of control to verify compliance to this policy/ procedure.
- Security Audits: Internal Audit may assess the implementation of and compliance with this policy/ procedure as part of its audit program.
3.1. Special Circumstances and Exceptions
All exceptions to this policy/ procedure will require a waiver explicitly approved by the organization’s Chief Information Security Officer (CISO).