Data Security, Data Breach and Retention Policy
| Item | Detail |
|---|---|
| Platform Name | Gulf Return |
| Policy Owner | Data Protection Officer, Gulf Return |
| Approved By | Board of Directors / Management Committee |
| Applicable Laws | Digital Personal Data Protection Act, 2023; Digital Personal Data Protection Rules, 2025; Information Technology Act, 2000; IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011; CERT-In Directions dated 28th April 2022; IT (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013; IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 |
1. INTRODUCTION AND PURPOSE
1.1 Background
Gulf Return, managed by Sheruh (hereinafter referred to as the "Company" or "Platform"), operates a job and social networking platform that facilitates professional connections, employment opportunities, and career development for users across India and worldwide. The Company recognises its responsibility as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and is committed to protecting the privacy and security of all personal data entrusted to it.
1.2 Purpose of this Policy
The purpose of this Data Security, Data Breach, and Retention Policy is to:
- Establish comprehensive security measures for protecting personal data in accordance with the DPDP Act, 2023 and DPDP Rules, 2025.
- Define procedures for identifying, reporting, and responding to personal data breaches within the statutory timelines.
- Set out data retention periods and erasure protocols compliant with legal requirements.
- Ensure compliance with the Information Technology Act, 2000 and associated rules.
- Meet the reporting requirements under CERT-In Directions dated 28th April 2022.
- Provide clear guidance to all employees, contractors, and third-party service providers.
**Consent Managers:** The Platform is fully interoperable with Consent Managers registered under the DPDP Act. Users may give, manage, or withdraw consent using any such Consent Manager, and the Company will honour such requests in accordance with law.
1.3 Guiding Principles
This Policy is founded upon the seven core principles enshrined in the DPDP Act, 2023:
- **Lawfulness and Fairness:** Processing personal data only for lawful purposes in a fair and transparent manner.
- **Purpose Limitation:** Collecting and processing data only for specified, clear, and legitimate purposes.
- **Data Minimisation:** Collecting only such personal data as is necessary for the specified purpose.
- **Accuracy:** Taking reasonable steps to ensure personal data is accurate, complete, and up to date.
- **Storage Limitation:** Retaining personal data only for as long as necessary for the specified purpose.
- **Security Safeguards:** Implementing reasonable security practices to protect personal data from breaches.
- **Accountability:** Taking responsibility for compliance and demonstrating such compliance when required.
2. SCOPE AND APPLICABILITY
2.1 Territorial Scope
This Policy applies to:
- All processing of digital personal data within the territory of India, whether collected online or offline and subsequently digitised.
- Processing of digital personal data outside India where such processing is in connection with offering goods or services to Data Principals within India.
- All operations of the Company's platform accessible to users in India.
2.2 Personal Scope
This Policy is binding upon:
- All employees of the Company, whether permanent, contractual, or temporary.
- Directors, officers, and management personnel.
- Third-party vendors, service providers, and Data Processors engaged by the Company.
- Consultants and advisors with access to personal data.
- Any other person acting on behalf of or under the authority of the Company.
2.3 Categories of Data Covered
This Policy covers all categories of personal data processed by the Platform, including but not limited to:
- Identity information (name, photograph, date of birth, gender)
- Contact information (email address, phone number, postal address)
- Professional information (education, work experience, skills, certifications)
- Account credentials (username, encrypted passwords)
- Financial information (bank account details for payroll services, UPI identifiers)
- Technical data (IP addresses, device information, browser type, cookies)
- Behavioural data (platform usage patterns, job search history, connection requests)
- Communication data (messages, posts, comments, endorsements)
3. DEFINITIONS
Unless the context otherwise requires, the following terms shall have the meanings assigned to them below. Terms not defined herein shall carry the meanings ascribed under the DPDP Act, 2023 and the Information Technology Act, 2000.
- **Personal Data:** Means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act, 2023.
- **Data Principal:** Means the individual to whom the personal data relates. In the context of this Platform, Data Principals include job seekers, employers, recruiters, and any other registered users.
- **Data Fiduciary:** Means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. The Company is a Data Fiduciary with respect to the personal data collected through the Platform.
- **Data Processor:** Means any person who processes personal data on behalf of a Data Fiduciary. This includes third-party service providers engaged by the Company.
- **Personal Data Breach:** Means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data that compromises the confidentiality, integrity, or availability of personal data, as defined under Section 2(u) of the DPDP Act, 2023.
- **Significant Data Fiduciary:** Means a Data Fiduciary or class of Data Fiduciaries notified by the Central Government based on factors including the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty and integrity of India.
- **CERT-In:** Means the Indian Computer Emergency Response Team established under Section 70B of the Information Technology Act, 2000.
- **Data Protection Board:** Means the Data Protection Board of India established under Section 18 of the DPDP Act, 2023.
**Interpretation:** Terms such as _personal data, Data Principal, Data Fiduciary, consent, processing,_ and _Personal Data Breach_ shall have the meanings assigned under the DPDP Act, 2023. Where a term is defined differently in another Platform policy, the definition under the DPDP Act prevails.
4. LEGAL AND REGULATORY FRAMEWORK
This Policy has been framed in compliance with the following laws, rules, regulations, and directions:
4.1 Primary Legislation
- Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023)
- Digital Personal Data Protection Rules, 2025 (notified on 13th November 2025)
- Information Technology Act, 2000 (as amended in 2008)
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
4.2 Regulatory Directions and Guidelines
- CERT-In Directions dated 28th April 2022 (under Section 70B(6) of the IT Act)
- Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013
- Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
4.3 Standards and Best Practices
- IS/ISO/IEC 27001: Information Security Management Systems
- ISO/IEC 27701: Privacy Information Management Systems
- OWASP Security Guidelines for Web Applications
4.4 Compliance Timeline
The Company shall ensure compliance with the DPDP Rules, 2025 within the phased implementation timeline:
- Immediate effect (November 2025): Data Protection Board establishment and foundational provisions
- 12 months (November 2026): Consent Manager registration requirements
- 18 months (May 2027): Full compliance with notice requirements, security protocols, breach notifications, and Data Principal rights
5. DATA SECURITY POLICY
5.1 Obligation to Implement Security Safeguards
Pursuant to Section 8(5) of the DPDP Act, 2023 and Rule 6 of the DPDP Rules, 2025, the Company shall protect all personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breaches.
5.2 Technical Security Measures
5.2.1 Encryption and Data Masking
- All personal data at rest shall be encrypted using AES-256 encryption or equivalent.
- All personal data in transit shall be protected using TLS or higher encryption protocols.
- Sensitive personal data fields shall be masked in logs and displays.
- Cryptographic keys shall be managed using Key Management Services (KMS) with regular key rotation.
5.2.2 Access Control
- Role-based access control (RBAC) shall be implemented for all systems containing personal data.
- Access to personal data shall be granted on a need-to-know basis following the principle of least privilege.
- Multi-factor authentication (MFA) shall be mandatory for all administrative access.
- User access rights shall be reviewed quarterly and upon role changes or termination.
5.2.3 Logging and Monitoring
- Comprehensive access logs shall be maintained for all personal data processing activities.
- All ICT system logs shall be maintained for a minimum of 180 days within Indian jurisdiction as per CERT-In Directions.
- Processing logs and traffic data shall be retained for a minimum of 1 year for forensic purposes as required under DPDP Rules, 2025.
5.2.4 Data Backup and Business Continuity
- Regular automated backups shall be performed daily, with weekly full backups.
- Backup data shall be encrypted and stored in geographically separated locations.
- Recovery point objective (RPO) shall not exceed 24 hours; recovery time objective (RTO) shall not exceed 4 hours for critical systems.
5.3 Organisational Security Measures
5.3.1 Security Standards
Gulf Return, managed by Sheruh, shall adopt commercially reasonable security measures consistent with industry-accepted standards and practices as may be applicable to organisations of similar size, scope, and nature.
5.3.2 Employee Training
- All employees shall undergo mandatory data protection and security awareness training upon joining.
- Annual refresher training shall be conducted for all personnel handling personal data.
- Training records shall be maintained for audit purposes.
5.3.3 Third-Party and Vendor Management
- All Data Processors shall be bound by written contracts incorporating data protection obligations.
- Vendors shall be required to maintain security measures equivalent to or exceeding those of the Company.
- Right to audit clauses shall be included in all Data Processing agreements.
6. DATA BREACH POLICY
6.1 Definition of Personal Data Breach
A "Personal Data Breach" includes any of the following incidents that compromise the confidentiality, integrity, or availability of personal data:
- Unauthorised access to or acquisition of personal data.
- Unauthorised processing, disclosure, or sharing of personal data.
- Accidental or unlawful destruction, loss, or alteration of personal data.
- Loss of access to personal data due to ransomware, system failure, or other causes.
- Any other action compromising the security of personal data.
6.2 Regulatory Notification Requirements
6.2.1 Notification to Data Protection Board (Under DPDP Act)
Pursuant to Section 8(6) of the DPDP Act, 2023 and Rule 7 of the DPDP Rules, 2025:
- **Immediate Notification (Without Delay):** Upon becoming aware of any personal data breach, immediately notify the Data Protection Board with a description of the breach including its nature, extent, timing, location, and likely impact.
- **Detailed Report (Within 72 Hours):** Submit to the Board an updated description of the breach, facts and circumstances leading to the breach, remedial measures, and confirmation of notifications sent to affected Data Principals.
6.2.2 Notification to CERT-In (Under IT Act)
In compliance with CERT-In Directions dated 28th April 2022:
- All cyber security incidents shall be reported to CERT-In within 6 hours of noticing such an incident.
- Reports shall be submitted via email (incident@cert-in.org.in), phone (1800-11-4949), or through the CERT-In portal.
- Supplemental information shall be provided as the investigation progresses.
6.2.3 Notification to Affected Data Principals
The Company shall notify each affected Data Principal without delay with:
- Clear and plain language description of the breach.
- Categories of personal data affected.
- Likely consequences and measures taken by the Company.
- Steps the Data Principal can take to protect themselves.
- Contact details of the Data Protection Officer.
6.3 Incident Response and Containment
- Isolate affected systems to prevent further unauthorised access.
- Preserve evidence for forensic investigation.
- Conduct thorough forensic analysis to determine root cause.
- Implement patches and fixes to address vulnerabilities.
- Document lessons learned and update incident response procedures.
7. DATA RETENTION POLICY
7.1 General Principles of Data Retention
Pursuant to Section 8(7) of the DPDP Act, 2023 and Rule 8 of the DPDP Rules, 2025:
- Personal data shall be erased when the Data Principal withdraws consent.
- Personal data shall be erased as soon as it is reasonable to assume that the specified purpose is no longer being served.
- Retention beyond the specified purpose is permitted only where required to comply with applicable law.
7.2 Retention Periods for Social Media Platforms (Third Schedule)
The provisions contained herein shall apply to the Company if and when its social networking platform satisfies the jurisdictional threshold of two crore (20 million) registered users in India, as determined in accordance with applicable regulations.
7.2.1 Three-Year Inactivity Rule
Personal data shall be erased if the Data Principal has not logged into their account, utilised the platform services, or exercised any rights for a continuous period of **three years** from the date of last interaction.
7.2.2 Pre-Erasure Notification
At least **48 hours before** the scheduled erasure, the Company shall notify the Data Principal that their personal data shall be erased unless they log into their account or otherwise initiate contact.
7.3 Minimum Retention Periods
- **User Profile Data (Active):** retained while account is active.
- **Deactivated Accounts:** archived for **12 months** from deactivation, then deleted unless legal requirements apply.
- **Job Applications & Resumes:** retained for **3 years** from date of application unless lawfully required longer or the Data Principal consents to longer retention.
- **Processing Logs & Traffic Data / Logs & Metadata:** retained for **24 months** for security, forensic and compliance purposes.
- **ICT System Logs:** retained for **180 days** within Indian jurisdiction as per CERT-In Directions.
- **Consent Records:** retained for **7 years** from date of consent or withdrawal.
7.4 Secure Erasure Procedures
- Automated deletion workflows shall trigger erasure from primary databases.
- Data shall be removed from all live systems, and from backups within the next backup cycle.
- Deletion events shall be logged and auditable.
- Third-party Data Processors shall be notified to delete corresponding data.
8. RIGHTS OF DATA PRINCIPALS
The Company shall facilitate the exercise of the following rights by Data Principals under Chapter III of the DPDP Act, 2023:
8.1 Right to Access Information
Data Principals are entitled to obtain:
- A summary of the personal data processed and the processing activities undertaken.
- The identities of all other Data Fiduciaries and Data Processors with whom their personal data has been shared.
8.2 Right to Correction and Erasure
- Request correction of inaccurate or misleading personal data.
- Request completion of incomplete personal data.
- Request erasure of personal data that is no longer necessary for the specified purpose.
8.3 Right of Grievance Redressal
Data Principals have the right to have readily available means of grievance redressal in respect of any act or omission of the Company regarding the discharge of its obligations under the DPDP Act.
8.4 Right to Nominate
Data Principals have the right to nominate any other individual who shall, in the event of death or incapacity, exercise the rights of the Data Principal on their behalf.
9. GRIEVANCE REDRESSAL MECHANISM
9.1 Data Protection Officer
The Company has appointed a Data Protection Officer (DPO) based in India who shall:
- Serve as the point of contact for Data Principals.
- Represent the Company before the Data Protection Board.
- Oversee compliance with the DPDP Act and this Policy.
9.2 Grievance Redressal Timeline
- All grievances shall be acknowledged within 48 hours of receipt.
- Simple requests shall be resolved within 15 days.
- Complex requests shall be resolved within 30 days.
- No grievance shall remain unresolved beyond 90 days.
10. PENALTIES AND CONSEQUENCES
10.1 Regulatory Penalties under DPDP Act
Non-compliance may result in penalties as specified in the Schedule to the Act:
- Failure to take reasonable security safeguards: Up to ₹250 Crores.
- Failure to notify the Board and Data Principals of a breach: Up to ₹200 Crores.
- Non-fulfilment of obligations for children: Up to ₹200 Crores.
- Breach of any other provision: Up to ₹50 Crores.
10.2 Penalties under IT Act
- Imprisonment and/or fines under Section 70B.
- Compensation liability under Section 43A for negligence in implementing reasonable security practices.
11. POLICY REVIEW AND AMENDMENT
11.1 Review Frequency
- At least annually by the Data Protection Officer and CISO.
- Upon any material change in applicable law or regulations.
- Following any significant personal data breach.
- Upon direction from the Data Protection Board.
11.2 Amendment Procedure
- Proposed amendments shall be reviewed by Legal and Compliance team.
- Material amendments shall be approved by the Board of Directors.
- Version history shall be maintained.
ANNEXURES
ANNEXURE A: DATA BREACH INCIDENT REPORT FORM
**SECTION A: INCIDENT IDENTIFICATION**
- Incident Reference Number
- Date & Time of Detection
- Estimated Date & Time of Breach
- Location of Occurrence
- Reported By

**SECTION B: BREACH DESCRIPTION**
- Nature of Breach: ☐ Unauthorised Access ☐ Data Loss ☐ Ransomware ☐ Other
- Categories of Data Affected
- Approx. Number of Data Principals
- Likely Impact Assessment
ANNEXURE B: DATA RETENTION SCHEDULE
**Data Retention Schedule**

| Data Category | Retention Period | Legal Basis | Remarks |
|---|---|---|---|
| User Profile Data (Active) | Duration of account + 3 years inactivity | DPDP Rules Third Schedule | 48-hour pre-erasure notice |
| Consent Records | 7 years | DPDP Rules, 2025 | Consent Manager |
| Processing Logs & Traffic Data | Minimum 1 year | DPDP Rules, Rule 8 | Forensic purposes |
| ICT System Logs | 180 days (in India) | CERT-In Directions | Within Indian jurisdiction |
| Financial Transaction Records | 8 years | Income Tax, Companies Act | Tax compliance |
| Job Applications & Resumes | 2 years from application | Purpose limitation | Unless consent for longer |
| Communication Data | Duration + 3 years | DPDP Rules | Social media provision |
| Breach Records | 7 years | Best Practice / Audit | Compliance records |
ANNEXURE C: CONTACT DETAILS
**Data Protection Officer**
- **Name:** Mohd Raavi
- **Designation:** Data Protection Officer
- **Email:** Support@gulfreturn.com
- **Phone:** [-]
- **Address:** [-]

**Chief Information Security Officer**
- **Name:** Sajid A
- **Designation:** Chief Information Security Officer
- **Email:** [.]

**CERT-In (Indian Computer Emergency Response Team)**
- **Email:** incident@cert-in.org.in
- **Phone:** 1800-11-4949 (Toll Free)
- **Fax:** 1800-11-6969
- **Website:** https://www.cert-in.org.in