MFEcosystem – Securing Your Business & Your Clients

Effective Date: 04-Jun-2025
Last Updated: 14-Jun-2025

MFEcosystem (“we,” “our,” or “us”) is committed to safeguarding all personal, financial, and transactional data shared by our users. This Data Security Policy outlines the protocols and standards we use to ensure the confidentiality, integrity, and availability of data on our platform.

We adhere to leading information security practices aligned with global standards such as ISO 27001, OWASP, and applicable Indian regulations (e.g., IT Act 2000, SEBI/AMFI guidelines).

1. Scope of Policy

This policy applies to:

• All data collected, processed, and stored viawww.mfecosystem.com and our mobile applications.
  
  
• User data from registered Mutual Fund Distributors (MFDs).
  
  
• Client data uploaded or managed by MFDs.
  
  
• Internal staff, contractors, and third-party service providers with access to data.
  
  

2. Data Classification

We classify data into three main categories:

a. Public Data

Information available on our public website, such as blog posts and marketing materials.

b. User Data (Confidential)

Includes MFD details: name, contact, ARN, GST, KYC data, IP logs.

c. Client Data (Highly Confidential)

Includes client names, investment details, portfolios, nominee info, transaction history, and KYC documents.

3. Security Infrastructure

a. Encryption

• Data in Transit: All communications are secured via TLS/SSL 256-bit encryption.
  
  
• Data at Rest: Sensitive data is stored in encrypted formats using AES-256 or equivalent encryption standards.
  
  

b. Authentication & Access Control

• Two-Factor Authentication (2FA) is enabled for user and admin logins.
  
  
• Role-based access controls (RBAC) ensure users see only data relevant to their permissions.
  
  
• Admin and support staff have restricted, logged access to back-end systems.
  
  

c. Server & Hosting Environment

• Hosted on secure cloud infrastructure with ISO 27001 and SOC 2-compliant providers.
  
  
• Real-time threat monitoring, intrusion detection, and firewall protection.
  
  
• Daily backups stored securely and rotated regularly.
  
  

4. Data Handling & Storage

• All client data is stored in encrypted databases within India (to comply with local data residency requirements).
  
  
• File uploads (e.g., KYC documents) are virus-scanned and stored securely.
  
  
• Data exports (e.g., reports) are protected by access authentication and audit logs.
  
  

5. Third-Party Services

We integrate with third parties (e.g., BSE, NSE, RTA, SMS/email services) only after due diligence.

• All vendors sign confidentiality agreements and comply with applicable security standards.
  
  
• Periodic audits and access reviews are performed on external integrations.
  
  

6. Security Best Practices for Users

We strongly recommend that MFDs:

• Use strong, unique passwords.
  
  
• Enable 2FA wherever available.
  
  
• Log out from all sessions when using shared devices.
  
  
• Immediately report any suspicious account activity.
  
  

7. Incident Response Plan

In case of any breach or incident:

• Affected users will be notified within 72 hours of discovery.
  
  
• Investigation is initiated within 24 hours to identify root cause and mitigate further risk.
  
  
• Logs and impact analysis are maintained for internal audit and regulatory review.
  
  

8. Employee Access & Training

• Only authorized employees are granted access to production environments and client data.
  
  
• All employees undergo background checks, NDA signing, and data security training.
  
  
• Access rights are reviewed quarterly and revoked immediately upon termination.
  
  

9. Regulatory Compliance

We comply with:

• The Information Technology Act, 2000 (India)
  
  
• SEBI guidelines for intermediary data protection
  
  
• AMFI standards on data handling for ARN holders
  
  
• Global best practices (ISO/IEC 27001, GDPR principles where applicable)
  
  

10. Policy Review & Updates

• This Data Security Policy is reviewed annually and updated as needed to reflect evolving risks, regulations, and technology.
  
  
• Users will be notified of material changes via email or platform notifications.
  
  

11. Contact for Security Concerns

To report a security vulnerability or raise concerns, please contact:

Security Team – MFEcosystem
Email: security@mfecosystem.com
Phone: +91-86022-79090
Website: www.mfecosystem.com