At MORSEL Research and Development Pvt Ltd (“we,” “our,” or “us”), safeguarding our clients’ and participants’ data is paramount. We are committed to protecting all data collected, stored, and processed from unauthorized access, disclosure, alteration, and destruction. This policy sets out our approach to maintaining confidentiality, integrity, and availability of data through robust security practices.

1. Scope

This policy applies to all employees, contractors, and third-party service providers who handle data on behalf of MORSEL Research and Development Pvt Ltd. It covers all data collected, stored, processed, or transmitted by the company – whether in electronic or physical form – and applies across all operational platforms.

2. Data Collection and Storage

Data Collection:
Our data collection is conducted using industry-leading, secure platforms including SurveyCTO, KoBoToolbox, and ODK. These platforms are chosen for their adherence to robust security standards, including end-to-end encryption, secure authentication protocols, and data validation mechanisms. They ensure that data is captured accurately and transmitted securely over encrypted channels.

Data Storage:
For storage and ongoing management, we rely on cloud-based solutions such as Gmail, Google Drive, and Google Sheets. These platforms incorporate advanced security features, including encryption at rest and in transit, multi-factor authentication, and regular security audits. Our configuration follows the latest industry best practices to ensure that data remains confidential and is only accessible to authorized users.

3. Access Control

User Access:
Access to all data is based on the principle of least privilege. Only personnel whose roles require access are granted appropriate permissions. We conduct regular reviews of user access rights to ensure compliance with our access control protocols.

Authentication:
Strong authentication methods, including multi-factor authentication (MFA), are employed to verify user identities before granting access to sensitive data.

Audit Logs:
We maintain comprehensive audit logs to monitor all data access, tracking both successful and failed attempts. These logs are reviewed regularly to detect and respond to any irregular activities.

4. Data Transmission

Encryption:
All data transmitted between our systems and external platforms is encrypted using industry-standard protocols (e.g., SSL/TLS). This protects data from interception or unauthorized access during transfer.

Secure Channels:
Data is transmitted exclusively through secure channels, such as Virtual Private Networks (VPNs) or encrypted email services, ensuring confidentiality is maintained at all times.

5. Data Integrity

Data Validation:
We implement rigorous data validation processes to ensure accuracy and consistency. This includes automated input validation, error checking, and regular verification procedures.

Backups:
Regular backups of critical data are maintained. These backups are stored securely, tested periodically for integrity, and are essential for rapid recovery in the event of data loss or corruption.

6. Data Retention and Disposal

Retention Policy:
Data is retained only for as long as necessary to fulfill its collection purpose or to meet legal and contractual obligations. Once data is no longer required, it is either securely deleted or anonymized.

Disposal:
When disposing of data, we use secure methods that render the information unrecoverable. This includes both the physical destruction of paper records and the secure digital wiping of electronic data.

7. Third-Party Service Providers

Vendor Assessment:
We perform due diligence on all third-party providers, ensuring they adhere to our stringent data security standards. Only vendors that demonstrate compliance with our security practices are engaged.

Data Sharing Agreements:
Data sharing with third parties is governed by detailed data processing agreements (DPAs) that specify the security measures required and ensure ongoing compliance with our data security protocols.

8. Employee Training and Awareness

Security Training:
All employees and contractors undergo regular, comprehensive training on data security best practices. This training covers topics such as phishing awareness, secure password management, and proper data handling procedures.

Confidentiality Agreements:
Personnel with access to sensitive data must sign confidentiality agreements, underscoring their responsibilities in protecting client and participant information.

9. Incident Response

Incident Reporting:
Any suspected data security incidents or breaches must be reported immediately to the designated incident response team. We have a well-defined incident response plan to manage and mitigate risks effectively.

Response and Mitigation:
Upon detection of a breach, immediate actions are taken to contain the incident, assess its impact, and implement measures to prevent recurrence. Affected parties are notified as required by law and our internal policies.

10. Compliance and Monitoring

Regulatory Compliance:
Our practices comply with all relevant data protection regulations, including the General Data Protection Regulation (GDPR) and applicable local laws.

Monitoring:
We continuously monitor our systems for vulnerabilities and security threats through regular audits and assessments, ensuring prompt identification and remediation of potential risks.

11. Policy Review and Updates

Review Process:
This Data Security Policy is reviewed on a regular basis to incorporate changes in technology, regulatory requirements, and emerging threats. Stakeholders are informed of any changes promptly.

Ongoing Updates:
We reserve the right to update this policy as needed to reflect best practices and evolving security standards. The most current version is always made available to all stakeholders.