Security Policy
Last Updated: 29/05/2026
OJOO SOFTWARE SERVICES PRIVATE LIMITED ("Ojoo", "Company", "we", "our", or "us") is committed to maintaining appropriate technical, organizational, administrative, and operational safeguards designed to protect the confidentiality, integrity, availability, and security of information processed in connection with our products and services.
This Security Policy describes the information security principles, practices, responsibilities, and controls implemented by Ojoo to support the protection of customer information, business information, systems, software products, and related technology environments.
This Security Policy applies to Ojoo's software products, enterprise applications, ERP solutions, workflow automation platforms, low-code and no-code solutions, APIs, integrations, support services, internal systems, personnel, contractors, and other resources involved in the delivery and support of the Services.
The security controls described in this Policy are designed to reduce risk and support secure operations. However, no security program, technology platform, software application, network, hosting environment, or method of electronic transmission can be guaranteed to be completely secure.
For Customer-hosted or on-premise deployments, Customers remain responsible for the security, operation, maintenance, monitoring, backup, disaster recovery, access management, and protection of their own infrastructure and environments. Ojoo's security responsibilities apply only to systems, software, services, and activities within Ojoo's reasonable control.
This Security Policy should be read together with the Terms of Service, Privacy Policy, Data Processing Agreement (DPA), Service Level Agreement (SLA), and other applicable agreements governing the use of the Services.
1. Purpose
The purpose of this Security Policy is to establish the information security principles, objectives, responsibilities, and practices adopted by Ojoo to help protect information assets, software applications, systems, services, and business operations from unauthorized access, disclosure, alteration, destruction, loss, or misuse.
This Policy is intended to support the confidentiality, integrity, availability, and resilience of information processed by Ojoo and to promote a consistent approach to information security across the organization.
The objectives of this Policy include:
- Protecting Customer Data, business information, and technology assets.
- Supporting the secure development, deployment, operation, and maintenance of software products and services.
- Reducing security risks through reasonable technical, organizational, and administrative safeguards.
- Promoting security awareness and responsible use of information systems.
- Supporting business continuity, incident response, and operational resilience.
- Protecting the confidentiality, integrity, and availability of information.
- Supporting compliance with applicable legal, regulatory, contractual, and business requirements.
- Providing a framework for managing information security responsibilities and practices.
This Policy serves as a foundation for Ojoo's information security program and may be supplemented by additional policies, procedures, standards, guidelines, operational practices, contractual requirements, and security controls implemented from time to time.
2. Scope
This Security Policy applies to all information assets, systems, applications, software products, services, personnel, contractors, business processes, and technology environments that are owned, operated, managed, supported, or controlled by Ojoo in connection with the delivery of its products and services.
The scope of this Policy includes:
- Enterprise software applications and platforms developed or provided by Ojoo.
- ERP solutions, workflow automation systems, and low-code and no-code platforms.
- Web applications, mobile applications, APIs, integrations, and related services.
- Customer support, maintenance, implementation, and operational activities.
- Internal business systems, development environments, and technology resources.
- Information processed, stored, transmitted, or managed by Ojoo.
- Employees, contractors, consultants, and authorized personnel acting on behalf of Ojoo.
- Third-party service providers and vendors to the extent applicable to services provided to Ojoo.
2.1 Customer-Hosted Deployments
For Customer-hosted or on-premise deployments, this Policy applies only to software products, support services, maintenance activities, and systems that are within Ojoo's reasonable control.
Customers remain responsible for securing, operating, maintaining, monitoring, backing up, recovering, and protecting their own servers, databases, operating systems, hosting environments, networks, endpoints, infrastructure, and related technology resources.
2.2 Third-Party Services
This Policy may apply to interactions with third-party vendors, service providers, infrastructure providers, and technology partners engaged by Ojoo; however, Ojoo does not control and cannot guarantee the security practices of independent third parties.
2.3 Exclusions
Unless otherwise expressly agreed in writing, this Policy does not apply to:
- Customer-managed infrastructure and hosting environments.
- Third-party systems not controlled by Ojoo.
- Customer-developed modifications, customizations, or integrations not maintained by Ojoo.
- Personal devices, systems, or environments outside Ojoo's control.
- Services, products, or technologies not owned, operated, or supported by Ojoo.
The requirements and controls described in this Policy shall be implemented to the extent reasonably appropriate based on business needs, operational requirements, technical feasibility, contractual obligations, and applicable legal requirements.
3. Information Security Principles
Ojoo is committed to maintaining information security practices designed to protect information assets, systems, applications, services, and business operations from unauthorized access, disclosure, alteration, destruction, loss, misuse, or disruption.
The following principles form the foundation of Ojoo's information security program and guide the implementation of security controls, operational practices, and risk management activities.
3.1 Confidentiality
Ojoo seeks to protect information from unauthorized access, disclosure, or misuse by implementing appropriate access controls, security measures, confidentiality obligations, and operational safeguards.
Access to information should be limited to authorized individuals who require such access for legitimate business, operational, support, security, legal, or compliance purposes.
3.2 Integrity
Ojoo seeks to maintain the accuracy, consistency, reliability, and completeness of information through appropriate controls, operational processes, system safeguards, monitoring activities, and change management practices.
Reasonable measures are implemented to reduce the risk of unauthorized modification, corruption, destruction, or manipulation of information and systems.
3.3 Availability
Ojoo seeks to support the availability and resilience of systems, applications, and services through operational practices, maintenance activities, backup procedures, recovery planning, monitoring, and business continuity measures where appropriate.
Availability objectives may vary depending on the nature of the service, deployment model, operational requirements, and contractual commitments.
3.4 Least Privilege
Access rights should be granted based on business necessity and the principle of least privilege. Users should be provided only the level of access reasonably necessary to perform their authorized duties and responsibilities.
3.5 Defense in Depth
Ojoo seeks to utilize multiple layers of administrative, technical, and operational safeguards to reduce security risks and improve the overall security posture of systems and services.
3.6 Risk-Based Security
Security measures are implemented based on reasonable assessments of business risks, operational requirements, technical feasibility, resource availability, contractual obligations, and applicable legal requirements.
3.7 Secure by Design
Ojoo seeks to incorporate security considerations throughout the planning, development, deployment, maintenance, and operation of its software products and services where reasonably appropriate.
3.8 Accountability
Personnel, contractors, and authorized users are expected to act responsibly and comply with applicable security requirements, policies, procedures, and operational practices relevant to their roles and responsibilities.
3.9 Continuous Improvement
Ojoo seeks to periodically review, evaluate, improve, and update its security practices, controls, procedures, and operational measures to address evolving threats, technological developments, business requirements, and legal obligations.
3.10 Customer Responsibility
For Customer-hosted or on-premise deployments, Customers remain responsible for implementing and maintaining appropriate security controls within their own environments, including servers, databases, operating systems, networks, backup systems, access controls, monitoring systems, endpoint protection, and disaster recovery capabilities.
Ojoo's security responsibilities apply only to systems, software, services, and operational activities within Ojoo's reasonable control.
4. Roles and Responsibilities
Information security is a shared responsibility that requires the participation and cooperation of management, personnel, contractors, service providers, and Customers. Ojoo seeks to assign and maintain appropriate security responsibilities to support the protection of information assets, systems, applications, and services.
4.1 Management Responsibilities
Management is responsible for supporting information security initiatives, promoting security awareness, allocating reasonable resources, establishing security expectations, and overseeing the implementation of appropriate security practices within the organization.
4.2 Personnel Responsibilities
Employees, contractors, consultants, and authorized personnel are responsible for complying with applicable security policies, procedures, operational practices, confidentiality obligations, and acceptable use requirements relevant to their roles.
Personnel are expected to:
- Protect confidential and sensitive information.
- Use systems and resources responsibly.
- Follow security procedures and operational requirements.
- Report suspected security incidents or vulnerabilities.
- Maintain appropriate credential security.
- Comply with applicable legal, contractual, and regulatory obligations.
4.3 System and Application Administrators
Personnel responsible for system administration, application management, support operations, or technical maintenance are expected to implement and maintain appropriate security controls within the scope of their responsibilities.
Such responsibilities may include:
- User access management.
- Configuration management.
- System monitoring and maintenance.
- Security updates and patch management.
- Backup and recovery activities.
- Incident response support.
4.4 Development and Technical Teams
Development, engineering, implementation, and technical teams should consider security requirements during the design, development, testing, deployment, maintenance, and support of software products and services.
Reasonable efforts should be made to identify, address, and remediate security issues, software defects, configuration weaknesses, and operational risks where appropriate.
4.5 Vendor and Third-Party Responsibilities
Third-party service providers, contractors, vendors, and technology partners engaged by Ojoo may be required to comply with applicable contractual, confidentiality, privacy, and security obligations relevant to the services they provide.
4.6 Customer Responsibilities
Customers remain responsible for the security, operation, maintenance, monitoring, backup, recovery, access management, network security, and protection of systems, infrastructure, applications, databases, and information under their control.
For Customer-hosted or on-premise deployments, Customers are solely responsible for securing hosting environments, servers, operating systems, databases, backup systems, disaster recovery capabilities, user devices, network infrastructure, and related technology resources.
4.7 Security Incident Reporting
All personnel and authorized users should promptly report suspected security incidents, unauthorized access attempts, policy violations, security vulnerabilities, data exposure events, or other information security concerns through appropriate reporting channels.
4.8 Shared Responsibility Model
Information security responsibilities may vary depending on the deployment model, service offering, infrastructure arrangement, and contractual commitments.
Where Services are deployed within Customer-managed environments, security responsibilities are shared between Ojoo and the Customer. Ojoo is generally responsible for the security of software products and support services within its control, while Customers remain responsible for the security of their infrastructure, environments, data management practices, and operational controls.
4.9 Accountability
Individuals with access to information assets, systems, applications, or services are expected to act responsibly and may be held accountable for violations of applicable security requirements, policies, procedures, contractual obligations, or acceptable use standards.
5. Access Control and Authentication
Ojoo seeks to implement reasonable access control and authentication measures designed to protect information assets, systems, applications, services, and Customer Data from unauthorized access, use, disclosure, modification, or destruction.
Access to systems, applications, information, and resources should be limited to authorized individuals who require such access for legitimate business, operational, support, security, legal, or compliance purposes.
5.1 Access Authorization
Access rights should be granted based on business requirements, job responsibilities, operational needs, and the principle of least privilege.
Users should receive only the minimum level of access reasonably necessary to perform their authorized duties and responsibilities.
5.2 User Account Management
Ojoo may implement procedures for creating, modifying, reviewing, suspending, and removing user accounts to support appropriate access management and security controls.
Access privileges may be updated, restricted, or revoked when roles, responsibilities, employment status, contractual relationships, or business requirements change.
5.3 Authentication Controls
Reasonable authentication measures may be implemented to verify the identity of users accessing systems, applications, and services.
Authentication mechanisms may include:
- Usernames and passwords.
- Multi-factor authentication where available.
- Single Sign-On (SSO) integrations where supported.
- Identity verification procedures.
- Session management controls.
5.4 Password Security
Users are responsible for maintaining the confidentiality of their authentication credentials and preventing unauthorized access to their accounts.
Users should:
- Use strong and unique passwords.
- Protect credentials from unauthorized disclosure.
- Avoid sharing accounts or passwords.
- Promptly update compromised credentials.
- Follow applicable password security requirements.
5.5 Privileged Access
Administrative, privileged, or elevated access rights should be restricted to authorized personnel who require such access for legitimate operational, support, security, maintenance, or management purposes.
Privileged access may be reviewed periodically and adjusted as necessary to support security objectives.
5.6 Access Reviews
Ojoo may periodically review user access rights, administrative privileges, and authorization levels to help ensure that access remains appropriate for current business and operational needs.
5.7 Session Management
Systems and applications may implement session management controls designed to reduce the risk of unauthorized access resulting from inactive, abandoned, or compromised sessions.
Such controls may include session expiration, inactivity timeouts, re-authentication requirements, or other security measures where appropriate.
5.8 Customer Responsibilities
Customers remain responsible for managing user accounts, access permissions, authentication controls, credential security, user activities, and account administration within Customer-managed environments and deployments.
For Customer-hosted or on-premise deployments, Customers are solely responsible for implementing and maintaining appropriate access controls, authentication mechanisms, identity management systems, and security measures within their infrastructure.
5.9 Unauthorized Access Reporting
Users and Customers should promptly report suspected unauthorized access attempts, compromised credentials, account misuse, privilege abuse, authentication failures, or other access control concerns to Ojoo through appropriate reporting channels.
5.10 Shared Responsibility
Access control and authentication responsibilities may vary depending on the deployment model, infrastructure environment, service offering, and contractual arrangements. Responsibilities relating to Customer-managed systems, devices, networks, and infrastructure remain with the Customer unless otherwise agreed in writing.
6. Data Protection
Ojoo is committed to implementing reasonable technical, organizational, administrative, and operational measures designed to protect Customer Data, business information, and other information assets from unauthorized access, disclosure, alteration, destruction, loss, misuse, or accidental exposure.
Data protection measures are designed to support the confidentiality, integrity, availability, and resilience of information processed in connection with the Services, taking into account business requirements, operational needs, legal obligations, technical feasibility, and risk considerations.
6.1 Data Classification
Information may be classified and handled according to its sensitivity, confidentiality requirements, business value, operational importance, legal obligations, and regulatory requirements.
Appropriate safeguards should be applied based on the nature and sensitivity of the information being processed.
6.2 Data Collection and Processing
Ojoo seeks to collect, access, process, store, and use information only to the extent reasonably necessary to provide Services, fulfill contractual obligations, support business operations, comply with legal requirements, and maintain security and operational integrity.
6.3 Data Access Controls
Access to Customer Data and other sensitive information should be restricted to authorized individuals who require access for legitimate business, operational, support, security, legal, or compliance purposes.
Access rights may be granted, modified, reviewed, and revoked based on business requirements, job responsibilities, and operational needs.
6.4 Data Storage and Retention
Information may be retained only for as long as reasonably necessary to support the Services, satisfy contractual obligations, comply with legal requirements, support security activities, resolve disputes, maintain business continuity, and fulfill legitimate business purposes.
Retention periods may vary depending on the nature of the data, applicable agreements, operational requirements, and legal obligations.
6.5 Data Transmission
Ojoo may implement reasonable safeguards designed to protect information during transmission between systems, applications, services, devices, and authorized users.
Data transmission security measures may vary depending on technical requirements, infrastructure arrangements, deployment models, and service offerings.
6.6 Data Backup and Recovery
Backup, recovery, and disaster recovery responsibilities may vary depending on the deployment model and applicable agreements.
For Customer-hosted or on-premise deployments, Customers remain responsible for implementing and maintaining appropriate backup, recovery, business continuity, and disaster recovery procedures for their environments and Customer Data.
6.7 Data Deletion and Disposal
When information is no longer required for operational, contractual, legal, regulatory, or business purposes, Ojoo may take reasonable steps to delete, anonymize, archive, dispose of, or otherwise manage such information in accordance with applicable retention practices and requirements.
6.8 Privacy and Confidentiality
Ojoo seeks to protect Personal Data and confidential information in accordance with applicable agreements, privacy commitments, legal requirements, and operational practices.
Personnel with access to sensitive information may be subject to confidentiality obligations and appropriate access restrictions.
6.9 Customer Responsibilities
Customers remain responsible for the accuracy, legality, quality, ownership, maintenance, protection, retention, backup, and management of Customer Data processed through the Services.
For Customer-hosted or on-premise deployments, Customers are solely responsible for securing databases, file systems, storage platforms, backup repositories, infrastructure components, and other technology resources under their control.
6.10 No Absolute Security Guarantee
While Ojoo implements reasonable safeguards designed to protect information, no security program, software application, network, cloud service, hosting environment, storage platform, or method of electronic transmission can be guaranteed to be completely secure.
Accordingly, Ojoo does not guarantee absolute protection against all security threats, cyberattacks, unauthorized access attempts, data loss events, or other information security risks.
7. System and Network Security
Ojoo seeks to implement reasonable technical, administrative, and operational safeguards designed to protect systems, applications, networks, infrastructure, and information assets from unauthorized access, misuse, disruption, alteration, destruction, or other security threats.
System and network security measures are intended to support the confidentiality, integrity, availability, resilience, and security of the Services and related business operations.
7.1 Secure System Administration
Systems, applications, and technology resources under Ojoo's control should be configured, maintained, monitored, and managed in a manner designed to support secure operations and reduce security risks.
Reasonable efforts may be taken to maintain appropriate security configurations, operational controls, and system management procedures.
7.2 Network Protection
Ojoo may implement network security measures designed to help protect systems, applications, and services from unauthorized access, malicious activity, service disruption, or other network-related security risks.
Such measures may include network segmentation, traffic controls, firewall protections, access restrictions, monitoring activities, or other appropriate safeguards where applicable.
7.3 Vulnerability Management
Ojoo may periodically identify, evaluate, prioritize, and address security vulnerabilities affecting systems, applications, services, or operational environments based on risk considerations, business requirements, technical feasibility, and available resources.
7.4 Security Monitoring
Reasonable monitoring activities may be performed to support detecting, investigating, analyzing, and responding to operational issues, security events, unauthorized activities, or potential security threats affecting systems and services.
7.5 Software Updates and Patch Management
Ojoo may implement processes designed to apply software updates, security patches, bug fixes, configuration changes, and maintenance activities intended to reduce operational and security risks.
The timing and implementation of updates may vary depending on the nature of the issue, operational requirements, testing requirements, and deployment model.
7.6 Logging and Audit Trails
Systems and applications may generate logs, audit records, diagnostic information, access records, operational data, and security-related events to support troubleshooting, monitoring, security management, compliance activities, and operational oversight.
7.7 Malware and Threat Protection
Ojoo may implement reasonable measures designed to reduce risks associated with malware, malicious software, unauthorized activities, security threats, and other harmful activities affecting systems and services.
Such measures may include monitoring activities, security controls, software protections, operational safeguards, or other reasonable security practices where appropriate.
7.8 Customer-Hosted Deployments
For Customer-hosted or on-premise deployments, Customers remain solely responsible for the security, maintenance, monitoring, configuration, protection, patching, and operation of their servers, networks, operating systems, databases, infrastructure components, and hosting environments.
Ojoo's responsibilities generally apply only to software products, support activities, and systems within Ojoo's reasonable control.
7.9 Third-Party Services and Infrastructure
Where third-party infrastructure providers, hosting providers, communication providers, integration services, or technology partners are utilized, Ojoo may take reasonable steps to evaluate and manage associated risks; however, Ojoo does not control and cannot guarantee the security practices, availability, or performance of independent third-party services.
7.10 Security Testing and Improvements
Ojoo may periodically review, assess, improve, and enhance system and network security practices to address evolving threats, technology changes, operational requirements, legal obligations, and business needs.
7.11 No Absolute Security Guarantee
No network, system, application, hosting environment, cloud service, or technology platform can be guaranteed to be completely secure. While Ojoo seeks to implement reasonable security safeguards, Ojoo does not guarantee protection against all cybersecurity threats, unauthorized access attempts, service disruptions, vulnerabilities, or security incidents.
8. Secure Development and Change Management
Ojoo seeks to incorporate appropriate security considerations throughout the design, development, testing, deployment, maintenance, and operation of its software products and services. Secure development and change management practices are intended to support the confidentiality, integrity, availability, reliability, and security of systems, applications, and information assets.
8.1 Secure Development Practices
Security considerations may be incorporated into software development, configuration, deployment, maintenance, and operational activities where reasonably appropriate.
Development teams are encouraged to follow secure coding practices, quality assurance procedures, testing processes, and operational guidelines designed to reduce security risks and software defects.
8.2 Development Lifecycle
Software products and services may undergo planning, development, testing, validation, deployment, maintenance, and review activities designed to support functionality, reliability, performance, and security objectives.
The specific development methodology, processes, tools, and controls may vary depending on project requirements, business needs, service offerings, and operational considerations.
8.3 Change Management
Changes to systems, applications, configurations, infrastructure, services, integrations, workflows, or operational processes should be reviewed, evaluated, tested, approved, and implemented through reasonable change management procedures where appropriate.
Change management activities are intended to reduce operational disruptions, security risks, compatibility issues, and unintended consequences arising from modifications to systems or services.
8.4 Testing and Validation
Reasonable testing, validation, quality assurance, and review activities may be performed before deploying significant changes, updates, enhancements, patches, bug fixes, configurations, or new features into production environments.
Testing approaches may vary depending on the nature, complexity, risk level, operational impact, and business requirements of the change.
8.5 Security Updates and Patches
Ojoo may implement software updates, security patches, bug fixes, maintenance releases, configuration changes, and corrective actions designed to address identified issues, improve functionality, enhance security, and support operational stability.
The timing, prioritization, and deployment of updates may depend on risk assessments, technical feasibility, operational requirements, testing outcomes, customer environments, and business priorities.
8.6 Version Control and Change Tracking
Ojoo may maintain appropriate records, version control practices, documentation, change logs, deployment records, or other mechanisms designed to support accountability, traceability, operational oversight, and change tracking.
8.7 Emergency Changes
Emergency changes may be implemented where reasonably necessary to address critical defects, security vulnerabilities, service interruptions, operational incidents, legal requirements, or other urgent business needs.
Where practical, such changes may be reviewed, documented, tested, or validated after implementation to support operational integrity and continuous improvement.
8.8 Third-Party Components
Ojoo may utilize third-party software components, libraries, frameworks, tools, integrations, APIs, open-source software, or technology services in connection with the development and operation of its products and services.
Reasonable efforts may be taken to evaluate, manage, maintain, and update such components based on business needs, operational requirements, security considerations, and available resources.
8.9 Customer-Hosted Deployments
For Customer-hosted or on-premise deployments, Customers remain responsible for implementing approved updates, patches, configurations, infrastructure changes, operating system updates, database maintenance, and other changes within their own environments unless otherwise agreed in writing.
Ojoo shall not be responsible for issues arising from a Customer's failure to implement recommended updates, security patches, bug fixes, maintenance releases, or configuration changes.
8.10 Continuous Improvement
Ojoo may periodically review, assess, refine, and improve its development practices, change management procedures, testing processes, deployment methods, and security measures to address evolving threats, technology changes, operational requirements, customer needs, and business objectives.
8.11 No Guarantee of Error-Free Software
Despite reasonable development, testing, review, and quality assurance efforts, software products and services may contain defects, vulnerabilities, errors, compatibility issues, or operational limitations. Ojoo does not guarantee that software will be completely error-free, uninterrupted, or free from all security risks.
9. Backup and Recovery
Ojoo recognizes the importance of data protection, business continuity, operational resilience, and recovery planning. Backup and recovery measures are intended to support the availability, restoration, and continuity of systems, applications, services, and information assets in the event of operational disruptions, data loss, system failures, security incidents, or other adverse events.
9.1 Backup Responsibilities
Backup responsibilities may vary depending on the deployment model, hosting arrangement, service offering, and contractual commitments applicable to the Customer.
For Customer-hosted or on-premise deployments, Customers remain solely responsible for implementing, managing, monitoring, testing, and maintaining backup procedures for Customer Data, databases, servers, applications, configurations, storage systems, and related infrastructure components.
9.2 Recovery Planning
Ojoo may maintain reasonable recovery procedures and operational practices designed to support restoration efforts following system failures, software issues, security incidents, operational disruptions, or other events affecting services under Ojoo's control.
Recovery procedures may vary depending on the nature of the service, deployment model, operational requirements, technical constraints, and business priorities.
9.3 Customer Backup Practices
Customers should implement backup and recovery practices appropriate to their business requirements, operational risks, regulatory obligations, and continuity objectives.
Recommended practices may include:
- Regular data backups.
- Database backup procedures.
- Backup verification and monitoring.
- Offsite or secondary backup storage.
- Recovery testing and validation.
- Business continuity planning.
- Disaster recovery planning.
9.4 Restoration Activities
Where backup data is available and recovery efforts are undertaken, restoration activities may include recovery of applications, databases, configurations, files, operational records, or other information necessary to support service continuity.
The success, completeness, timing, and outcome of restoration activities may depend on the availability, quality, integrity, age, and condition of backup data and supporting systems.
9.5 Customer-Hosted Environments
For Customer-managed infrastructure, Ojoo does not control Customer backup systems, storage environments, disaster recovery platforms, retention practices, recovery procedures, or business continuity arrangements.
Accordingly, Customers remain responsible for ensuring that adequate backup and recovery measures are implemented and maintained within their own environments.
9.6 Data Retention and Recovery
Backup retention periods, archival practices, restoration capabilities, and recovery procedures may vary depending on business requirements, operational considerations, technical limitations, contractual commitments, and applicable legal obligations.
9.7 Recovery Limitations
Ojoo does not guarantee the successful recovery of all information, systems, services, configurations, records, or Customer Data in every circumstance.
Recovery efforts may be affected by data corruption, hardware failures, infrastructure issues, security incidents, customer actions, third-party services, operational limitations, or other circumstances beyond Ojoo's reasonable control.
9.8 Customer Responsibilities
Customers are responsible for maintaining copies of critical information, records, reports, configurations, and business data necessary for their operations and should not rely exclusively on the Services as their sole backup, archive, recovery, or business continuity solution.
9.9 Continuous Improvement
Ojoo may periodically review, assess, update, and improve backup, recovery, restoration, and continuity practices to address evolving business needs, operational requirements, technological changes, security considerations, and legal obligations.
9.10 No Guaranteed Recovery Objectives
Unless expressly agreed in a separate written agreement, Ojoo does not guarantee specific recovery point objectives (RPOs), recovery time objectives (RTOs), restoration timelines, backup frequencies, retention periods, or recovery outcomes.
10. Security Incident Management
Ojoo seeks to maintain reasonable procedures designed to identify, assess, investigate, manage, contain, mitigate, document, and respond to Security Incidents that may affect information assets, systems, applications, services, business operations, or Customer Data within Ojoo's reasonable control.
Security Incident Management activities are intended to support the timely detection, analysis, response, recovery, and continuous improvement of security practices while minimizing operational, business, and security impacts.
10.1 Definition of Security Incident
For purposes of this Policy, a "Security Incident" refers to a suspected or confirmed event that may result in unauthorized access, disclosure, alteration, destruction, loss, misuse, compromise, or disruption of information assets, systems, applications, services, or Customer Data.
10.2 Incident Identification and Reporting
Employees, contractors, service providers, Customers, and authorized users are encouraged to promptly report suspected Security Incidents, vulnerabilities, unauthorized access attempts, malware activity, policy violations, suspicious behavior, or other security concerns through appropriate reporting channels.
Reported incidents may be reviewed, evaluated, prioritized, and investigated based on their nature, severity, operational impact, business risk, and potential security implications.
10.3 Incident Assessment and Investigation
Ojoo may undertake reasonable efforts to assess, investigate, analyze, and validate suspected Security Incidents to determine their scope, impact, root causes, affected systems, affected data, and appropriate response actions.
Investigation activities may include system reviews, log analysis, diagnostic activities, technical assessments, evidence collection, or other appropriate measures.
10.4 Incident Containment and Mitigation
Where appropriate, Ojoo may implement reasonable containment, remediation, corrective, recovery, or mitigation measures designed to reduce the impact of Security Incidents and support the restoration of affected systems or services.
Response actions may vary depending on the nature of the incident, operational requirements, technical constraints, legal obligations, and business considerations.
10.5 Customer Notification
Where Ojoo becomes aware of a confirmed Security Incident affecting Customer Data or services within Ojoo's reasonable control, Ojoo may notify affected Customers without undue delay, subject to legal, regulatory, contractual, operational, and security considerations.
Initial notifications may be limited in scope, and additional information may be provided as investigations progress and verified information becomes available.
10.6 Customer-Hosted Deployments
For Customer-hosted or on-premise deployments, Customers remain responsible for monitoring, detecting, investigating, responding to, and managing Security Incidents affecting Customer-managed servers, databases, operating systems, networks, backup systems, endpoints, hosting environments, and related infrastructure.
Ojoo's responsibilities generally apply only to software products, support activities, and systems within Ojoo's reasonable control.
10.7 Cooperation and Coordination
Where reasonably necessary and appropriate, Ojoo may cooperate with Customers, service providers, advisors, legal representatives, regulatory authorities, or other relevant parties in connection with the investigation, management, containment, mitigation, or recovery of Security Incidents.
10.8 Incident Documentation
Ojoo may maintain records, reports, logs, findings, corrective actions, lessons learned, or other documentation relating to Security Incidents for operational, security, compliance, audit, legal, or business purposes.
10.9 Continuous Improvement
Following Security Incidents, Ojoo may review response activities, identify improvement opportunities, evaluate operational lessons learned, and implement reasonable corrective actions designed to strengthen security practices and reduce future risks.
10.10 No Guarantee Against Security Incidents
No software application, information system, network, hosting environment, cloud service, technology platform, or security program can be guaranteed to be completely secure. While Ojoo seeks to implement reasonable safeguards and response procedures, Ojoo does not guarantee that Security Incidents will never occur.
10.11 Relationship to Other Policies
This section should be read together with Ojoo's Terms of Service, Privacy Policy, Data Processing Agreement (DPA), Service Level Agreement (SLA), and other applicable policies, procedures, and contractual commitments relating to information security, privacy, and data protection.
11. Vendor and Third-Party Security
Ojoo may engage third-party vendors, service providers, contractors, technology partners, infrastructure providers, communication providers, and other external organizations to support business operations, software development, service delivery, customer support, security activities, and other operational requirements.
Ojoo seeks to take reasonable steps to evaluate and manage security, privacy, operational, and business risks associated with third-party relationships that may affect the Services or information assets within Ojoo's reasonable control.
11.1 Vendor Selection
Where appropriate, Ojoo may consider factors such as security practices, operational reliability, service capabilities, reputation, compliance requirements, contractual commitments, business needs, and risk considerations when selecting vendors and third-party service providers.
11.2 Contractual Requirements
Ojoo may require vendors, contractors, service providers, and other third parties to comply with applicable contractual obligations, confidentiality requirements, privacy commitments, security expectations, and legal requirements relevant to the services they provide.
11.3 Access to Information
Access to Ojoo systems, applications, services, information assets, or Customer Data by third parties should be limited to authorized purposes and only to the extent reasonably necessary to provide services, fulfill contractual obligations, support operations, or address legitimate business requirements.
Where appropriate, access rights may be restricted, monitored, reviewed, modified, or revoked based on business needs, contractual requirements, operational considerations, and security requirements.
11.4 Subprocessors and Service Providers
Where applicable, Ojoo may engage authorized subprocessors, infrastructure providers, communication providers, cloud providers, payment providers, analytics providers, support providers, or other service providers in connection with the delivery of Services.
Such providers may be subject to applicable contractual, confidentiality, privacy, and security obligations appropriate to the services they perform.
11.5 Monitoring and Review
Ojoo may periodically review, evaluate, or reassess third-party relationships based on business needs, operational requirements, security considerations, service performance, legal obligations, and risk management objectives.
11.6 Customer-Hosted Deployments
For Customer-hosted or on-premise deployments, Customers remain responsible for evaluating, selecting, managing, securing, and monitoring third-party vendors, hosting providers, infrastructure providers, cloud services, communication providers, software providers, and technology partners utilized within Customer-managed environments.
Ojoo shall not be responsible for the security, availability, performance, compliance, or operational practices of third-party services selected, managed, or controlled by the Customer.
11.7 Third-Party Risks
Despite reasonable vendor management efforts, third-party services may introduce operational, security, privacy, availability, performance, compliance, or business risks. Ojoo cannot guarantee the actions, performance, security posture, or reliability of independent third-party organizations.
11.8 Incident Cooperation
Where reasonably appropriate, Ojoo may cooperate with vendors, service providers, Customers, regulatory authorities, legal representatives, or other relevant parties in connection with security incidents, operational issues, investigations, compliance activities, or service disruptions involving third-party services.
11.9 Changes to Vendors and Service Providers
Ojoo may add, remove, replace, modify, or update vendors, subprocessors, technology providers, infrastructure providers, or other third-party relationships from time to time based on business needs, operational requirements, service delivery considerations, security requirements, legal obligations, and other relevant factors.
11.10 No Guarantee of Third-Party Security
While Ojoo seeks to work with reputable vendors and service providers, Ojoo does not guarantee the security, availability, reliability, compliance, performance, or practices of independent third-party organizations and shall not be responsible for matters outside its reasonable control.
12. Physical Security
Ojoo recognizes the importance of protecting physical assets, equipment, information resources, and operational environments from unauthorized access, damage, theft, loss, interference, or other physical security risks.
Physical security measures are intended to support the confidentiality, integrity, availability, and protection of information assets, technology resources, systems, and business operations within Ojoo's reasonable control.
12.1 Protection of Physical Assets
Ojoo seeks to take reasonable measures to protect computers, servers, network equipment, storage devices, documents, mobile devices, and other physical assets used in connection with business operations and service delivery.
12.2 Authorized Access
Access to physical workspaces, operational areas, equipment, and technology resources should be limited to authorized personnel, contractors, service providers, or visitors who have a legitimate business need for access.
Access permissions may be granted, modified, reviewed, restricted, or revoked based on business requirements, operational needs, and security considerations.
12.3 Visitor Management
Visitors, contractors, vendors, service providers, and other third parties accessing physical locations under Ojoo's control may be subject to reasonable access restrictions, supervision requirements, security procedures, or identification requirements where appropriate.
12.4 Device Security
Personnel are expected to take reasonable precautions to protect company-owned and authorized devices from theft, unauthorized access, damage, loss, misuse, or unauthorized disclosure of information.
Reasonable measures may include secure storage, device locking, credential protection, controlled access, and appropriate handling practices.
12.5 Secure Disposal
When equipment, storage devices, documents, records, or other information assets are no longer required, Ojoo may take reasonable steps to securely dispose of, destroy, erase, archive, or otherwise manage such assets in accordance with applicable operational, contractual, legal, and regulatory requirements.
12.6 Environmental Considerations
Where applicable, reasonable efforts may be taken to protect technology resources and information assets from environmental risks such as fire, water damage, power disruptions, equipment failures, natural disasters, or other operational threats.
12.7 Customer-Hosted Deployments
For Customer-hosted or on-premise deployments, Customers remain solely responsible for the physical security of servers, data centers, network equipment, backup systems, storage devices, workstations, facilities, and other infrastructure components under their control.
Ojoo does not manage or control Customer facilities, physical environments, hardware assets, or infrastructure resources unless otherwise expressly agreed in writing.
12.8 Third-Party Facilities
Where third-party facilities, hosting providers, data centers, infrastructure providers, or technology partners are utilized, Ojoo may rely on the physical security measures implemented by such third parties. Ojoo does not control and cannot guarantee the physical security practices of independent third-party organizations.
12.9 Incident Reporting
Personnel should promptly report suspected theft, unauthorized physical access, loss of equipment, facility security concerns, tampering, vandalism, or other physical security incidents through appropriate reporting channels.
12.10 No Absolute Security Guarantee
While Ojoo seeks to implement reasonable physical security measures, no facility, device, workplace, storage environment, or physical security program can be guaranteed to be completely secure. Physical security risks may still arise despite reasonable precautions and protective measures.
13. Employee Security and Awareness
Ojoo recognizes that employees, contractors, consultants, and authorized personnel play an important role in maintaining the security, confidentiality, integrity, and availability of information assets, systems, applications, services, and business operations.
Ojoo seeks to promote a culture of security awareness, responsible behavior, and accountability through reasonable security practices, guidance, operational procedures, and awareness initiatives.
13.1 Security Responsibilities
Personnel are expected to understand and comply with applicable security policies, procedures, confidentiality obligations, acceptable use requirements, operational practices, and legal or contractual obligations relevant to their roles and responsibilities.
13.2 Confidentiality Obligations
Personnel who have access to Customer Data, confidential information, business information, intellectual property, or other sensitive assets may be subject to confidentiality obligations and are expected to protect such information from unauthorized access, disclosure, misuse, alteration, or loss.
13.3 Security Awareness
Ojoo may provide guidance, resources, communications, operational instructions, awareness initiatives, or other educational materials intended to promote responsible security practices and support information security objectives.
Security awareness topics may include:
- Password and credential security.
- Phishing and social engineering awareness.
- Protection of confidential information.
- Acceptable use of systems and technology resources.
- Incident reporting procedures.
- Remote work security practices.
- Data protection and privacy responsibilities.
13.4 Access Management
Personnel shall access systems, applications, services, and information only to the extent necessary to perform authorized job functions and business responsibilities.
Access rights may be granted, modified, reviewed, restricted, or revoked based on operational requirements, role changes, organizational changes, contractual relationships, or termination of employment or engagement.
13.5 Secure Use of Technology Resources
Personnel are expected to use company-authorized systems, devices, applications, networks, communication tools, and technology resources responsibly and in accordance with applicable policies, procedures, and operational requirements.
13.6 Incident Reporting
Personnel should promptly report suspected security incidents, unauthorized access attempts, credential compromise, phishing attempts, malware infections, policy violations, vulnerabilities, data exposure events, or other security concerns through appropriate reporting channels.
13.7 Remote Work and Mobile Security
Where remote work arrangements are utilized, personnel are expected to take reasonable precautions to protect devices, credentials, communications, systems, and information accessed outside traditional office environments.
Reasonable precautions may include secure authentication practices, device protection measures, secure internet connections, software updates, and protection against unauthorized access.
13.8 Personnel Separation and Access Revocation
Upon termination of employment, contract expiration, role changes, or other circumstances affecting authorization, Ojoo may take reasonable steps to restrict, suspend, revoke, or modify access to systems, applications, services, facilities, information assets, and technology resources as appropriate.
13.9 Violations and Non-Compliance
Failure to comply with applicable security requirements, operational procedures, confidentiality obligations, acceptable use standards, or other information security expectations may result in corrective actions, access restrictions, disciplinary measures, contractual remedies, or other appropriate actions consistent with applicable laws and agreements.
13.10 Continuous Improvement
Ojoo may periodically review and improve security awareness initiatives, personnel security practices, operational guidance, training materials, and related security programs to address evolving risks, business requirements, technology changes, and operational needs.
13.11 Shared Responsibility
Information security is a shared responsibility. All personnel are expected to contribute to the protection of information assets, systems, applications, services, and Customer Data by acting responsibly, following established practices, and supporting Ojoo's information security objectives.
14. Acceptable Use
Ojoo expects all users, Customers, employees, contractors, and authorized personnel to use the Services, systems, applications, networks, information assets, and technology resources responsibly, lawfully, and in a manner consistent with applicable agreements, business purposes, security requirements, and legal obligations.
The purpose of this Acceptable Use section is to promote the secure, reliable, and appropriate use of information assets and to reduce risks to Customers, users, systems, services, and business operations.
14.1 Authorized Use
Users may access and use systems, applications, services, networks, information assets, and technology resources only for authorized business, operational, support, administrative, or other legitimate purposes consistent with applicable agreements and permissions.
14.2 Protection of Credentials
Users are responsible for protecting usernames, passwords, authentication credentials, access tokens, API keys, and other security credentials from unauthorized access, disclosure, misuse, or compromise.
Users shall not share credentials, allow unauthorized account access, or attempt to circumvent authentication or security controls.
14.3 Prohibited Activities
Users shall not engage in activities that may compromise the security, availability, integrity, confidentiality, performance, or lawful operation of systems, applications, services, networks, or information assets.
Prohibited activities include, but are not limited to:
- Unauthorized access to systems, applications, accounts, networks, or data.
- Attempting to bypass, disable, interfere with, or circumvent security controls.
- Introducing malware, viruses, ransomware, malicious code, or harmful software.
- Conducting unauthorized vulnerability scanning, penetration testing, or security testing.
- Interfering with service availability, performance, or normal operations.
- Accessing, modifying, deleting, or disclosing information without authorization.
- Misrepresenting identity, credentials, authority, or authorization.
- Using the Services for unlawful, fraudulent, deceptive, or malicious purposes.
14.4 Data Protection Responsibilities
Users are expected to handle Customer Data, confidential information, business information, personal information, and other sensitive data responsibly and in accordance with applicable agreements, privacy requirements, legal obligations, and operational practices.
14.5 Software and System Integrity
Users shall not intentionally damage, disrupt, alter, misuse, reverse engineer, tamper with, or compromise systems, applications, services, software, infrastructure, security mechanisms, or technology resources except where expressly authorized by applicable agreements or law.
14.6 Third-Party Services
Users shall comply with applicable terms, restrictions, licensing requirements, security requirements, and legal obligations relating to third-party software, services, integrations, infrastructure, or technology resources utilized in connection with the Services.
14.7 Export Control and Sanctions Compliance
Users shall not use the Services in violation of applicable export control laws, trade restrictions, sanctions regulations, embargoes, or other legal requirements governing the transfer, access, use, or distribution of technology, software, information, or services.
14.8 Customer-Hosted Deployments
For Customer-hosted or on-premise deployments, Customers remain responsible for establishing, enforcing, monitoring, and maintaining acceptable use policies, user access controls, security controls, operational procedures, and technology usage requirements within their own environments.
14.9 Monitoring and Enforcement
Where permitted by applicable law and contractual obligations, Ojoo may investigate suspected violations of this Policy and may take reasonable actions to protect systems, services, Customers, users, information assets, and business operations.
Such actions may include access restrictions, suspension of access, security reviews, incident investigations, corrective actions, or other appropriate measures.
14.10 Reporting Violations
Users should promptly report suspected violations of this Policy, unauthorized activities, security concerns, misuse of systems, credential compromise, or other information security concerns through appropriate reporting channels.
14.11 Consequences of Violations
Violations of this Policy may result in access restrictions, suspension of services, removal of access privileges, contractual remedies, disciplinary measures, legal action, or other appropriate actions consistent with applicable laws, agreements, and business requirements.
15. Compliance and Audits
Ojoo seeks to maintain information security practices designed to support compliance with applicable legal, regulatory, contractual, operational, and business requirements relevant to its products, services, and business operations.
Compliance activities are intended to promote accountability, risk management, operational integrity, information security, privacy protection, and continuous improvement across the organization.
15.1 Compliance Obligations
Ojoo may take reasonable steps to comply with applicable laws, regulations, contractual obligations, privacy requirements, information security requirements, and other legal or operational obligations relevant to its business activities.
Compliance requirements may vary depending on the nature of the Services, deployment models, customer requirements, geographic locations, and applicable legal frameworks.
15.2 Internal Reviews
Ojoo may periodically review, assess, evaluate, or monitor its information security practices, operational procedures, access controls, security measures, and compliance activities to identify improvement opportunities and support security objectives.
15.3 Risk Management
Ojoo may perform reasonable risk assessment, risk evaluation, and risk management activities to identify, prioritize, and address security, operational, privacy, compliance, and business risks that may affect systems, applications, services, or information assets.
15.4 Customer Audits and Assessments
Customers may request information regarding Ojoo's security, privacy, operational, or compliance practices where reasonably necessary to support due diligence, procurement activities, contractual requirements, or regulatory obligations.
Ojoo may provide such information subject to confidentiality, security, legal, operational, and business considerations.
15.5 Audit Limitations
Ojoo is not obligated to provide unrestricted access to internal systems, source code, confidential business information, security records, proprietary information, facilities, personnel, or other sensitive information as part of any audit, assessment, review, or customer inquiry.
Any audit-related access or information sharing may be subject to reasonable restrictions, confidentiality obligations, security requirements, and mutually agreed procedures.
15.6 Customer Responsibilities
Customers remain responsible for ensuring their own compliance with applicable laws, regulations, contractual obligations, privacy requirements, industry standards, and internal governance requirements relating to their use of the Services.
For Customer-hosted or on-premise deployments, Customers are solely responsible for compliance obligations relating to their infrastructure, hosting environments, networks, databases, backup systems, security controls, operational procedures, and technology resources.
15.7 No Certification Representation
Unless expressly stated in writing, Ojoo does not represent, warrant, or certify that it maintains any specific certification, attestation, accreditation, audit report, compliance framework, or industry standard, including but not limited to ISO 27001, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, GDPR certification, or similar programs.
References to security practices, controls, procedures, or operational measures in this Policy should not be interpreted as a representation that Ojoo has obtained any particular certification or independent audit attestation.
15.8 Regulatory Cooperation
Where required by applicable law, regulation, court order, lawful government request, or contractual obligation, Ojoo may cooperate with regulatory authorities, governmental agencies, auditors, legal representatives, or other authorized parties in connection with compliance activities, investigations, legal proceedings, or regulatory requirements.
15.9 Continuous Improvement
Ojoo may periodically review, improve, update, and refine its security practices, operational procedures, compliance activities, risk management processes, and governance measures to address evolving legal requirements, business needs, technology changes, security risks, and customer expectations.
15.10 No Guarantee of Compliance Outcomes
While Ojoo seeks to implement reasonable compliance, security, privacy, and operational practices, Ojoo does not guarantee that the Services or Customer environments will satisfy every legal, regulatory, contractual, operational, industry-specific, or customer compliance requirement. Customers remain responsible for evaluating the suitability of the Services for their specific compliance needs.
16. Policy Updates
Ojoo may modify, update, revise, amend, or replace this Security Policy from time to time to reflect changes in business operations, services, technology, security practices, legal requirements, regulatory obligations, operational processes, industry standards, or risk management considerations.
Policy updates are intended to ensure that this Security Policy remains relevant, accurate, effective, and aligned with evolving business, security, privacy, operational, and compliance requirements.
16.1 Reasons for Updates
Ojoo may update this Security Policy for reasons including, but not limited to:
- Changes to products, services, or service offerings.
- Technology upgrades and infrastructure changes.
- Security improvements and risk management initiatives.
- Legal, regulatory, or contractual requirements.
- Changes to operational processes or business practices.
- Industry developments, standards, or best practices.
- Feedback from customers, partners, auditors, or stakeholders.
16.2 Effective Date of Changes
Updated versions of this Security Policy shall become effective on the date specified within the revised Policy unless otherwise stated.
Ojoo may maintain and publish the most current version of this Security Policy through its website, customer portal, documentation, or other appropriate communication channels.
16.3 Notice of Material Changes
Where reasonably practicable, Ojoo may provide notice of material changes to this Security Policy through email communications, customer portals, website announcements, application notifications, support channels, or other reasonable communication methods.
16.4 Customer Review Responsibility
Customers are responsible for periodically reviewing the current version of this Security Policy and remaining informed regarding applicable security practices, operational requirements, and policy updates.
16.5 Relationship to Other Agreements
Updates to this Security Policy shall be read together with the Terms of Service, Privacy Policy, Cookie Policy, Data Processing Agreement (DPA), Service Level Agreement (SLA), and other applicable agreements governing the use of the Services.
Nothing in this Security Policy shall be interpreted as modifying, replacing, or overriding contractual obligations expressly agreed in a separate written agreement between Ojoo and a Customer unless otherwise stated.
16.6 Continuous Improvement
Ojoo seeks to periodically review, evaluate, and improve its security practices, governance measures, operational procedures, technical safeguards, and risk management activities as part of its ongoing commitment to information security and business resilience.
16.7 No Retroactive Effect
Unless required by applicable law, updates to this Security Policy shall apply prospectively from their effective date and shall not retroactively alter rights, obligations, responsibilities, or liabilities that arose prior to such effective date.
17. Contact Information
If you have any questions regarding this Security Policy, information security practices, security incidents, data protection measures, compliance matters, or other security-related concerns, you may contact Ojoo using the information provided below.
Ojoo shall use commercially reasonable efforts to review and respond to security-related inquiries, reports, and communications within a reasonable timeframe, subject to the nature, complexity, severity, and urgency of the matter.
OJOO SOFTWARE SERVICES PRIVATE LIMITED
Website: https://ojoo.app
General Support: support@ojoo.org
Security Inquiries: support@ojoo.org
Privacy and Compliance Inquiries: support@ojoo.org
Registered Office Address: FRF1, Mithra Enclave, Doddakallasandra, Bengaluru, Karnataka – 560062, India
Business Hours: Monday – Friday, 9:00 AM – 6:00 PM IST, excluding public holidays and company-observed holidays
17.1 Security Incident Reporting
Customers, users, employees, contractors, service providers, and other stakeholders are encouraged to promptly report suspected security incidents, vulnerabilities, unauthorized access attempts, credential compromise, malware activity, data exposure events, policy violations, or other security concerns through the contact channels provided above.
17.2 Responsible Communication
Individuals reporting security concerns should provide sufficient information to assist with investigation and assessment activities, including relevant dates, affected systems, descriptions of the issue, supporting evidence, and other reasonably available details.
17.3 Cooperation
Where reasonably appropriate, Ojoo may cooperate with Customers, authorized representatives, service providers, legal advisors, regulatory authorities, and other relevant parties in connection with information security matters, investigations, compliance activities, incident response efforts, and operational security requirements.
17.4 Policy Questions
Questions regarding the interpretation, application, scope, or implementation of this Security Policy may be directed to Ojoo through the contact information provided above.
This Security Policy should be read together with Ojoo's Terms of Service, Privacy Policy, Cookie Policy, Data Processing Agreement (DPA), Service Level Agreement (SLA), and other applicable agreements governing the use of Ojoo's products and services.