Security Policy

Hari Cornucopia Tech Private Limited ("HCTPL", "we", "our", or "us") is a private limited company incorporated on 10 July 2023, registered with the Registrar of Companies, Vijaywada, and currently active. Our Corporate Identification Number (CIN) is U62012AP2023PTC111685.

Our registered office is located at 12-58/B, Jaggayyapalem, Jaggayyapalem, Visakhapatnam, Pedagantyada, Andhra Pradesh, India, 530012. HCTPL maintains operational presence in Vizag & Hyderabad and provides its websites, platforms, and services within India, subject to applicable Indian law.

For legal, privacy, compliance, or policy-related enquiries, you may contact us at haricornucopiatech@gmail.com or through the contact channels published on our website.

This Security Policy applies to HCTPL-operated websites, applications, internal tools, service-delivery environments, integrations, and supporting business processes used to deliver client and internal operations in India.

• Applies to employees, contractors, authorized partners, and approved service providers.
• Applies to both cloud-hosted and locally managed assets where HCTPL has security responsibility.

Security outcomes are achieved through a shared responsibility model between HCTPL, infrastructure providers, integration partners, and client organizations.

HCTPL secures systems and processes within its operational control, while clients remain responsible for secure usage, account administration, data classification, and governance decisions in their own environments.

HCTPL maintains security governance practices aligned with business risk, legal obligations, and operational requirements. Governance includes policy maintenance, role assignment, control ownership, and periodic review.

Material policy, architecture, or control changes are reviewed by designated leadership and relevant stakeholders before implementation where required.

Access to systems and data is governed by least-privilege and need-to-know principles. Access rights are provisioned, reviewed, and revoked based on role, function, and business justification.

Multi-factor authentication (MFA) is enforced where technically feasible for administrative functions, privileged accounts, and sensitive operational environments.

• Segregation of duties is considered for privileged workflows.
• Dormant, excess, or stale access is periodically reviewed and remediated.

HCTPL applies encryption controls for data in transit using modern transport security standards and uses encryption-at-rest controls where supported by infrastructure and service design.

Secrets, credentials, and sensitive tokens are managed through controlled mechanisms and are not intentionally exposed in public code repositories, unsecured channels, or user-facing artifacts.

Infrastructure security includes hardened configurations, controlled deployment pathways, baseline monitoring, and environment separation where required by risk and service design.

Production-like environments are managed with change control and restricted administrative access to reduce unauthorized modification risk.

HCTPL follows secure software development lifecycle practices appropriate to project scope, including code review, dependency awareness, secret handling controls, and risk-based testing before release.

Security requirements are considered during architecture, implementation, testing, and deployment stages to reduce common software vulnerabilities and insecure configurations.

HCTPL conducts vulnerability identification and remediation activities through available tools, advisories, and manual review workflows. Detected issues are triaged by severity, exploitability, and business impact.

Critical and high-risk findings are prioritized for mitigation within operational constraints, and compensating controls may be used where immediate remediation is not feasible.

Security-relevant events are logged where supported by systems and service architecture. Monitoring practices are designed to support operational oversight, anomaly detection, and incident analysis.

Log access is restricted to authorized personnel, and retention settings are managed according to legal, contractual, and business requirements.

HCTPL maintains incident response procedures to identify, contain, investigate, remediate, and recover from security incidents. Response actions are coordinated based on severity and impact.

Where required by applicable law or contractual terms, affected stakeholders may be notified within applicable timelines following validated incident assessment.

Business continuity and disaster recovery considerations are incorporated into service planning to support resilience during infrastructure disruption, vendor outages, or operational emergencies.

Recovery objectives, fallback procedures, and restoration priorities are applied according to service criticality, architecture constraints, and contractual commitments.

HCTPL may rely on third-party providers for hosting, communications, analytics, support tooling, and integration capabilities. Third-party usage is evaluated with risk and business suitability considerations.

While HCTPL seeks commercially reasonable controls, third-party services remain subject to their own policies, availability, and security practices.

HCTPL personnel are expected to follow internal security expectations, confidentiality requirements, and acceptable use standards relevant to their role. Users and client-side administrators are expected to maintain secure account and endpoint practices.

• Protect credentials and never share privileged access without authorization.
• Report suspected phishing, malware, account compromise, or unusual behavior promptly.
• Apply timely updates and secure configurations on managed user endpoints.

To report suspected vulnerabilities, abuse, unauthorized access attempts, or other security concerns, contact HCTPL at haricornucopiatech@gmail.com with relevant details to support triage.

HCTPL may update this Security Policy to reflect legal requirements, security improvements, product changes, or evolving threat conditions. Updated versions will be published with a revised effective date.