BRING-YOUR-OWN-DEVICE (“BYOD”) ACCEPTABLE USE POLICY

INTRODUCTION

M/s. Sorting Hat Technologies Private Limited (the “Company”) grants its end users the privilege of using
their personally-owned-device (“Device/s”) for Company’s work-related purpose. This Policy is intended
to protect the security and integrity of the Company’s data and technology infrastructure. To achieve this
goal all end users are expected to adhere to this Policy in order to be able to connect their devices to the
Company’s network. The Company reserves its right to revoke this privilege at any given time if the end
user does not abide by this Policy and Procedures or by its sole discretion as outlined below.

PURPOSE

The purpose of this Policy is to define the Company’s standards, procedures, and restrictions for end
users who are willing to connect their Device with Company’s network for the Company’s work-related
purposes. This Policy applies, but is not limited to all Devices and accompanying media (e.g. USB thumb
and external hard drives) that fit the following classifications:
● Smartphones
● Other mobile/cellular phones
● Tablet computers
● Portable media devices
● PDAs
● Ultra-mobile PCs (UMPCs)
● Laptop/notebook computers, including home desktops
● Any personally-owned device capable of storing Company’s data and connecting to a network.

This Policy applies to any hardware and related software that is not organisationally owned or supplied,
but could be used to access organisational resources. That is, devices that employees or end users have
acquired for personal use but also wish to use in the business environment.
The overriding goal of this Policy is to protect the integrity of the confidential information, client’s details
and any business data that resides within the Company’s technology infrastructure. This Policy intends
to prevent this data from being deliberately or inadvertently stored insecurely on a device or carried
over an insecure network where it could potentially be accessed by unsanctioned resources. A breach
of this type could result in loss of information, damage to critical applications, loss of revenue, and
damage to the Company’s public image. Therefore, all end users using their Devices connected to
Company’s network, and/or capable of backing up, storing, or otherwise accessing Company’s
organisational data of any type, must adhere to Company-defined processes for doing so.
 APPLICABILITY

This Policy applies to all end users, employees, including full and part-time staff, contractors,
freelancers, and other agents (collectively referred to as “end users”) who intend to use their owned
Devices to access, store, back up, or relocate any Company’s or client’s-specific data. Such access of
confidential data is a privilege, not a right, and forms the basis of the trust where Company has built
with its Learners, Educators, Other customers, Consultants and Vendors, and other constituents.
Consequently, engagement by Company does not automatically guarantee the initial or ongoing ability
to use these Devices to gain access to Company’s networks and information.

This Policy addresses a range of threats to Company’s data, or related to its use:
Threat Description

Device Loss Devices used to transfer or transport work files could be lost or stolen.

Data Theft
Sensitive Company’s data is deliberately stolen and sold by an end user to
unsanctioned third party.

Malware
Viruses, Trojans, worms, spyware, and other threats could be introduced via
Devices.

Loss or theft of financial and/or personal and confidential data could expose the
Compliance Company to the risk of non-compliance with various identity theft and privacy
laws.

Addition of new hardware, software, and/or related components to provide additional Device
connectivity will be managed and decided by the Company at its sole discretion. Non-sanctioned use of
Devices to back up, store, and otherwise access any Company-related data is strictly forbidden.

This Policy is complementary to any previously implemented policies dealing specifically with data
access, data storage, data movement, and connectivity of Devices to any element of the enterprise
network.

RESPONSIBILITIES

The end users who are governed by this Policy must take responsibility for their own Device and how they
use it. They must:

i. Familiarise themselves with their Device and its security features so that they can ensure the safety
measures taken for Company’s information (as well as their own information).
 ii. Maintain the Device themselves ensuring it is regularly patched and upgraded.

iii. The Company shall not take any responsibility in resolving the issues in the Devices or any kind of
support which may be required by the end user in relation to the Devices.
iv. The end user must take all steps to:

a. Prevent theft and loss of data;

b. Keep information confidential where appropriate;

c. Maintain the integrity of data and information;

d. Take responsibility for any software they download onto their Device.

v. The end user must:

a. Set up passwords, passcodes, passkeys or biometric equivalents. These must be of

sufficient length and complexity for the particular type of Device;

b. Encrypt documents or Devices as necessary;

c. Where it is essential that information belonging to the Company is held on a Device it

should be deleted as soon as possible once it is no longer required. This includes
information contained within emails.

vi. Ensure that relevant information is copied back onto Company’s systems and manage any potential
data integrity issues with existing information;

vii. Report the loss of any Device immediately containing Company’s data (including email) to the IT
Help desk and/or your reporting manager.

viii. Be aware of any Data Protection issues and ensure personal data is handled appropriately;

ix. Report any security breach immediately to IT Helpdesk and/or your reporting manager.

x. Ensure that no Company information is left on any Device indefinitely. Particular care must be taken
if a Device is disposed of/sold/transferred to a third party.

xi. Ensure that no illegal activities are undertaken using the device and will not store or transmit illicit
materials on the device.

AFFECTED TECHNOLOGY

End users are expected to use multi-factor authentication and strong encryption measures or alternative
compensating controls to isolate and protect any organisational data accessed from or stored on the
device where appropriate when connected to non-organisational equipment. Failure to do so will result in
immediate suspension of all network access privileges so as to protect the Company’s infrastructure.
 REIMBURSEMENT & ALLOWANCE
The Company will not reimburse the Device cost to the end User or any percentage of the cost of the
Device. However, the Company will pay a monthly allowance of Rs. 2000/- (Rupees Two Thousand Only/)
towards the Device being used by the end users for Company’s work during the term of the contract or
employment, as applicable. The Company will not pay any extra charges to the end user for whatsoever
reasons. All Devices must be in accordance with the below mentioned minimum specification
• Processor - Intel Core i5-8265u 3.9GHz, 4 cores or Ryzen processor
• Memory – 8GB DDR4 SDRAM Non-ECC memory
• Storage - 1TB HDD, 5400RPM SATA Gen 3
• Operating System- windows10(any variant), Ubuntu.
• Make- Dell, Lenovo, HP, Asus, Acer.

POLICY AND APPROPRIATE USE

It is the responsibility of the end user who uses a personal Device to access business resources to ensure
that all security protocols normally used in the management of data on conventional storage
infrastructure are also applied here. It is imperative that any mobile device that is used to conduct
Company’s business be utilized appropriately, responsibly, and ethically. Failure to do so will result in
immediate termination of the end user or initiation of appropriate disciplinary actions against the end
user. Based on this requirement, the following rules must be observed:

ACCESS CONTROL
i. IT reserves the right to refuse, by physical and non-physical means, the ability to connect
Devices to Company and Company’s-connected infrastructure. IT will engage in such action if
such equipment is being used in a way that puts the Company’s systems, data, users, and clients
at risk.
ii. Prior to initial use on the Company’s network or related infrastructure, all Devices must be
approved by IT or should be in accordance with the minimum Device requirement as
mentioned in this Policy. The Company may maintain a list of approved technologies with
associated control requirements.
iii. End users who wish to connect such Devices with any other Company’s network infrastructure
to gain access to Company’s data must employ, for their Devices and related infrastructure,
security measures deemed necessary by the IT department. Company’s data is not to be stored
on or accessed from any hardware that fails to meet Company’s established enterprise IT
security standards that are communicated by the Company from time to time.
iv. All Devices attempting to connect to the Company’s network through the Internet may be
inspected using technology centrally managed by Company’s IT department. Devices that are
not in accordance with the minimum device requirements, are not in compliance with IT’s
security policies, or represent any threat to the Company’s network or data will not be allowed
 to connect. Smart mobile devices such as smartphones, tablets, and UMPCs will access the
Company’s network and data using mobile VPN software installed on the device by IT.

SECURITY
End users using the Devices and related software for network and data access will, without exception,
use secure data management procedures. All devices that are able to store data must be protected by
a strong password; a PIN is not sufficient. All data stored on the device must be encrypted using strong
encryption. End user agrees never to disclose their passwords to anyone, including family members, or
store passwords on Devices if business work is conducted from home.
i. All end users of the Devices must employ reasonable physical security measures. End users
are expected to secure all such Devices whether or not they are actually in use and/or being
carried. This includes, but is not limited to, passwords, encryption, and physical control of such
Devices whenever they contain enterprise data.
ii. Any non-business computers used to synchronise with these Devices will have installed up-to-
date anti-virus and anti-malware software deemed necessary by Company’s IT department.
iii. Passwords and other confidential data as defined by Company’s IT department are not to be
stored unencrypted on mobile devices.
iv. Any Device that is being used to store the Company’s data must adhere to the authentication
requirements of the Company's IT department. In addition, all hardware security
configurations must be in accordance with the communication made by the Company’s IT
department from time to time before any enterprise data-carrying device can be connected to
the Company’s network.
v. IT will manage security policies, network, application, and data access centrally using whatever
technology solutions it deems suitable. Any attempt to contravene or bypass that security
implementation will be deemed an intrusion attempt and will be dealt with in accordance with
Company’s overarching security policy.
vi. IT reserves the right, through policy enforcement and any other means it deems necessary, to
limit the ability of end users to transfer data to and from specific resources on the enterprise
network.
vii. Employees, contractors, and temporary staff will follow all enterprise-sanctioned data removal
procedures to permanently erase Company-specific data from such devices once its use is no
longer required.
viii. In the event of a lost or stolen Device, it is incumbent on the end user to report the incident to
IT or its reporting manager immediately. The Device will be remotely wiped of all data and
locked to prevent access by anyone other than IT, if possible. Appropriate steps will be taken
to ensure that Company data on or accessible from the device is secured - including remote
wiping of the Device where appropriate. The remote wipe will destroy all data on the Device,
whether it is related to company business or personal. The end user acknowledges the risk
 associated with the theft of the data from lost and stolen devices and agrees and consents to
the remote wiping of the data, including personal data and the end user agrees that it is the
responsibility of the end user to take additional precautions for personal such as backing up
email, contacts, personal data etc.

HELP & SUPPORT

i. End users to whom this Policy is applicable will not be eligible for support for device-specific
hardware or software from the Company's IT department. If the end user requires
maintenance, the end user is responsible for taking the Device to any third party.
ii. Employees, contractors, and temporary staff will make no modifications to the hardware or
software that change the nature of the Device in a significant way (e.g. replacing or overriding
the operating system or "jail-breaking") without the express approval of the Company's IT
department.

ORGANISATIONAL PROTOCOL
i. IT can and will establish audit trails, which will be accessed, published, and used without notice.
Such trails will be able to track the attachment of an external device to the organisational network,
and the resulting reports may be used for investigation of possible breaches and/or misuse. The
end user agrees to and accepts that his or her access and/or connection to Company’s networks
may be monitored to record dates, times, duration of access, etc., in order to identify unusual
usage patterns or other suspicious activity. The end user hereby agrees and grants consent to the
Company to access all the personal devices of the end user which are used to connect to
organisational network and store any organisational data or use related to organisation. The end
user consents that there is no right to privacy related to use of organizational networks, resources,
or data. This monitoring is necessary in order to identify accounts/computers that may have been
compromised by external parties.
ii. The end user agrees to immediately report to his/her manager and Company’s IT department any
incident or suspected incidents of unauthorized data access, data loss, and/or disclosure of
company resources, databases, networks, etc.
iii. While a Device end user will not be granted access to Company’s resources without accepting the
terms and conditions of this Policy, by signing this Policy, end users acknowledge that they fully
understand the risks and responsibilities of this Policy.
iv. Any questions relating to this Policy should be directed to the IT department or your reporting
manager.
 POLICY NON-COMPLIANCE
Failure to comply with this Policy may, at the full discretion of the organisation, result in the suspension of
any or all technology use and connectivity privileges, disciplinary action, possible termination of
employment or contract of the end user, as well as possible criminal charges.

LIABILITY

The end users are solely responsible for the care and use of Devices they choose to bring to the
Company. The end user bringing these Devices to Company do so at their own risk. The Company and
Company personnel shall not be liable for the loss, damage, misuse, or theft of any Device-owned by
the end user. The Company and the Company personnel shall not be responsible for any negative
consequences to the Devices caused by running specific software or by accessing the third-party
network.

AMENDMENTS

The Company reserves the rights to change/ amend / add /delete/ modify this Policy in whole or in part,
at any time without assigning any reason whatsoever. The end user acknowledges that they will not be
personally advised of any such change/ amendment / addition /deletion/ modification. The end users
are advised to check for any such change/ amendment / addition /deletion/ modification regularly. The
end users hereby unconditionally agree to all such changes / amendments / additions / deletions /
modifications.