
ISMS Policy Statement

Our commitment to information security excellence


ISO 27001:2022 Certified

Certified by DNV — Certificate of Conformity

Last updated: March 2026

1. Policy Statement

CodeMax IT Solutions Pvt Ltd ("CodeMax", "Company", "we", "us", or "our") is committed to protecting the confidentiality, integrity, and availability of all information assets entrusted to us by our clients, partners, employees, and stakeholders. Information security is fundamental to our business operations, client trust, and regulatory compliance.

Our Information Security Management System (ISMS) has been designed, implemented, and is continually maintained in accordance with the requirements of ISO/IEC 27001:2022. This policy establishes the framework, objectives, and commitments that govern our approach to information security across all business functions, products, and services.

This ISMS Policy is approved by senior management and is binding on all employees, contractors, consultants, and third parties who access CodeMax information assets.

2. Scope

The ISMS applies to all information assets, business processes, systems, infrastructure, and personnel involved in the design, development, delivery, maintenance, and support of CodeMax's products and services. Specifically, the scope encompasses:

2.1 Products

  • Astra — Core banking platform (account management, payment processing, FX operations, mobile banking)
  • Prisma — Banking CRM and digital onboarding platform (KYC/KYB, compliance workflows, case management)
  • Orion — Real-time AML transaction monitoring and sanctions screening engine
  • Nova — AI-powered compliance intelligence platform
  • Constellation — Integrated product suite combining Astra, Prisma, Orion, and Nova

2.2 Professional Services

  • SIEM & Security Monitoring
  • Cybersecurity services (penetration testing, security audits, vulnerability assessments)
  • Virtual Executive services (vCISO, vCTO)
  • RegTech Consulting
  • Open Banking & PSD2 advisory
  • Training & capacity building
  • Managed Cloud services (PCI-DSS compliant hosting)
  • Quality Assurance & Testing
  • Data Analytics
  • Digital Identity & eKYC solutions

2.3 Infrastructure & Data

  • Internal IT infrastructure, networks, servers, endpoints, and support systems
  • Cloud infrastructure (hosted in India and EU data centres)
  • Development, staging, and production environments
  • Client data, including personal data, financial transaction data, KYC/KYB records, AML screening data, and compliance documentation
  • Corporate data, including employee records, financial records, and intellectual property
  • Cookie and tracking data consent management systems

3. Information Security Objectives

CodeMax is committed to achieving the following information security objectives:

  • Protect all information assets against unauthorised access, disclosure, modification, destruction, or interference.
  • Ensure the availability and resilience of critical business systems and services.
  • Maintain the confidentiality of client data, particularly sensitive financial and personal data processed through our products.
  • Preserve the integrity of data processed by our transaction monitoring, KYC/KYB, and AML screening systems.
  • Comply with all applicable legal, regulatory, and contractual obligations related to information security and data protection.
  • Establish, review, and achieve measurable information security objectives aligned with our business strategy.
  • Foster a culture of security awareness among all employees, contractors, and stakeholders.
  • Continuously improve the effectiveness of the ISMS through regular monitoring, measurement, analysis, and evaluation.

4. Risk Management

CodeMax adopts a systematic, risk-based approach to information security in accordance with ISO 27001:2022 Clause 6.1. Our risk management framework includes:

  • Risk identification: Systematic identification of information security risks to our assets, processes, and services through threat and vulnerability analysis.
  • Risk assessment: Evaluation of identified risks based on likelihood and impact to determine risk levels and prioritise treatment.
  • Risk treatment: Implementation of appropriate controls from ISO 27001:2022 Annex A and supplementary measures to mitigate, transfer, accept, or avoid identified risks.
  • Risk monitoring: Ongoing monitoring and review of residual risks, control effectiveness, and the threat landscape to ensure that risk treatment measures remain appropriate.
  • Risk register: Maintenance of a comprehensive risk register documenting all identified risks, their assessments, treatment plans, risk owners, and review dates.

Risk assessments are conducted at planned intervals and whenever significant changes to systems, processes, or the threat environment occur.

5. Access Control

Access to information assets is controlled based on the following principles:

  • Principle of least privilege: Users are granted the minimum level of access necessary to perform their duties.
  • Need-to-know basis: Access to sensitive information is restricted to personnel who have a legitimate business requirement.
  • Role-based access control (RBAC): Access rights are assigned based on job roles and responsibilities, with regular reviews to ensure accuracy.
  • Multi-factor authentication (MFA): MFA is enforced for access to critical systems, production environments, and administrative consoles.
  • Access reviews: User access rights are reviewed periodically and upon any change in employment status or role.
  • Privileged access management: Privileged accounts are subject to enhanced monitoring, logging, and periodic review.

6. Data Classification

All information assets are classified according to their sensitivity and criticality to ensure that appropriate protection measures are applied:

  • Confidential: Highly sensitive data including client financial data, personal data, KYC/KYB records, AML screening results, trade secrets, and proprietary source code. Unauthorised disclosure could cause significant harm to CodeMax or its clients.
  • Internal: Information intended for use within CodeMax only, including internal policies, procedures, project documentation, and employee records. Not intended for external distribution.
  • Public: Information approved for public dissemination, including marketing materials, website content, press releases, and published documentation.

Data classification determines the handling, storage, transmission, retention, and disposal requirements applicable to each category of information.

7. Incident Response

CodeMax maintains a documented information security incident response procedure to ensure the timely detection, reporting, assessment, and resolution of security incidents. Key elements include:

  • Detection & reporting: All employees and contractors are required to report suspected or actual security incidents immediately through defined channels.
  • Assessment & classification: Reported incidents are assessed for severity, impact, and scope. Incidents involving personal data breaches are classified separately for regulatory notification purposes.
  • Containment & eradication: Immediate actions are taken to contain the incident, prevent further damage, and eradicate the root cause.
  • Recovery: Affected systems and services are restored to normal operation with verified integrity.
  • Notification: Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Article 33), and we notify affected data subjects without undue delay where the breach is likely to result in a high risk to them (GDPR Article 34). Under the DPDPA 2023, we notify the Data Protection Board of India in the form and manner prescribed.
  • Post-incident review: All incidents are subject to a post-incident review to identify lessons learned and implement corrective actions to prevent recurrence.

8. Business Continuity

CodeMax maintains business continuity and disaster recovery plans to ensure the continued availability of critical services and the timely recovery of operations in the event of a disruption. Our business continuity framework includes:

  • Business impact analysis (BIA) to identify critical business functions and their recovery priorities.
  • Defined recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems.
  • Regular data backups with tested restoration procedures.
  • Geographic redundancy for critical infrastructure across India and EU data centres.
  • Regular testing and exercising of business continuity and disaster recovery plans.
  • Defined communication and escalation procedures for crisis management.

9. Regulatory & Legal Compliance

The ISMS is designed to ensure compliance with all applicable legal, regulatory, and contractual requirements related to information security and data protection. These include, but are not limited to:

  • ISO/IEC 27001:2022: The international standard for information security management systems, to which our ISMS is certified.
  • EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 governing the protection of personal data of EEA residents.
  • India's Digital Personal Data Protection Act, 2023 (DPDPA): The Indian legislation governing the processing of digital personal data.
  • PCI-DSS awareness: While CodeMax itself is not PCI-DSS certified, our Managed Cloud services are designed with PCI-DSS requirements in mind, and we support clients in achieving and maintaining their own PCI-DSS compliance.
  • Anti-Money Laundering (AML) regulations: Our Orion product is designed to support clients' compliance with applicable AML directives and regulations, including the EU Anti-Money Laundering Directives.
  • Information Technology Act, 2000 (India): Including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

For details on how we handle personal data, please refer to our Privacy Policy. For details on cookie and tracking data management, please refer to our Cookie Policy.

10. Third-Party Security

CodeMax recognises that third-party relationships introduce information security risks. We manage these risks through:

  • Due diligence: Security assessments of third-party vendors and service providers prior to engagement, evaluating their security posture, certifications, and data protection practices.
  • Contractual safeguards: Agreements with third parties include information security requirements, data protection obligations, incident notification requirements, and audit rights.
  • Ongoing monitoring: Regular review of third-party compliance with contractual security requirements and reassessment of their security posture.
  • Access restrictions: Third-party access to CodeMax systems and data is limited to what is strictly necessary and subject to the same access control principles applied to internal personnel.

11. Employee Security

All employees, contractors, and consultants are integral to the effectiveness of our ISMS. Our employee security programme includes:

  • Pre-employment screening: Background checks and reference verification for all employees, commensurate with the sensitivity of their role.
  • Security awareness training: Mandatory information security awareness training for all new employees upon joining and annual refresher training for all personnel. Training covers data protection, phishing awareness, incident reporting, acceptable use, and social engineering.
  • Acceptable use policies: Clear policies governing the acceptable use of information assets, devices, email, internet, and social media.
  • Confidentiality agreements: All employees and contractors sign confidentiality and non-disclosure agreements as a condition of access to CodeMax information assets.
  • Termination procedures: Defined procedures for revoking access, returning assets, and conducting exit interviews upon termination or role change.

12. Continuous Improvement

CodeMax is committed to the continual improvement of the ISMS in accordance with ISO 27001:2022 Clause 10. Our improvement process includes:

  • Internal audits: Regular internal audits of the ISMS conducted at planned intervals to assess conformity with ISO 27001:2022 requirements and our own policies and procedures.
  • Management reviews: Periodic management reviews to evaluate the suitability, adequacy, and effectiveness of the ISMS, including consideration of changes in internal and external issues, nonconformities, monitoring results, and improvement opportunities.
  • External audits by DNV: Annual surveillance audits and periodic recertification audits conducted by DNV to verify continued compliance with ISO 27001:2022.
  • Corrective actions: Documented corrective action procedures for addressing nonconformities, security incidents, audit findings, and identified improvement opportunities.
  • Performance metrics: Key performance indicators (KPIs) are established, monitored, and reported to measure the effectiveness of security controls and the ISMS overall.

13. Roles & Responsibilities

Information security is the responsibility of all individuals who access CodeMax information assets. Specific roles and responsibilities include:

  • Senior Management: Provides strategic direction, resources, and support for the ISMS. Ensures that information security objectives are aligned with business strategy and that the ISMS is integrated into organisational processes.
  • Information Security Officer: Responsible for the day-to-day management, implementation, and oversight of the ISMS. Coordinates risk assessments, audits, incident response, and compliance activities.
  • Data Protection Officer: Ensures compliance with GDPR, DPDPA, and other data protection regulations. Handles data subject rights requests and serves as the point of contact for supervisory authorities.
  • Department Heads / Team Leads: Responsible for ensuring that information security policies and procedures are implemented within their respective departments and teams.
  • All Employees & Contractors: Responsible for complying with the ISMS policies and procedures, completing required security training, and reporting security incidents and vulnerabilities promptly.

14. Certification

CodeMax IT Solutions Pvt Ltd's Information Security Management System is certified to ISO/IEC 27001:2022 by DNV (Det Norske Veritas), an internationally accredited certification body. The certification scope covers the design, development, delivery, and support of our fintech products and professional services.

Our certification is subject to annual surveillance audits and periodic recertification audits by DNV to verify ongoing compliance with the standard. The current certificate of conformity is available upon request.

15. Contact

For questions, concerns, or requests relating to this ISMS Policy, information security, or our ISO 27001:2022 certification, please contact us:

CodeMax IT Solutions Pvt Ltd
CIN: U72200GA2015PTC007728
GSTIN: 30AAGCC2045J1Z3
Office No A-201, 202, 2nd Floor, Asian Pinnacle,
Behind Bank of India, Fatorda, Goa 403602, India
Phone: +91 (832) 297 6020
Email: [email protected]
Website: cdmx.in