Data Privacy and Protection Policy
Applicable Entities
- CeylonCash PVT LTD
1. Policy Overview
This Data Privacy & Protection Policy outlines the principles, controls, and procedures implemented by CeylonCash, CeyLabs, and CeyPay to safeguard personal data, operational information, and sensitive business records.
The purpose of this policy is to:
- Protect customer and operational data
- Ensure responsible handling of information
- Maintain confidentiality, integrity, and availability of data
- Support operational security and compliance requirements
- Define organizational data protection responsibilities
- Reduce risks related to unauthorized access, disclosure, alteration, or loss of data
2. Scope
This policy applies to:
| # | Area | Coverage |
|---|---|---|
| 1 | Customer Data | Personal and operational user information |
| 2 | Operational Data | Internal operational and administrative records |
| 3 | Infrastructure Data | Logs, configurations, and infrastructure records |
3. Data Protection Objectives
Primary objectives include:
- Protect sensitive and confidential information
- Prevent unauthorized access or disclosure
- Ensure secure storage and transmission of data
- Maintain operational integrity and availability
- Support incident response and recovery capabilities
- Maintain appropriate retention and disposal practices
4. Data Classification
Data may be classified into the following categories:
| # | Classification | Description |
|---|---|---|
| 1 | Public | Non-sensitive publicly available information |
| 2 | Internal | Internal operational information |
| 3 | Confidential | Sensitive business or customer information |
| 4 | Restricted | Highly sensitive operational or personal data |
5. Types of Data Processed
Data processed may include:
- Customer identification information
- Operational account information
- Payment and transaction records
- Communication records
- Infrastructure and security logs
- API and integration records
- Internal operational documentation
6. Data Collection Principles
Data collection activities are guided by the following principles:
- Data minimization
- Operational necessity
- Purpose limitation
- Secure processing practices
- Controlled access and usage
Only data reasonably required for operational, security, compliance, or service delivery purposes is collected and processed.
7. Data Storage & Protection Controls
Storage Security Measures
Implemented controls include:
| # | Security Control | Description |
|---|---|---|
| 1 | Encryption | Data encrypted in transit and at rest |
| 2 | Access Controls | Role-based access management |
| 3 | MFA Enforcement | Multi-factor authentication protections |
| 4 | Logging & Monitoring | Access and activity tracking |
Infrastructure Protections
Data is stored within managed cloud infrastructure environments designed to support:
- Secure storage
- Availability and redundancy
- Controlled access
- Disaster recovery readiness
- Infrastructure monitoring
8. Access Management
Access Control Principles
Access to sensitive data is restricted according to:
- Principle of least privilege
- Role-based access control (RBAC)
- Need-to-know operational requirements
- Administrative approval procedures
Administrative Controls
Administrative access includes:
- MFA enforcement
- Credential management controls
- Access logging and auditing
- Periodic access reviews
- Secure credential rotation practices
9. Data Transmission Security
Data transmitted between systems and services is protected through:
- TLS-encrypted communications
- Secure API authentication mechanisms
- Encrypted administrative access channels
- Controlled third-party integrations
10. Backup & Recovery Protection
Backup Security
Backups are protected through:
- Encryption at rest and in transit
- Restricted administrative access
- Segregated backup environments
- Backup integrity validation
- Controlled restoration procedures
Recovery Objectives
| # | Recovery Metric | Target |
|---|---|---|
| 1 | Recovery Time Objective (RTO) | 2 to 6 Hours |
| 2 | Recovery Point Objective (RPO) | Less than 1 Hour |
11. Data Retention & Disposal
Retention Principles
Data is retained based on:
- Operational requirements
- Security considerations
- Compliance obligations
- Business continuity requirements
Disposal Procedures
When data is no longer required, it may be:
- Securely deleted
- Archived according to retention policies
- Removed from active operational systems
- Processed using secure disposal methods
12. Incident Response & Data Breach Management
Security Incident Handling
Potential security incidents involving data exposure are managed through:
- Incident detection and monitoring
- Internal escalation procedures
- Containment and mitigation actions
- Investigation and root cause analysis
- Recovery and remediation measures
Data Breach Response Objectives
Objectives include:
- Rapid containment of exposure
- Protection of affected systems
- Restoration of operational integrity
- Preservation of audit and investigation records
13. Third-Party Data Protection
Third-party service providers may include:
- Cloud infrastructure providers
- Payment and integration partners
- Monitoring and communication platforms
Third-party providers are expected to maintain reasonable security and operational safeguards.
14. Monitoring & Audit Controls
Monitoring controls may include:
- Access logging
- Infrastructure monitoring
- Security event monitoring
- Authentication monitoring
- Operational activity tracking
Audit logs are maintained to support security investigations and operational governance.
15. Employee & Contractor Responsibilities
Personnel with access to operational systems and sensitive data are expected to:
- Follow security and privacy procedures
- Protect credentials and access mechanisms
- Report suspicious activity promptly
- Maintain confidentiality obligations
- Use operational systems responsibly
16. Training & Awareness
Where applicable, personnel may receive guidance on:
- Security awareness
- Data handling procedures
- Incident reporting processes
- Access management responsibilities
- Operational security practices
17. Business Continuity & Recovery Integration
This policy integrates with:
- Business Continuity Planning (BCP)
- Disaster Recovery Procedures
- Incident Response Workflows
- Infrastructure & Backup Controls
- Operational Escalation Procedures
18. Continuous Improvement
Data protection controls and operational safeguards are reviewed:
- Annually
- Following major incidents
- After operational changes
- Following security assessments
- After recovery or testing exercises
Operational improvements are incorporated into updated procedures and controls.
19. Compliance Statement
CeylonCash, CeyLabs, and CeyPay are committed to maintaining responsible data privacy and protection practices designed to safeguard operational, customer, and infrastructure information.
The organizations continuously improve security controls, operational safeguards, and data protection procedures in alignment with evolving operational and compliance expectations.
