Information Security Policy

Version 1.0, Effective Date: 1/July/2025

This Information Security Policy is entered into by and between MOBIUS SOLUTIONS PRIVATE LIMITED ("Provider") and Client and forms part of the Master Services Agreement. It outlines the practices and procedures adopted by Service Provider to safeguard the confidentiality, integrity, and availability of data processed through its HR and Payroll SaaS platform.

1. Encryption Standards

        All sensitive data (PII) is encrypted at rest using AES-256 encryption.

        Communication between the user's machine and EazeWork servers is encrypted using 256-bit SSL encryption provided by a Comodo PositiveSSL wildcard certificate.

        Encryption keys are managed securely using an industry-standard key management system (KMS) with role-based access and auditing.

        Critical reference IDs, system paths and system objects are masked in the web application and web services to prevent misuse.

2. Access Control Protocols

        Each company is mapped to a unique URL, and every user has a username. Login succeeds only when the combination of company URL, username and password matches.

        Role-based access control (RBAC) is enforced across all systems and applications.

        The option to assign roles to and remove roles from an End User rests with the Client Application Administrator. An audit trail of critical activities performed by the End User is maintained to ensure traceability.

        The option to deactivate User accounts is available to the Client's Application Administrator.

3. Password Policy

        Two-factor authentication is supported for user logins.

        User passwords will have to be eight characters with the following attributes: minimum 6 characters, 1 number, 1 special character.

        Passwords will have a 45-day expiry period by default; the expiry period can be reduced by the Client Application Administrator. Passwords are encrypted and stored, which means that they cannot be recovered, only reset. Provider uses 128-bit encryption for password protection.

4. System Logs

        When a form moves through a workflow, the status changes are stored in the form. Through this, the usage logs are available at a process level.

        Session logs are kept for a period of 30 days.

5. Incident Response Process

        A documented Incident Response Plan is in place and reviewed annually.

        All employees are trained to identify and report security incidents through defined communication channels.

        Security incidents are classified by severity, and initial response is initiated within 1 hour for critical incidents.

        Post-incident reviews and root cause analyses are conducted to improve the response process and system resilience.

6. Third-Party Audits and Compliance

        EazeWork is ISO 27001:2022 certified.

        All vendors and sub-processors undergo a due diligence review and must meet equivalent security and compliance standards.

 

