See How We Secure Your Data - TFTUS

Protecting data is a fundamental responsibility embedded into how we design, develop, test, deploy, and support technology solutions. As a global technology services provider operating across multiple jurisdictions, we recognize the critical importance of data security, privacy protection, and regulatory compliance.

1. Our Security & Trust Philosophy

We follow a security-by-design and privacy-by-default approach across all services. Security is not a one-time activity but a continuous lifecycle process integrated into our technical, organizational, and governance frameworks.

Our approach is guided by:

  • Confidentiality, integrity, and availability of data
  • Risk-based security controls aligned with industry best practices
  • Compliance with applicable global laws and standards
  • Transparency and accountability toward clients

2. Data Protection & Privacy Principles

We process personal data and client data strictly in accordance with documented client instructions, contractual obligations, and applicable laws and regulations. Data is handled only for clearly defined and legitimate purposes directly related to the services we provide, ensuring confidentiality, integrity, and responsible use at all times.

a) Lawful, Fair, and Transparent Processing

Personal data is processed only where a valid legal basis exists under applicable data protection laws, such as contractual necessity or consent. Processing activities are limited to agreed service scopes, and transparency is maintained throughout the data lifecycle.

b) Purpose Limitation and Data Minimization

We collect and process only the minimum data necessary to fulfill service requirements. Data is not reused, repurposed, or processed for unrelated or unauthorized purposes. Where appropriate, data is anonymized or pseudonymized to reduce risk.

c) Accuracy and Controlled Retention

Reasonable steps are taken to ensure data remains accurate and up to date. Data is retained only for as long as necessary to meet contractual, operational, or legal obligations and is securely deleted or returned in accordance with agreed retention schedules.

d) Security, Confidentiality, and Accountability

Appropriate technical and organizational safeguards protect data against unauthorized access, loss, or disclosure. Access is restricted to authorized personnel on a need-to-know basis, supported by confidentiality obligations and continuous monitoring.

We do not sell, monetize, or misuse personal data under any circumstances.

For more details on how we collect, use, and protect personal information, please review our Privacy Policy:
https://www.tftus.com/privacy-policy

3. Global Regulatory & Legal Compliance

We operate in a global delivery environment and support clients across multiple jurisdictions. As a result, our security and data governance practices are designed to align with internationally recognized privacy, data protection, and technology governance laws, depending on the nature of services provided, client location, and categories of data processed.

Our compliance posture is risk-based and contextual, meaning controls are applied proportionately based on regulatory exposure, sensitivity of data, and contractual obligations. We continuously monitor legal and regulatory developments to ensure our practices remain aligned with evolving requirements.

Key elements of our compliance approach include:

  • a) Mapping legal requirements to operational and technical controls
  • b) Implementing safeguards that support multiple regulations simultaneously
  • c) Ensuring contractual clarity around data processing responsibilities
  • d) Supporting client compliance obligations through secure service delivery

Where applicable, we align our practices with laws such as GDPR (EU/UK), the Digital Personal Data Protection Act, 2023 (India), CCPA/CPRA (California), Israel’s Protection of Privacy Law, Mexico’s LFPDPPP, and the EU Artificial Intelligence Act. This multi-jurisdictional alignment enables us to support enterprise clients operating across borders while maintaining consistent data protection standards.

4. How We Align with Global Regulations

| Law / Regulation | Jurisdiction | Scope | Key Measures Implemented |
|---|---|---|---|
| GDPR | EU & UK | Personal data protection | Lawful processing, encryption, RBAC, incident response, confidentiality safeguards, support for data subject rights |
| DPDP Act, 2023 | India | Digital personal data | Consent-based processing, purpose limitation, reasonable security safeguards, controlled retention |
| CCPA / CPRA | California, USA | Consumer privacy rights | Contractual data-use limits, security safeguards, assistance with access, deletion, correction |
| Protection of Privacy Law, 1981 | Israel | Data protection & database security | Administrative, technical, and physical safeguards, access controls, confidentiality |
| LFPDPPP | Mexico | Personal data processing | Purpose limitation, proportionality, consent where applicable, security controls |
| EU AI Act | European Union | AI governance | Risk-based AI controls, data quality, bias mitigation, transparency, human oversight |

5. Security Controls & Safeguards

| Security Domain | Controls Implemented |
|---|---|
| Encryption | TLS/HTTPS for data in transit, encryption at rest based on sensitivity |
| Access Management | RBAC, least privilege, MFA where applicable, access reviews |
| Infrastructure Security | Network segmentation, firewalls, monitoring, logging |
| Secure Development | Secure coding standards, peer reviews, vulnerability testing |
| QA & Testing | Functional, non-functional, security, compliance testing |
| Incident Response | Detection, escalation, remediation, notification procedures |
| Business Continuity | Backup, recovery, continuity planning |
| Vendor Risk | Due diligence, contractual safeguards, restricted access |
| Employee Security | Confidentiality obligations, awareness training |

6. Aligned with ISO/IEC 27001 & ISO/IEC 9001 principles

| ISO Control Domain | Control Objective | How We Implement and Maintain Alignment |
|---|---|---|
| Information Security Policies | Establish management direction and commitment to security | Documented information security and privacy policies define expectations, responsibilities, and governance across services |
| Organization of Information Security | Assign responsibility and accountability | Clear allocation of security, privacy, and compliance responsibilities across operational and management functions |
| Asset Management | Protect information assets throughout their lifecycle | Data classification, controlled access, and handling procedures aligned with sensitivity and contractual obligations |
| Human Resource Security | Reduce risk of human error or misuse | Confidentiality obligations, background checks where applicable, and mandatory security awareness programs |
| Access Control | Prevent unauthorized access to systems and data | Role-based access control, least-privilege principles, authentication safeguards, and periodic access reviews |
| Cryptography | Protect data confidentiality and integrity | Encryption for data in transit (TLS/HTTPS) and encryption at rest based on sensitivity and contractual requirements |
| Physical & Environmental Security | Prevent physical access, damage, or interference | Controlled access to offices and infrastructure, environmental safeguards, and secure equipment handling |
| Operations Security | Ensure secure system operations | Logging, monitoring, change management, vulnerability management, and system hardening practices |
| Communications Security | Protect information in networks | Secure network segmentation, firewall protections, and monitoring of network traffic |
| System Acquisition, Development & Maintenance | Embed security into systems | Secure SDLC practices, code reviews, security testing, and remediation of identified vulnerabilities |
| Supplier Relationships | Protect data handled by third parties | Vendor due diligence, contractual security obligations, and restricted third-party access |
| Information Security Incident Management | Respond effectively to incidents | Documented incident detection, response, escalation, remediation, and post-incident review processes |
| Business Continuity Management | Maintain availability during disruptions | Backup, recovery, redundancy, and continuity planning aligned with service criticality |
| Compliance | Avoid legal and contractual breaches | Ongoing monitoring of applicable laws, contractual compliance checks, and support for client regulatory obligations |

7. Secure Development & Testing Practices

Security is integrated throughout our software development and quality assurance lifecycle, from initial design and architecture through deployment and ongoing maintenance. We follow a structured approach to ensure that security risks are identified, assessed, and mitigated at each stage of delivery.

Our secure development and testing practices include:

  • a) Adoption of secure coding and design principles
  • b) Regular peer code reviews to identify logic flaws and vulnerabilities
  • c) Static and dynamic application security testing, where applicable
  • d) Integration of security testing within functional and non-functional QA cycles

In addition to traditional security testing, we also support:

  • a) Privacy-focused testing to identify data exposure risks
  • b) Accessibility and compliance-oriented testing for regulated environments
  • c) Performance and resilience testing to ensure system stability under stress

Security requirements are addressed early in the project lifecycle to reduce downstream risk and are revisited throughout development to ensure ongoing alignment with client and regulatory expectations.

8. AI, Automation & Data Governance

As part of our services, we may design, test, or implement solutions involving Artificial Intelligence (AI), machine learning, automation, and data-driven systems. We recognize that such technologies introduce unique legal, ethical, and security considerations.

Our AI and automation governance framework emphasizes:

  • a) Lawful and purpose-limited use of data
  • b) Human oversight of AI-assisted processes
  • c) Transparency and accountability in system behavior
  • d) Protection against bias, misuse, and unauthorized data exploitation

Client data is not used to train public or third-party AI models unless explicitly authorized in writing. Where AI systems are involved, we apply controls aligned with the principles of the EU Artificial Intelligence Act, including risk-based assessment, data quality considerations, and safeguards to ensure reliability and security of AI outputs.

We also ensure that AI and automation tools are deployed in a manner consistent with client policies, contractual obligations, and applicable laws, supporting responsible and ethical technology use.

9. Incident Response & Business Continuity

a) Incident Response

  • a) Continuous monitoring to detect potential security events
  • b) Defined escalation and response procedures
  • c) Containment and remediation actions to limit impact
  • d) Root-cause analysis and corrective measures

Where required by law or contract, we support timely client notification and cooperation during incident investigations. Lessons learned from incidents are used to strengthen controls and improve future response readiness.

b) Business Continuity & Resilience

  • a) Backup and recovery mechanisms aligned with project criticality
  • b) Redundancy and failover strategies where applicable
  • c) Periodic review of continuity and recovery plans

These measures help minimize disruption and support ongoing service availability in the event of system failures or external disruptions.

10. Transparency & Client Assurance

We believe that trust is reinforced through transparency, accountability, and open communication. Our approach to client assurance is designed to support enterprise governance, procurement due diligence, and regulatory scrutiny.

We provide:

  • a) Clear documentation of security and data protection practices
  • b) Support for client security questionnaires and compliance assessments
  • c) Cooperation with audits and reviews where contractually agreed
  • d) Ongoing dialogue to address evolving regulatory or risk requirements

We continuously evaluate and enhance our security and compliance posture to reflect changes in technology, law, and industry best practices, ensuring that our clients can rely on us as a secure and responsible technology partner.

11. Contact – Security & Compliance

For questions about how we secure your data or our compliance practices, please contact:

[email protected] | [email protected]
https://www.tftus.com

Important Notice

Applicability of specific laws and controls may vary depending on the nature of services, client location, and data processed. We support compliance obligations as contractually agreed with our clients.

Frequently Asked Questions (FAQs)

1. Do you comply with global data protection and privacy laws?
Yes. We align our security and data governance practices with multiple global data protection and AI governance laws, including GDPR (EU/UK), India’s Digital Personal Data Protection Act, CCPA/CPRA (California), Israel’s Protection of Privacy Law, Mexico’s LFPDPPP, and the EU Artificial Intelligence Act, depending on the nature of services, client location, and data processed.

2. How do you protect and encrypt client data?
Client data is protected using appropriate technical and organizational safeguards. Data is encrypted in transit using secure communication protocols and encrypted at rest based on sensitivity and contractual requirements. Access to data is restricted through role-based access controls, least-privilege principles, and authentication safeguards.

3. Do you sell, share, or use client data for AI training or commercial purposes?
No. We do not sell, trade, monetize, or misuse personal or client data. Client data is not used to train public or third-party AI models unless explicitly authorized in writing. Data is processed solely to deliver agreed services in accordance with contractual and legal obligations.

4. How do you handle security incidents and service disruptions?
We maintain defined incident detection, response, escalation, remediation, and notification procedures. Where required by law or contract, we support timely client communication. We also implement backup, recovery, and business continuity measures to minimize operational impact.

5. Can clients request security, compliance, or audit-related information?
Yes. We support reasonable client requests for security documentation, compliance questionnaires, and assessments as contractually agreed. Where applicable, we also cooperate with audits and due-diligence reviews relevant to the services provided.
