Security posture — for the data you trust us with.
Procurement DDQs ask about it; this page answers it. How Maxicom India protects customer data during the engagement — physical, logical, contractual. Asset-list contents, site-access details, photo evidence, certificate records — every layer of customer data we touch and what discipline we apply to each. DPDPA 2023-aligned by design, RBI IT-Risk-aware for regulated-sector engagements.
From form submission to first quote.
When you submit an asset list through /sell-to-us/, /service-request/ or /buy-from-us/, the data travels over TLS 1.3 to our form-processing endpoint, lands in a queue restricted to the quotes team, and stays India-side until you become a customer.
- In-transit · TLS 1.3 with HSTS preload. No unencrypted form posts permitted.
- At-rest queue · AES-256-GCM encryption. Quote team access only — RBAC enforced.
- Backup · Daily encrypted snapshot, 30-day rolling retention.
- Cross-border · None by default. Sister-entity (UAE / India) access requires the customer's explicit consent.
- Auto-purge · Non-converting enquiries auto-purged at 24 months from last contact.
Once you've signed a Statement of Work.
- NDA executed before scope discussion — bidirectional, no exceptions on regulated-sector or M&A engagements.
- Asset-list contents stored encrypted; access restricted to the named project team.
- Site-access details (codes, badges, contacts) held only as long as needed for the pickup window — typically 14 days.
- Photo evidence (pickup, transit, arrival, destruction) tagged with serials and stored against the engagement record.
- Per-job Certificate of Destruction generated once and held for 7 years (audit-defence window).
- Engagement-related email archived 7 years per India tax / accounting retention.
When we use a partner, we don't drop the chain.
Some Maxicom engagements involve sub-contractors — the secure-transport operator who runs the locked-truck uplift, the destruction operator (when the work is at an outsourced facility rather than ours), the accredited e-waste recycler at the end of the chain. Every sub-contractor we engage signs a written Data Processing Agreement that mirrors our own DPDPA 2023 obligations, restricts further sub-processing, and requires breach notification within 24 hours of confirmation.
Sub-contractor staff handling your data complete a confidentiality undertaking and are bound by the same need-to-know access discipline we apply internally.
The humans who actually touch your kit.
Background-checked, two-operator-with-witness destruction workflow, photo-evidenced sign-offs, no-lone-operator policy on DPDPA 2023-sensitive jobs. The chain of custody isn't a slogan; it's a workflow with an audit trail at each handover.
- Background checks · Pre-engagement criminal-record review for any operator handling regulated-sector kit.
- Two-operator + witness · Required for all data destruction. Three signatures on every Certificate.
- Site-discipline training · Refreshed annually — covers DPDPA 2023, NDA, photo-evidence handling, social-engineering scenarios.
- No lone uplift · Two-person pickup on regulated-sector jobs, even where the customer's site SOP doesn't require it.
- Asset-list discipline · No printed asset lists. Digital-only, expires at engagement close.
If something goes wrong.
We have a written incident-response plan covering: detection (operator report, audit-trail anomaly, customer notification, third-party alert), containment (immediate quarantine of affected media or accounts), assessment (impact scope, data-classification, regulatory threshold), notification (customer first, Data Protection Board of India and MAS where applicable, within 72 hours of confirmation per DPDPA 2023 Part VIA), remediation (containment, technical fix, evidence preservation), and review.
We test the plan annually. We have not had a notifiable breach to date. Should one occur, you will hear from us before you hear from anyone else.
What customers typically ask — answered up front.
- Yes, we have a Data Protection Officer reachable at dpo@maxicomglobal.com.
- Yes, we maintain professional-indemnity, public-liability and transit insurance — certificates available on DDQ request.
- Yes, sub-contractors sign DPAs that bind them to our standards.
- Yes, we accept right-to-audit clauses in Statements of Work.
- Yes, we provide per-engagement evidence packs ready to slot into DPDPA 2023 / RBI IT-Risk Management framework evidence cycles.
- No, we do not sell or share customer data for marketing.
- No, we do not move asset-list data offshore by default.
- No, we do not use customer names / logos in marketing without written permission.
Maxicom India — frequently asked
Are you externally audited for information-security?
We operate to established information-security frameworks but do not currently hold a public external information-security-management-system attestation. We provide engagement-specific control attestations on DDQ request that map to your customer's audit framework.
Can we audit your destruction facility?
Yes. Right-to-audit clauses are standard in our Statements of Work. We accept on-site audit visits, third-party auditor visits, and remote evidence-pack reviews.
Do you carry insurance?
Professional indemnity, public liability, and transit insurance, all INR-denominated. Certificates issued on DDQ request.