Internal Policy

Information Technology

Venus Barter Private Limited (V MONEY)

1. Preamble / Objective

Venus Barter Private Limited ("the Company") is committed to robust, secure, and efficient use of Information Technology (IT) to support its digital lending operations through the VMoney platform. This IT Policy is formulated in compliance with RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023–2024), Scale Based Regulation Directions, and other applicable guidelines.

The Policy aims to:

  • Ensure IT governance aligned with business objectives
  • Protect customer data, systems, and operations from cyber threats
  • Manage IT risks effectively
  • Maintain business continuity and operational resilience
  • Comply with regulatory requirements for digital lending NBFCs

2. Scope

  • All IT systems, applications (including VMoney app/website), infrastructure, data, and networks
  • Employees, contractors, vendors, and third parties accessing Company IT resources
  • All phases: acquisition, development, operations, maintenance, and disposal

3. IT Governance & Organizational Structure

  • Board Oversight: The Board of Directors shall approve this Policy, review it annually, and oversee IT strategy, risks, and major incidents.
  • IT Strategy Committee (if applicable): Chaired by a Director to review IT plans and initiatives.
  • Chief Information Officer (CIO) / IT Head: Responsible for IT operations and implementation.
  • Chief Information Security Officer (CISO): Responsible for cybersecurity.
  • Roles & Responsibilities: Defined through a RACI matrix.

4. IT Risk Management & Controls

The Company conducts periodic IT risk assessments and implements controls based on risk levels, including:

  • Access Controls: Role-based access, MFA
  • Network Security: Firewalls, IDS/IPS, VPN
  • Data Protection: Encryption, masking
  • Application Security: Secure SDLC, scans
  • Endpoint Security: Anti-malware, EDR
  • Patch management and continuous monitoring

5. Information Security & Cybersecurity

  • Board-approved Cyber Security Policy
  • Regular VAPT exercises
  • Incident Response and Cyber Crisis Plan
  • Reporting of incidents to RBI
  • Employee cybersecurity awareness training
  • Third-party risk management

6. Business Continuity & Disaster Recovery (BCP-DR)

  • Annual BCP-DR testing
  • Defined RTO & RPO for critical systems
  • Regular backups with offsite/cloud storage
  • Alternate disaster recovery site

7. IT Outsourcing & Third-Party Management

  • Compliance with RBI outsourcing guidelines
  • Board approval for material outsourcing
  • No outsourcing of core functions without approval
  • Data residency in India

8. IT Operations & Change Management

  • Formal change and release management
  • Immutable audit trails
  • Internal and external audits

9. Compliance & Assurance

  • Annual independent IS audit
  • Compliance with DPDP Act, IT Act, RBI guidelines
  • Reporting of findings to Board/RBI

10. Review & Approval

  • Reviewed annually or on regulatory changes
  • Approved by the Board of Directors
  • Deviations require documented approval