Data Storage and Security Policy

Last Updated: January 15, 2026

1. POLICY OVERVIEW AND APPLICABILITY

1.1 This Data Storage and Security Policy (“Policy”) sets out the framework, controls, and procedures governing data handling, storage, protection, and security practices adopted by Multicloud4U Private Limited (“Company”) a company incorporated under the laws of India, having its registered office at Floor 9 Tower A Spaze iTech Park Sohna Gurgaon Rd Sec 49 Gurugram Haryana 122018, Gurugram, Haryana, India (hereinafter referred to as the "Company," "we," "us," or "our") , which owns and operates the platform 5thIR.com (“Platform”).

1.2 This Policy applies to all personal data, sensitive personal data, and transactional information processed, collected, or handled by the Company in connection with its Software-as-a-Service (SaaS) offerings and associated services.

1.3 This Policy is designed to ensure strict compliance with the governing legal and regulatory frameworks in India, including but not limited to:

  • a. The Digital Personal Data Protection Act, 2023
  • b. The Information Technology Act, 2000, and the rules promulgated thereunder, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  • c. Regulatory directives and guidelines issued by the Reserve Bank of India (RBI) for online merchants, payment aggregators, and payment gateways
  • d. Principles aligned with the Payment Card Industry Data Security Standard (PCI-DSS) for handling payment-related information

2. MANDATORY DECLARATION: NO STORAGE OF PAYMENT CREDENTIALS

  • 2.1 The Company explicitly declares that it does not, under any circumstances, store, process, retain, cache, or have access to any user’s sensitive payment credentials. This includes, but is not limited to, debit/credit card numbers (in full or masked), card expiry dates, Card Verification Value (CVV), UPI PINs, banking passwords, or any other sensitive authentication data.
  • 2.2 All payment transactions initiated on the Platform are processed exclusively and entirely by RBI-authorised, PCI-DSS Level 1 compliant third-party payment gateways (e.g., PhonePe, Razorpay).
  • 2.3 The Company’s role is strictly limited to redirecting the user to the secure checkout page hosted and managed by the respective payment gateway. The Company does not control, operate, or maintain any part of the payment processing infrastructure. The security, integrity, and confidentiality of the payment transaction are the sole responsibility of the third-party payment gateway.

3. PAYMENT PROCESSING AND DATA FLOW ARCHITECTURE

  • 3.1 The payment processing mechanism is architected to ensure complete segregation of the Company’s systems from sensitive payment data flows.
  • 3.2 When a user initiates a payment, they are securely redirected from the Platform to the payment gateway's environment. All sensitive payment information is entered directly into the payment gateway's secure interface, which communicates directly with the relevant banking networks via encrypted channels.
  • 3.3 No sensitive authentication data or payment credentials traverse, are processed by, or are visible to the Company's servers or network infrastructure at any point during the transaction.
  • 3.4 Upon completion of a transaction (whether successful, failed, or pending), the payment gateway transmits a secure response to the Company’s servers. This response contains only limited, non-sensitive transactional metadata necessary for order fulfilment and record-keeping, such as: a. A unique transaction identifier; b. The transaction amount and currency; c. The final status of the transaction (e.g., success, failure); d. A merchant-specific reference ID; and e. The timestamp of the transaction.

We use cookies, web beacons, and similar tracking technologies to track the activity on our Services and store certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Services.

We may use third-party analytics tools such as web analytics providers to understand user engagement and improve services. These providers may use cookies or similar technologies in accordance with their own privacy policies.

Users may manage cookie preferences through browser settings. Continued use of the Services constitutes consent to such technologies as described herein.

Where required under applicable law, consent for non-essential cookies shall be obtained through appropriate user consent mechanisms.

5. DATA SECURITY CONTROLS AND TECHNICAL SAFEGUARDS

The Company implements robust, industry-standard security measures to protect all data within its control.

  • 5.1 Encryption in Transit: All data transmitted between the user's device and the Platform’s servers is encrypted using strong Transport Layer Security (TLS 1.2 or higher) protocols and industry-recognized cipher suites.
  • 5.2 Encryption at Rest: Personal data and other sensitive information stored on the Company's databases and servers are protected using strong encryption algorithms (e.g., AES-256 or equivalent), where applicable and technically feasible.
  • 5.3 Role-Based Access Control (RBAC): Access to internal systems and user data is strictly governed by the principle of least privilege. Employees are granted access only to the specific data and systems necessary to perform their designated job functions. Access rights are reviewed periodically and revoked immediately upon termination of employment or change in role.
  • 5.4 Secure Cloud Hosting: The Platform is hosted on secure cloud infrastructure provided by reputable, certified cloud service providers, which maintain high standards of physical and network security.
  • 5.5 Logging and Monitoring: The Company maintains detailed logs of system access, administrative actions, and critical events. These logs are monitored for suspicious or anomalous activity to enable timely detection of and response to potential security threats.
  • 5.6 Regular Security Assessments: The Company periodically engages in security assessments, including vulnerability scanning and penetration testing, to identify and remediate potential security weaknesses in its infrastructure and applications.
  • 5.7 Secure Development Practices: The Company follows secure software development lifecycle (SSDLC) practices, including code reviews, vulnerability management, patch management, and timely security updates to mitigate risks arising from software vulnerabilities.

6. DATA LOCALIZATION AND CROSS-BORDER TRANSFERS

  • 6.1 Primary Storage Location: All personal data collected from users in India is primarily stored and processed on servers and in data centers physically located within the territory of India.
  • 6.2 Cross-Border Transfers: The Company does not transfer personal data outside the territory of India, except where it may be necessary for the functioning of secure, redundant cloud infrastructure for temporary processing or disaster recovery. Any such temporary transfer is conducted with stringent safeguards, including end-to-end encryption and binding contractual clauses with service providers, ensuring a level of data protection compliant with Indian law. Any such processing shall be subject to contractual safeguards and internal data governance controls to ensure continued compliance with applicable Indian law.
  • 6.3 Backup Infrastructure: All data backups are stored in an encrypted state within secure, India-based data centers, ensuring compliance with data residency requirements.
  • 6.4 Third-Party Service Providers: The Company may engage trusted third-party service providers for cloud hosting, infrastructure support, analytics, monitoring, and security services. All such providers are bound by contractual confidentiality and data protection obligations consistent with applicable Indian law.
  • 6.5 Business Continuity: The Company maintains disaster recovery and business continuity measures designed to ensure resilience of critical systems and timely restoration of services in the event of system failure.
  • 6.6 No Financial Data Storage or Processing by the Company:
    • 6.6.1 The Company does not collect, store, process, transmit, retain, or have access to any financial information or sensitive payment credentials of users.
    • 6.6.2 All payment-related data, including but not limited to debit card numbers, credit card numbers, card expiry dates, CVV, UPI PINs, bank account credentials, net banking passwords, or any other sensitive authentication data, is entered directly by the user into the secure environment of the respective third-party payment gateway.
    • 6.6.3 The Company does not operate, manage, or control any payment processing infrastructure. All financial transactions are handled exclusively by RBI-authorised, PCI-DSS compliant payment gateways.
    • 6.6.4 The Company receives only limited, non-sensitive transaction confirmation details from the payment gateway, such as transaction ID, payment status, timestamp, and amount paid, strictly for order fulfilment, reconciliation, customer support, and regulatory compliance purposes.
    • 6.6.5 At no point does any financial credential traverse, reside within, or become accessible to the Company’s servers, databases, or internal systems. Users are subject to the respective terms, privacy policies, and security practices of the third-party payment gateways when completing transactions.
    • 6.6.6 The Platform does not provide financial services, lending, investment advice, payment aggregation, or banking services.
    • 6.6.7 The Platform provides AI-enabled assessment and recruitment support tools as a technology service; any fees charged, where applicable, are solely for access to assessment or platform features and do not constitute a job placement service or guarantee of employment.

7. DATA RETENTION AND DELETION

  • 7.1 Retention Policy: The Company retains personal data and transaction records only for as long as is necessary to fulfil legitimate business purposes or to comply with applicable legal, regulatory, taxation, and audit obligations. Transactional data is retained for periods mandated by Indian law for fraud prevention and financial auditing.
  • 7.2 Deletion from Active Systems: Upon receiving a lawful and verifiable request for data erasure, or when the retention period expires, the relevant data is permanently deleted from the Company's active production systems.
    • User-generated digital content will be retained for a period of up to 6 (six) months from the date of plan expiry (“Retention Period”).
    • If the user:
      • (a) Renews or re-purchases a subscription plan within the Retention Period, or
      • (b) Maintains an active account with continued platform activity,

      The Retention Period may be extended at the platform’s discretion.

  • 7.3 Deletion from Backup Systems: Following deletion from active systems, the corresponding data will be erased from backup archives in accordance with the applicable backup retention cycle. The Company does not guarantee immediate deletion from backup media due to technical constraints inherent in backup and disaster recovery protocols.
    • After expiry of the Retention Period:
      • (a) Content may be archived, anonymized, or permanently deleted in accordance with our internal data retention and backup policies.
      • (b) Archived data may not be immediately accessible to the user.
      • (c) Restoration of archived data, if technically feasible, may be subject to applicable charges and policy review.
    • The platform reserves the right to retain certain data beyond the Retention Period where required for:
      • (a) Legal, regulatory, or tax compliance
      • (b) Fraud prevention and dispute resolution
      • (c) Enforcement of contractual rights
    • Deletion requests submitted by users will be processed in accordance with applicable data protection laws and our Privacy Policy.
  • 7.4 Rights of Data Principals: Users may request access, correction, update, or deletion of their personal data, or withdraw consent for processing, by contacting [email protected] Requests shall be processed in accordance with the Digital Personal Data Protection Act, 2023.
  • 7.5 Application for deletion of your data: To delete your data from our systems you can email us at [email protected] with your registered email address.

8. FRAUD MONITORING AND ABUSE PREVENTION

  • 8.1 The Company employs a multi-layered approach to detect and prevent fraudulent activities and system abuse.
  • 8.2 Transaction Monitoring: The system analyzes transaction patterns in near real-time to identify anomalies, such as an unusual frequency or value of transactions, which may indicate fraudulent activity.
  • 8.3 Access and Activity Logging: All user login attempts, access to sensitive sections of the Platform, and significant account activities are logged with timestamps and IP addresses to create a verifiable audit trail.
  • 8.4 Automated Abuse Detection: The Platform incorporates automated mechanisms to detect and mitigate threats such as brute-force login attempts, account takeover attacks, and other forms of malicious behaviour.
  • 8.5 The Company actively monitors unusual access patterns and potential misuse of the Platform and reserves the right to suspend or terminate accounts suspected of engaging in fraudulent or unlawful activities.
  • 8.6 The Platform does not automatically access, scrape, extract, or upload contacts, call logs, messages, or device data without explicit user action and consent.

9. INCIDENT RESPONSE AND BREACH NOTIFICATION

  • 9.1 The Company has established an Incident Response Plan to effectively manage and contain any data security incidents.
  • 9.2 In the event of a data breach, the Company will initiate an internal investigation to determine the scope and impact of the incident.
  • 9.3 The Company will provide notifications to the relevant regulatory authorities (including the Data Protection Board of India and CERT-In) and affected users in accordance with the timelines and procedures stipulated under the Digital Personal Data Protection Act, 2023, and other applicable laws.
  • 9.4 The Company shall cooperate with lawful regulatory inquiries or audits concerning data security or payment processing compliance.

10. PROTECTION OF MINORS' DATA

10.1 The Platform and its services are intended for use by individuals who are eighteen (18) years of age or older.

10.2 The Company does not knowingly collect, process, or store personal data from individuals under the age of 18. If it comes to the Company's attention that personal data of a minor has been inadvertently collected, the Company will take immediate steps to delete such information from its records.

11. POLICY REVIEW AND AMENDMENTS

11.1 This Policy shall be reviewed at least annually, or more frequently in response to significant changes in the legal landscape, business operations, or technology environment.

11.2 The Company reserves the right to amend this Policy at any time. The updated Policy will be made available on the Platform.

12. GOVERNING LAW AND JURISDICTION

12.1 This Policy shall be governed by and construed in accordance with the laws of the Republic of India.

12.2 Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts in Gurugram, India.

13 CONSISTENCY WITH OTHER POLICIES

13.1 This Policy is to be read in conjunction with the Company’s Privacy Policy, Terms and Conditions, and Refund Policy. In the event of any conflict or inconsistency, the provisions of this Data Storage and Security Policy shall prevail with respect to matters of data security and payment processing.

14. GRIEVANCE REDRESSAL

You may submit your grievances or complaints by contacting our Grievance Officer, who is responsible for receiving, reviewing, and resolving complaints in a fair, transparent, and timely manner.

Grievance Officer Name: Ganesh Sharma
Email: [email protected]
Phone Number: +91 8448341325

A resolution will be provided within 48 hours from the receipt of the complaint.

15. MISCELLANEOUS

15.1 Severability: If any provision of these is held to be invalid or unenforceable, that provision will be enforced to the maximum extent permissible and the other provisions of these provision will remain in full force and effect.

15.2 Waiver: Our failure to enforce any right or provision of these provision will not be considered a waiver of those rights.

15.3 Amendments: The Company reserves the right to modify this Policy at any time to reflect changes in law, regulatory requirements, or business practices. By continuing to access or use our Platform after those revisions become effective, you agree to be bound by the revised terms.

16.CONTACT INFORMATION

Email: [email protected]
Phone Number: +91 89202 22218