Cyber Security Practices and Cyber Resilience

  1. The Service Agency shall treat all data and information provided by AOL, including but not limited to personal data, intellectual property, and confidential business information, as strictly confidential and shall not disclose, share, or use such data and information for any purpose other than the performance of its obligations under this Agreement. The Service Agency shall implement and maintain appropriate technical, physical, and organizational measures to protect the confidentiality, integrity, and availability of AOL's data and information, in accordance with industry best practices and applicable laws and regulations, including but not limited to relevant data protection laws/regulations. The Service Agency shall ensure that all personnel who have access to AOL's data and information are bound by appropriate confidentiality obligations and receive regular training on data protection and security practices, including preparedness for cybersecurity threats.

  2. The Service Agency shall implement and maintain an Information Security Management System (ISMS) that complies with industry-recognized standards, such as ISO 27001 or the NIST Cybersecurity Framework, as revised from time to time.
  3. The Service Agency shall regularly assess and mitigate risks to the security of AOL data and information. This includes, but is not limited to, risks arising from cyber threats (e.g., hacking, phishing), human error, natural disasters, malicious insiders, software vulnerabilities, and hardware failures. Such assessments shall be conducted at least annually and whenever there are significant changes to the Service Agency's information systems or operations.
  4. The Service Agency shall ensure that there is no co-mingling of the information/documents/records and assets of AOL and its customers with those of any other party. To that end, the Service Agency shall ensure that AOL's information/documents/records and assets are always segregated from those of any other party, and that strong safeguards are in place to ensure such segregation at all times.
  5. Both parties agree to comply with the relevant information and cyber security guidelines issued by the various regulatory bodies applicable to the receiving and disclosing party, including requirements with respect to retaining data within the Indian jurisdiction, and both parties shall ensure such compliance on an ongoing basis.
  6. The Service Agency shall provide all related forensic data, reports and event logs as required by the RE/SEBI/CERT-In or any other government agency.
  7. The Service Agency shall regularly assess and mitigate risks to the security of its own data and information, including but not limited to risks arising from cyber threats, human error, and natural disasters.

Security Incident Reporting and Response

  1. The Service Agency shall promptly report any actual or suspected Cyber Incidents, data breaches, or unauthorized access to AOL data or information systems to AOL within 4 hours of detection and provide regular updates on the investigation and remediation efforts.
  2. The Service Agency shall periodically conduct drills to test different recovery scenarios. Additionally, a data backup and recovery plan shall be documented to ensure that there is no data loss.
  3. The Service Agency shall implement and maintain appropriate security controls, including but not limited to access controls, network security, malware protection, secure configurations, and security monitoring and logging. Additionally, the Service Agency shall ensure that adequate controls are deployed to address virus/malware/ransomware attacks on servers and other IT systems. These controls may include host-, network- or application-based IPS, hardened (customized) Linux kernels, anti-virus and anti-malware software, etc. Anti-virus definition file updates and automatic anti-virus scanning shall be performed on a regular basis.
  4. The Service Agency shall comply with its own information security policies, procedures, and standards.
  5. The Service Agency will implement and maintain strict access controls, including but not limited to multifactor authentication, least privilege principles, and regular review of access rights including any remote access, to ensure that only authorized personnel have access to AOL data and information, on a need-to-know basis.
  6. The Service Agency will maintain detailed logs of all access to AOL data and information and make such logs available to AOL upon request for auditing, monitoring and investigation purposes.
  7. The Service Agency shall have plans for the timely restoration of systems affected by Cyber Incidents, attacks or breaches (for instance, offering alternate services or systems to AOL). The recovery tests shall be designed to challenge the assumptions of response, resumption and recovery practices, including governance arrangements and communication plans.
  8. The Service Agency is advised to ensure that all log sources are identified and that their respective logs are collected. An indicative list of the types of log data to be collected by the Service Agency is as follows: system logs, application logs, network logs, database logs, security logs, performance logs, audit trail logs, and event logs, only where applicable and as long as storage of such logs is as per Applicable Law. Further, a strong log retention policy shall be implemented as per Applicable Law and as required by CERT-In or any other government agency.
  9. Encryption and Secure Communications: The Service Agency shall use industry-standard secure encryption protocols and algorithms, which have no known open vulnerabilities, for transmitting and storing AOL data and information. Weaker versions of encryption protocols and algorithms shall not be used. The Service Agency shall implement secure communication channels, such as secure file transfer protocols (SFTP) or virtual private networks (VPNs), for the exchange of sensitive data and information with AOL. The Service Agency shall maintain and regularly update digital certificates, encryption keys, and other cryptographic materials used for securing communications and data.
  10. Vulnerability Management: The Service Agency shall implement a vulnerability management program that includes regular vulnerability scanning, risk assessment, and timely patching of identified vulnerabilities in the software, systems, and supporting infrastructure. The Service Agency shall maintain an up-to-date inventory of all software components, libraries, and dependencies used in the software, and monitor for and address any security vulnerabilities or updates in a timely manner. The Service Agency shall provide AOL with the reports on identified vulnerabilities, risk assessments, and remediation plans upon request.
  11. Physical Security: The Service Agency shall implement appropriate physical security measures to protect AOL's data and information from unauthorized access, theft, or damage. These measures shall include, but are not limited to, access controls, video surveillance, intrusion detection systems, and secure storage facilities. The Service Agency shall ensure that all physical documents, media, and equipment containing AOL's data and information are stored in secured areas with restricted access and appropriate environmental controls, such as temperature, humidity, and fire suppression. Additionally, the Service Agency shall maintain detailed logs of all physical access to areas where AOL's data and information are stored or processed. These logs shall be made available to AOL upon request for auditing and monitoring purposes.
  12. Personnel Security: The Service Agency shall conduct comprehensive background checks, including criminal record checks and employment verification, on all personnel who will have access to AOL's data and information, in accordance with applicable laws and regulations. Additionally, the Service Agency shall ensure that all such personnel receive regular security awareness training covering essential topics such as data protection, handling sensitive information, and incident reporting procedures. Furthermore, the Service Agency shall ensure that all personnel are bound by appropriate confidentiality agreements and are fully aware of their obligations to protect the confidentiality, integrity, and availability of AOL's data and information.
  13. Secure Handling and Disposal: The Service Agency shall implement secure handling procedures for any physical documents or media containing AOL's data and information, including but not limited to secure transportation, handling, and storage practices. Additionally, the Service Agency shall implement secure disposal procedures for any physical documents or media containing AOL's data and information, such as shredding, degaussing, or secure erasure, to ensure that the data and information cannot be recovered or reconstructed. Furthermore, the Service Agency shall maintain detailed logs of all handling and disposal activities related to AOL’s data and information and make such logs available to AOL upon request for auditing and monitoring purposes.
  14. Third-Party Service Providers: If the Service Agency engages any third-party service providers or subcontractors to perform services involving the handling of AOL's data and information, the Service Agency shall ensure that such third parties comply with the same security requirements and obligations as set forth in this Agreement. The Service Agency shall conduct due diligence on any third-party service providers or subcontractors to assess their security practices, certifications, and compliance with relevant standards and regulations. The Service Agency shall remain fully responsible and liable for the acts and omissions of its third-party service providers or subcontractors concerning the security and protection of AOL's data and information.
  15. Security Awareness and Training: The Service Agency shall provide regular security awareness and training programs to all personnel involved in the handling of AOL's data and information, covering topics such as data protection, incident response, secure handling and disposal procedures, and relevant security policies and procedures. The Service Agency shall maintain detailed records of security awareness and training activities, including attendance logs, training materials, and assessments, and make such records available to AOL upon request for auditing and monitoring purposes.

Data Protection

  1. The Service Agency shall treat all data and information provided by AOL including but not limited to personal data, intellectual property, and confidential business information, as strictly confidential and shall not disclose, share, or use such data and information for any purpose other than the performance of its obligations under this Agreement.
  2. The Service Agency shall implement and maintain appropriate technical, physical, and organizational measures to protect the confidentiality, integrity, and availability of AOL’s data and information, in accordance with industry best practices and applicable laws and regulations, including but not limited to relevant data protection laws/regulations.
  3. The Vendor shall ensure that all personnel who have access to AOL's data and information are bound by appropriate confidentiality obligations and receive regular training on data protection and security practices.
  4. The Service Agency shall not transfer Personal Data to a third country or an international organization without the prior written consent of AOL and without ensuring compliance with applicable Data Protection Laws.
  5. The Service Agency shall issue a certificate certifying compliance with this clause as and when requested by AOL.
  6. The Service Agency shall inform AOL in case of any breach and shall cooperate with AOL to respond to and remediate such data breach by providing AOL with sufficient information to allow AOL to meet any obligations to report or inform Data Subjects of the Personal Data breach under the Data Protection Laws. Notwithstanding anything to the contrary herein, the Service Agency shall be responsible for the cost of remediating such data breach and shall pay AOL for all damages and data breach costs incurred, without any limitation of liability.
  7. The Service Agency shall assist AOL in conducting data protection impact assessments when required by applicable Data Protection Laws. This includes providing the necessary information and support to assess the impact of the processing operations on the protection of Personal Data.
  8. This clause shall survive the termination or expiration of the Agreement.
  9. The Service Agency shall maintain records of all processing activities conducted on behalf of AOL.

Audit And Inspection

  1. Service Agency shall allow AOL, its representatives, or an independent auditor mandated by AOL, to conduct audits and inspections of the Service Agency’s systems, processes, facilities, and Personnel involved in handling AOL’s data and information.
  2. Forensic Audit: AOL shall have the right to engage a forensic auditor to identify the root cause of any incident (Cybersecurity or other incidents) related to AOL. The Service Agency and its subcontractors/vendors shall fully cooperate with such forensic audit, providing access to all relevant information, data, and resources.
  3. Audits shall be conducted during regular business hours and upon reasonable prior notice, unless circumstances require immediate access. The Service Agency shall provide full cooperation, including access to the information, Personnel, systems and facilities necessary for the audit or inspection, and shall make available detailed and accurate records.
  4. The Service Agency shall promptly address and remediate any issues or non-compliance identified during an audit or inspection and provide AOL with a detailed report on the findings, remediation actions taken, and timelines for completion. Each Party shall bear its own costs related to the conduct of audits and inspections unless otherwise agreed in writing.
  5. All information obtained during the audit or inspection shall be treated as confidential and used solely for assessing compliance with this Agreement and applicable Data Protection Laws. The Parties shall ensure that any third-party auditors are bound by confidentiality obligations.
  6. Any costs and expenses incurred by the Service Agency in facilitating audits and information access shall be borne by the Service Agency, unless otherwise agreed upon in writing by both parties.

Additional Clauses for Software Procured

  1. Software Bill of Materials (SBOM) and Source Code Escrow:
    • The Service Agency shall provide AOL with the software bill of materials (SBOM) and details of the source code escrow arrangement, or other equivalent arrangements, for the Software provided. This information will allow AOL to identify any potential vulnerabilities and threats.
    • In the event of any update or change to the Software, the Service Agency shall provide AOL with an updated SBOM within two (2) working days.
  2. Software Certifications: All software services rendered, and Software provided by the Service Agency shall be certified for application security and functional audit.
  3. Secure IT Infrastructure: The Service Agency shall ensure that its IT infrastructure adheres to the principles of "secure by design" and "secure by engineering/implementation." Additionally, the infrastructure shall have appropriate elements to ensure "secure IT operations."
  4. Software Vulnerability Remediation: The Service Agency shall promptly address and remediate any identified software vulnerabilities or security flaws within a reasonable timeframe mutually agreed upon with AOL.
  5. Software Development Life Cycle (SDLC):
    • The Service Agency shall implement secure software development life cycle (SDLC) practices throughout the software development process.
    • The Service Agency shall promptly address and remediate any identified software vulnerabilities or security flaws within a reasonable timeframe agreed upon with AOL.
    • The Service Agency shall provide AOL with detailed information about the security architecture, design, and implementation of the software, including security controls, encryption mechanisms, and data flow diagrams.
  6. Secure Development and Deployment Practices:
    • The Service Agency shall follow secure SDLC practices, including but not limited to:
      • Requirements analysis
      • Secure design
      • Secure coding
      • Code reviews
      • Testing
      • Secure deployment processes
    • The Service Agency shall implement secure configuration management practices, including:
      • Version control
      • Change management
      • Separation of environments (development, testing, enhancements, and production)
    • The Service Agency shall maintain detailed documentation of the software development and deployment processes, including security controls, configurations, and changes made throughout the SDLC.
  7. Security Testing and Assurance:
    • The Service Agency shall conduct regular security testing on the software, systems, and supporting infrastructure, including but not limited to:
      • Penetration testing
      • Vulnerability scanning
      • Security code reviews
    • The purpose of this testing is to identify and address potential security weaknesses or vulnerabilities.
    • The Service Agency shall provide AOL with detailed reports on the security testing activities, findings, and remediation plans.
    • The Service Agency shall obtain AOL's approval before implementing any high-risk remediation actions.
    • The Service Agency shall engage independent third-party security assessments or audits as required.

Additional Clauses for Secure Cloud Services / SaaS / CSP

  1. The Service Agency shall ensure that appropriate security controls are in place, including but not limited to logical separation of data, secure multi-tenancy, role-based access controls, and compliance with relevant cloud security standards and best practices.
  2. The Service Agency shall provide detailed information about the cloud architecture, security controls, data segregation mechanisms, and redundancy measures implemented to ensure the security and availability of AngelOne data and systems hosted in the cloud.
  3. The Service Agency shall ensure that all data and information belonging to AngelOne is stored and processed within the legal boundaries of India and shall obtain AngelOne's prior approval for any cross-border data transfers.
  4. The CSP shall be MeitY empanelled, with the CSP's data centre holding valid STQC audit status. The CSP shall support the conduct of any additional audits (by CERT-In empanelled auditors) demanded by AngelOne to fulfil regulatory requirements, within the reasonable time frame defined in the various circulars issued by SEBI from time to time.
  5. In a multi-tenant cloud architecture, the CSP shall implement adequate controls to ensure that data (in motion, at rest and in use) is isolated and inaccessible to any other tenant.
  6. The CSP shall ensure that AngelOne data is encrypted at all lifecycle stages (at rest, in motion and in use), irrespective of source or location, to ensure its confidentiality, privacy and integrity.
  7. In case of exit, the CSP shall support an exit plan with complete handover of all AngelOne data, without hindering any legal, regulatory or technical obligations of AngelOne.
  8. The CSP shall immediately notify AngelOne on losing its empanelment status with MeitY.
  9. The CSP shall be responsible for conducting audits / VAPT of the services / components managed by the CSP.
  10. There shall be an explicit and unambiguous delineation/demarcation of responsibilities for all activities (technical, managerial, governance related, etc.) of the cloud services between AOL and the CSP (and the MSP/SI wherever applicable).