Governance, Risk, and Compliance (GRC)

What Is Governance, Risk & Compliance (GRC) at Quick Heal and Seqrite?

At Quick Heal and Seqrite, Governance, Risk, and Compliance (GRC) is the structured framework through which cybersecurity responsibilities are defined, risks are identified and managed, and regulatory and contractual obligations are addressed.

Quick Heal delivers cybersecurity solutions for consumers and small businesses, while Seqrite serves enterprises, critical infrastructure, and government organisations. Both operate under a unified GRC approach focused on accountability, resilience, and trust.

Why Is GRC Important for Quick Heal, Seqrite, and Their Customers?

A strong GRC framework enables:

  • Responsible decision-making in cybersecurity operations
  • Proactive identification, assessment, and mitigation of cybersecurity risks
  • Consistent compliance with applicable legal and regulatory standards
  • Sustained trust with consumers, enterprises, government bodies, and investors

GRC ensures cybersecurity is managed as a long-term organisational responsibility rather than a reactive technical function.

What Is Quick Heal & Seqrite’s GRC Framework?

GRC Framework

Governance

IT Strategy & IT Policies

IT Strategy defines the long-term direction for how technology enables business objectives, while IT Policies establish the rules and standards for how IT systems are used, governed, and protected on a day-to-day basis.

Leadership and Oversight

Leadership and Oversight ensure effective governance by setting the “tone at the top,” assigning ownership for risk and compliance, and providing direction, supervision, and accountability across the organization.

Risk

Threats and Vulnerabilities

A threat is a potential cause of harm, a vulnerability is a weakness that can be exploited, and risk arises when a threat exploits a vulnerability.

Risk Assessment

Risk Assessment is the structured process of identifying, analyzing, and evaluating risks that could impact business objectives, security, compliance, and operations.

Performance Monitoring

Performance Monitoring measures how effectively governance, risk, and compliance controls operate in practice and whether they deliver the intended outcomes.

Compliance

Regulatory Requirements

Regulatory Requirements are the laws, regulations, standards, and contractual obligations that the organization must comply with to operate legally, ethically, and responsibly.

Data Protection

Data Protection focuses on safeguarding personal, sensitive, and business-critical data through appropriate technical and organizational controls while meeting applicable legal and regulatory obligations.

Audits and Reporting

Audits and Reporting provide independent assurance and transparency into the effectiveness of governance, risk management, and compliance controls.

Business Continuity

Business Continuity is the organization’s ability to continue delivering critical products and services during and after disruptive events.

Accountability

Accountability ensures clear ownership and responsibility for governance, risk, and compliance decisions and outcomes across the organization.

Integrity

Integrity reflects a commitment to ethical, honest, and transparent conduct in managing governance, risk, and compliance activities.

Security

Security encompasses the policies, controls, and practices that protect information, systems, products, and data from threats while ensuring compliance with applicable laws and standards.

Governance

How Is Cybersecurity Governance Defined at Quick Heal and Seqrite?

Cybersecurity governance defines how security-related decisions are made, approved, implemented, and reviewed across the organisation.

The governance framework includes:

  • Clearly defined roles and accountability for information security
  • Documented and approved Information Security Management System, Business Continuity, Security Incident Management, and Data Privacy & Protection policies
  • Privacy by Design and Security by Design Product Development Lifecycle (SDLC)
  • Oversight mechanisms to review security posture and risk exposure

This governance structure supports both consumer-grade security at scale and enterprise-level control and visibility.

Does Quick Heal Have a Formally Approved Information Security and Business Continuity Policy?

Yes. Quick Heal maintains documented Information Security Management Systems and Business Continuity policies that are:

  • Formally approved by the appropriate internal authorities
  • Established to guide secure operations and operational resilience
  • Reviewed periodically to ensure continued relevance

Policy review frequency is defined internally and aligned with organisational governance and risk management practices.

How Are Information Security and Business Continuity Policies Communicated Within Quick Heal?

Information security and business continuity policies are communicated internally through:

  • Formal policy documentation accessible to relevant employees
  • Internal communication channels and onboarding processes
  • Role-specific awareness initiatives aligned with job responsibilities

This ensures that employees understand their obligations related to security, continuity, and resilience.

Does Quick Heal Provide Information Security, Business Continuity, and Data Privacy Training to Employees?

Yes. Quick Heal provides internal training and awareness initiatives covering:

  • Information security principles and secure best practices
  • Business continuity and operational resilience awareness
  • Data privacy awareness and responsibilities relevant to employee roles
  • Compliance and Regulatory Requirements
  • Phishing and Social Engineering Attacks
  • Physical Security
  • Remote Work Security
  • Security Incident Reporting
  • Security Best Practices and Tips

These initiatives reinforce compliance with internal policies and support a security-conscious organisational culture.

Risk Management & Resilience

How Does Quick Heal Identify, Assess, and Manage Cybersecurity and Privacy Risks?

Quick Heal and Seqrite follow a structured enterprise risk management (ERM) approach aligned with ISO 31000 and COSO ERM frameworks.

Key Risk Categories We Manage:

  • Product & Technology Risks
  • Cybersecurity & Data Protection Risks
  • Regulatory & Compliance Risks

Risk management activities include:

  1. Risk Identification
  2. Risk Assessment (Impact × Likelihood)
  3. Risk Mitigation & Controls
  4. Continuous Monitoring
  5. Executive R

Does Quick Heal Conduct Risk Assessments and Business Impact Analysis (BIA) for Customer Services?

Yes. Quick Heal conducts risk assessments that consider:

  • Information security risks
  • Business continuity and operational risks
  • Data privacy risks
  • Regulatory and compliance risks

Business Impact Analysis (BIA) for services offered to customers considers:

  • Critical services and their recovery requirements

These assessments support resilience planning and informed decision-making.

How Are Product and Technology Risks Managed?

Product and technology risks are managed through:

  • Secure-by-design product architecture
  • Product governance decks that also record risks for tracking and mitigation
  • Controlled scanning and telemetry mechanisms that minimise performance impact
  • Risk-based security scoring designed as an indicative metric rather than a deterministic decision engine
  • Continuous improvement based on threat intelligence, research, and customer feedback

Performance, accuracy, and reliability considerations are balanced with security effectiveness, including optimisation for budget and resource-constrained devices.

Compliance

Which Standards and Regulations Does Quick Heal Align With?

Quick Heal and Seqrite align with applicable Indian and global standards and regulatory requirements, including:

  • ISO/IEC 27001 – Information Security Management Systems
  • ISO 20000-1 – IT Service Management Systems
  • ISO 9001 – Quality Management Systems
  • SOC 2 – SaaS Security and Trust Principles
  • Digital Personal Data Protection (DPDP) Act, 2023 (India)
  • GDPR – EU General Data Protection Regulation
  • CERT-In Directions – Cyber Incident Reporting and Response

Compliance obligations are integrated into governance, risk management, and operational processes.

Data Governance & Privacy

Is There an Appointed Person Responsible for Data Privacy at Quick Heal?

Yes. Quick Heal has a designated role responsible for overseeing data privacy governance within the organisation.

This role supports:

  • Alignment with applicable data protection requirements
  • Oversight of privacy-related policies and practices
  • Handling of data privacy queries and escalations

The function operates within the broader governance and compliance framework.

Does Quick Heal Maintain Data Flow Diagrams (DFDs) for Customer Data?

Yes. Quick Heal maintains documentation, including Data Flow Diagrams (DFDs), that describe how data moves across systems and services.

These diagrams support:

  • Understanding of data processing activities
  • Identification of security and privacy controls
  • Risk assessment and compliance efforts

DFDs are prepared and maintained as part of internal governance processes.

Customer Data Privacy

How Does Quick Heal Approach Customer Data Protection and Privacy?

As a cybersecurity provider, Quick Heal recognises its responsibility to protect customer data through secure, transparent, and responsible practices.

What Types of Customer Data May Be Processed?

Depending on the product or service, limited categories of data may be processed, such as:

  • Customer account and contact information
  • Device and system identifiers required for security functionality
  • Security telemetry related to threat detection and prevention
  • Product usage data for performance and reliability improvement

No personal communications, messages, file contents, or unrelated user content are parsed or stored. Data unrelated to cybersecurity operations is not collected.

For What Purposes Is Customer Data Used?

Customer data is used strictly for:

  • Delivering cybersecurity protection and threat prevention
  • Detecting, analysing, and responding to malicious activity
  • Maintaining product functionality and updates
  • Providing customer support
  • Meeting legal and regulatory obligations

Customer data is not used for advertising profiling or unrelated commercial purposes.

How Is Customer Data Stored and Secured?

Customer data is protected using technical and organisational safeguards, including:

  • Secure storage environments with controlled access

    No messages or user details are parsed or stored on the server or local device. Quick Heal does not have access to any message, OTP, or personal information in any format.

    All message parsing happens only at the device level; no parsing takes place over the internet. During parsing, the app only looks for URLs and OTP patterns (regex).

    If a URL is detected, only the URL is sent to the server for verification. At no point are the message contents read, transmitted, or stored, either locally or over the internet.

  • Encryption and integrity protections where applicable

    Data at rest and data in motion are encrypted. We are SOC 2 and ISO/IEC 27001:2022 (the 2022 revision covers data privacy and threat prevention) certified.

  • Segregation of customer data

  • Periodic security reviews and internal controls

    Access is restricted to authorised personnel with legitimate business needs.
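The on-device parsing flow described above, as an added illustration that is not Quick Heal's code: a hypothetical parser that extracts URLs locally and a data-minimisation check confirming that only the URL, never the message body or OTP, reaches the outbound verification request. The regex patterns, function names and sample message are assumptions constructed for this example.

```python
import json
import re

# Constructed sample message for this example (not real customer data).
SAMPLE_MESSAGE = "Your OTP is 482913. Track your parcel at https://example.com/track?id=77"

# Assumed patterns: the page only says the app looks for "URLs and OTP patterns".
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
OTP_RE = re.compile(r"\b\d{4,8}\b")


def parse_on_device(message: str) -> dict:
    """Runs locally on the device. Keeps only the URLs found and a local
    flag saying whether the message looks like an OTP; the text is not kept."""
    return {
        "urls": URL_RE.findall(message),
        "looks_like_otp": bool(OTP_RE.search(message)),
    }


def build_verification_request(parsed: dict) -> str:
    """The only thing that leaves the device: the URL(s) to verify.
    Built from the parsed result, never from the raw message."""
    return json.dumps({"urls": parsed["urls"]})


def build_naive_request(message: str) -> str:
    """Counter-example: shipping the whole message for server-side parsing."""
    return json.dumps({"message": message})


def leaks_message_content(message: str, outbound: str) -> bool:
    """Data-minimisation check: does any word of the message other than its
    URLs appear in the outbound payload? True means the payload over-shares."""
    body = URL_RE.sub(" ", message)      # message with its URLs removed
    residue = URL_RE.sub(" ", outbound)  # payload with URLs removed
    return any(word in residue for word in re.findall(r"[A-Za-z0-9]{4,}", body))


if __name__ == "__main__":
    parsed = parse_on_device(SAMPLE_MESSAGE)
    print(build_verification_request(parsed))
    print("minimised leaks:", leaks_message_content(SAMPLE_MESSAGE, build_verification_request(parsed)))
    print("naive leaks:", leaks_message_content(SAMPLE_MESSAGE, build_naive_request(SAMPLE_MESSAGE)))
```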

How Long Is Customer Data Retained?

Customer data is retained:

  • Only for as long as necessary to fulfil the purpose of collection
  • In accordance with contractual, legal, and regulatory obligations
  • Based on defined retention and secure deletion practices

Data that is no longer required is securely deleted or anonymised.

Is Personally Identifiable Information (PII) Stored on Quick Heal Activation Servers?

Yes. Limited Personally Identifiable Information (PII) is stored on Quick Heal Activation Servers strictly for product activation and license management purposes.

The following information may be stored in encrypted form:

  • User’s Name
  • User’s Mobile Number
  • User’s Email Address

These details are required solely to enable product activation, license validation, and license transfer services. No PII is stored in plain text.

All data at rest and data in transit are encrypted, and access is restricted through controlled, role-based mechanisms.

PII handling and storage practices are aligned with applicable data protection regulations, including the Digital Personal Data Protection (DPDP) Act, 2023 (India), and GDPR.

Quick Heal’s information security and privacy controls are independently validated through SOC 2 and ISO/IEC 27001:2022 certifications, which include controls related to data protection, privacy, and threat prevention.

Under What Conditions Is Customer Data Shared?

Customer data may be shared only under controlled circumstances, such as:

  • With trusted service providers supporting operations
  • When required by law or regulatory authorities
  • In aggregated or anonymised form for security research

Customer data is not sold.

What Rights Do Customers Have Regarding Their Data?

Customers may:

  • Request information about their data
  • Seek correction or deletion where applicable
  • Raise data privacy concerns through designated channels

Clear processes exist to handle such requests.

Our Commitment

Whether protecting individual users or supporting large-scale digital ecosystems, Quick Heal and Seqrite remain committed to strong governance, proactive risk management, regulatory responsibility, and respect for customer privacy.
