Data Security | Entigrity Services LLP

Our security posture

Four layers of defence. One unified framework.

Aligned with ISO/IEC 27001 controls and the security expectations under the U.S. FTC Safeguards Rule, IRS Publication 4557, and Indian IT Rules, 2011 and DPDP Act, 2023.

Physical security

Restricted-access secure workfloors with biometric entry
CCTV-monitored 24×7, with retention per policy
No removable media (USB, optical, mobile drives) on production floors
No personal phones, no printers on production floors
Visitor logs, escorted access, segregated visitor zones

Logical & network security

AES-256 encryption at rest; TLS 1.3 in transit
VPN-only access to partner-firm environments (RDP / VDI)
Multi-factor authentication on all administrative and remote access
Least-privilege access; periodic access reviews
Endpoint protection, patch management, host firewall
Centralized logging, SIEM-based alerting, periodic vulnerability scans

People security

Pre-employment background verification on all staff
Individual NDAs signed by every team member, refreshed annually
Annual mandatory security and data-protection training
Role-based access controls aligned to engagement and service line
Documented joiner/mover/leaver process with immediate access revocation

Engagement & contractual controls

Master Services Agreement (MSA) and engagement-level SOW with every partner firm
Mutual Non-Disclosure Agreement (NDA) executed before any data exchange
Data Processing Addendum (DPA) where required by the partner firm
Sub-processor list maintained, with prior notification of changes
Right-to-audit clause available in MSA on request

Incident response

Documented playbooks. Prompt notification. No silence.

Our Information Security team maintains a documented incident-response plan covering identification, containment, eradication, recovery, and post-incident review.

In the event of a confirmed security incident materially affecting a partner firm's data, we commit to:

Initial notification to the affected partner firm within 72 hours of confirmation
A written incident summary, including known scope, root cause, and remediation plan
Co-operation with the partner firm's regulatory notification obligations (state Attorneys General, FTC, IRS as applicable in the U.S.)
Notification to relevant Indian authorities, including CERT-In, in accordance with the IT Act and DPDP Act

Framework alignment

ISO/IEC 27001 controls✓

FTC Safeguards Rule (U.S.)✓

IRS Publication 4557✓

IT Rules 2011 (India)✓

DPDP Act, 2023 (India)✓

CERT-In reporting✓

Operating model

How we work in your environment, not ours.

We work inside your systems

Wherever possible, our team accesses your environment via VPN / RDP / VDI, so client data remains within your perimeter — we view but do not extract.

Where extraction is needed

Data leaves your environment only when explicitly required for processing (e.g., tax-preparation software input) and is held in encrypted form, with access limited to the engagement team.

Data minimization

We request only the data needed for the engagement scope. Out-of-scope data is returned or securely destroyed in accordance with the agreed retention schedule.

Sub-processors

Limited to essentials (secure hosting, communication, professional advisors). A current list is available on request and updated changes are notified to partner firms in advance.

Audit & assurance

Right-to-audit provisions are available in our MSA on request. We are willing to complete partner-firm security questionnaires and provide evidence of controls.

Continuity

Daily encrypted backups, documented business-continuity and disaster-recovery procedures, and periodic restoration testing.

Your client data is treated like our own — only safer.