Information Security Policy
Digital Benefits Pte Ltd (trading as WiBiz)
Document Version: v1.0
Effective Date: 15 April 2026
Next Review Date: 15 April 2027
Classification: Internal
Owner: Nicklaus D'Cruz, CEO
1. Purpose
This policy establishes the information security framework for Digital Benefits Pte Ltd ("WiBiz"). It defines the principles, responsibilities, and requirements for protecting the confidentiality, integrity, and availability of all information assets owned, processed, or managed by WiBiz.
This is the master policy. All sub-policies referenced in Section 9 operate under this document.
2. Scope
This policy applies to:
- All employees, contractors, and interns of WiBiz, regardless of location (Singapore HQ, Philippines remote team, and any other jurisdiction)
- All channel partners, resellers, and third-party service providers with access to WiBiz systems or data
- All information assets: customer data, client configurations, internal documents, source code, credentials, financial records, and communication logs
- All systems and infrastructure: the platform infrastructure (CRM backend), frontend hosting, payment processors, communication channels (WhatsApp, Instagram, Facebook, web chat, voice), automation tools, data sync services, and e-signature platforms
3. Management Commitment
The CEO of WiBiz commits to:
- Providing adequate resources for information security initiatives
- Ensuring security objectives are aligned with business goals
- Supporting continuous improvement of security controls
- Leading by example in following security policies and procedures
- Reviewing this policy annually and after any significant security incident
CEO Approval:
Name: Nicklaus D'Cruz
Title: CEO, Digital Benefits Pte Ltd
Date: _______________
Signature: _______________
4. Security Objectives
WiBiz maintains three core security objectives:
Confidentiality — Information is accessible only to those authorised to access it. Customer data, client configurations, and internal business information are protected from unauthorised disclosure.
Integrity — Information and processing methods are accurate and complete. Data is protected from unauthorised modification, and system configurations are change-controlled.
Availability — Authorised users have access to information and associated assets when required. Service uptime targets are maintained, and recovery procedures are documented and tested.
5. Roles and Responsibilities
5.1 CEO (Nicklaus D'Cruz)
- Overall accountability for information security
- Approves the information security policy and all sub-policies
- Allocates budget and resources for security initiatives
- Reviews security posture quarterly
- Final authority on risk acceptance decisions
5.2 Security Lead
- Day-to-day management of the information security programme
- Conducts risk assessments and maintains the risk register
- Manages security incident response
- Coordinates security awareness training
- Reports security status to the CEO monthly
- Manages vendor security assessments
5.3 Team Leads (Stream 1, Stream 2)
- Enforce security policies within their teams
- Ensure team members complete security awareness training
- Report security incidents and near-misses immediately
- Manage access requests for team members
- Conduct access reviews for systems under their responsibility
5.4 All Team Members (Employees, Contractors, Interns)
- Comply with all information security policies
- Complete security awareness training within 30 days of onboarding and annually thereafter
- Report security incidents, suspicious activity, and policy violations immediately
- Protect credentials and never share accounts
- Lock devices when unattended
- Use only approved tools and services for work
5.5 Third-Party Partners and Vendors
- Comply with WiBiz security requirements as specified in contracts
- Report security incidents affecting WiBiz data within 24 hours
- Submit to security assessments when requested
- Maintain their own security controls at a level consistent with this policy
6. Risk Management
WiBiz follows a four-phase risk management cycle:
6.1 Identify
- Maintain an inventory of information assets (systems, data stores, integrations, credentials)
- Identify threats and vulnerabilities through regular assessment
- Monitor threat intelligence relevant to SaaS platforms and communication channels
6.2 Assess
- Evaluate risks based on likelihood and impact (Low / Medium / High / Critical)
- Maintain a risk register with assigned owners
- Prioritise risks that affect customer data or service availability
6.3 Treat
For each identified risk, select one of four treatments:
- Mitigate — implement controls to reduce risk to acceptable levels
- Transfer — use insurance or contractual arrangements
- Accept — formally accept the risk with CEO approval (documented in risk register)
- Avoid — eliminate the activity that creates the risk
6.4 Monitor
- Review the risk register quarterly
- Reassess after any significant change (new vendor, new channel, infrastructure change, security incident)
- Track risk treatment progress in the risk register
7. Information Classification
WiBiz uses four classification levels:
| Level | Description | Examples |
|---|---|---|
| Public | Information intended for public release | Marketing materials, public website content |
| Internal | Information for WiBiz team use only | Internal SOPs, team communications, process documents |
| Confidential | Sensitive business or client information | Client configurations, pricing agreements, partner contracts, source code |
| Restricted | Highest sensitivity — regulatory or legal exposure if disclosed | Customer PII, payment data, credentials, API keys, HSKD certification records |
All information must be handled according to its classification level. When in doubt, treat information as Confidential.
8. Compliance Requirements
WiBiz operates under the following regulatory frameworks:
- PDPA (Singapore) — Personal Data Protection Act 2012. Applies to all personal data collected, used, or disclosed in Singapore. WiBiz maintains a Data Protection Officer (DPO) designation as required.
- GDPR (EU) — General Data Protection Regulation. Applies when processing personal data of EU residents, including through channel partners operating in EU markets.
- HIPAA (US) — Health Insurance Portability and Accountability Act. Applies to healthcare vertical clients in the US market where protected health information is processed.
- Indonesia PDP Law — Applies to Indonesian market operations.
- Vietnam Decree 147/2024 — Applies to Vietnamese market operations.
- A2P 10DLC (US) — Application-to-Person messaging compliance for US SMS channels.
Compliance requirements are reviewed when entering new markets or verticals. The Security Lead maintains a compliance register mapping requirements to controls.
9. Sub-Policies
This master policy is supported by the following sub-policies. Each is maintained as a separate document and reviewed on the same annual cycle.
| # | Sub-Policy | Purpose |
|---|---|---|
| 1 | Access Control Policy | User provisioning, authentication, authorisation, and access review |
| 2 | Data Protection and Privacy Policy | Personal data handling, consent, retention, and deletion |
| 3 | Acceptable Use Policy | Permitted and prohibited use of WiBiz systems and assets |
| 4 | Incident Response Policy | Detection, reporting, containment, and recovery from security incidents |
| 5 | Business Continuity and Disaster Recovery Policy | Service continuity, backup, and recovery procedures |
| 6 | Vendor and Third-Party Management Policy | Security assessment and monitoring of vendors and partners |
| 7 | Change Management Policy | Controlled changes to production systems and configurations |
| 8 | Encryption and Key Management Policy | Encryption standards, key lifecycle, and certificate management |
| 9 | Network and Infrastructure Security Policy | Network segmentation, monitoring, and perimeter controls |
| 10 | Security Awareness and Training Policy | Training requirements, phishing exercises, and awareness programme |
| 11 | Asset Management Policy | Hardware, software, and data asset inventory and lifecycle |
10. Policy Enforcement
Violations of this policy or any sub-policy may result in:
- Verbal or written warning
- Suspension of system access
- Termination of employment or contract
- Legal action where required by law
All violations are investigated by the Security Lead and reported to the CEO. Severity determines the response.
11. Policy Review
- This policy is reviewed annually or after a significant security incident, whichever is sooner
- The Security Lead initiates the review and proposes changes
- The CEO approves all changes
- All team members are notified of material changes within 5 business days
- Version history is maintained below
12. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| v1.0 | 15 April 2026 | Nicklaus D'Cruz | Initial policy |
End of Document