
Data Security and Privacy Policy

1. Purpose

This Data Privacy and IT Security Policy outlines the guidelines and procedures for managing, securing, and protecting personal and financial data handled by Mercurius Advisory Services in its operations. As a firm offering tax preparation, accounting, and bookkeeping services, this policy ensures that we adhere to stringent data protection and privacy standards. It reinforces our commitment to safeguarding client data by aligning our practices with the highest standards for security, privacy, and confidentiality. It ensures that we implement robust processes to manage sensitive data and protect the rights of our clients, whether they are based locally or internationally.

2. Scope

This policy applies to all employees, contractors, and partners involved in the collection, processing, storage, and transmission of data on behalf of Mercurius Advisory Services. It covers all personally identifiable information (PII), tax-related data, financial records, and sensitive personal data collected in the course of business.

3. Data Privacy Standards

3.1 Data Collection

• Relevance: Only data strictly necessary for fulfilling tax preparation and accounting services will be collected. This includes personal information, tax returns, and financial data of clients.

• Consent: Informed consent from clients will be obtained before collecting any data.

• Third Party Data Collection: Any data shared by clients on behalf of third parties (e.g., dependents or employees of the Company) will require the client’s affirmation that appropriate consent has been obtained.

3.2 Data Use

• Purpose Limitation: Data will only be used for the purposes specified during collection. Any secondary use must be disclosed and approved by the client.

• Data Accuracy: Reasonable efforts will be made to ensure that data is accurate, complete, and up to date.

3.3 Data Retention

• Retention Period: Client data will be retained for a period of 6 months to meet operational requirements and ensure service continuity. After this period, retention may be extended if agreed with the client; otherwise, the data will be securely deleted from our systems to maintain data privacy and security.

• Archiving: Archived data will be stored securely with restricted access.

3.4 Data Sharing and Transfer

• Cross-border Data Transfer: We will ensure that data transferred into or out of India is directed only to jurisdictions that maintain appropriate data protection standards.

• Third-Party Processors: Data sharing with third-party vendors will be restricted and managed under contractual agreements ensuring compliance with privacy and security obligations.

4. Information Security Standards

4.1 Data Encryption

• Data-at-Rest: All client data stored on servers, databases, and storage devices will be encrypted.

• Data-in-Transit: Encryption protocols (e.g., TLS/SSL) will be used to protect data transmitted over public networks.

4.2 Access Control

• User Authentication: Multi-factor authentication (MFA) will be implemented for all system users accessing client data. Unique user IDs will be assigned, and access will be role-based.

• Role-Based Access Control (RBAC): Access to data will be regulated based on individual job functions, ensuring that only authorized personnel with specific roles are permitted to view or modify sensitive information.

4.3 System Security

• Firewalls and Intrusion Detection: Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) will be deployed to monitor and prevent unauthorized access.

• Patch Management: All software and systems will be regularly updated and patched to protect against vulnerabilities.

4.4 Network Security

• Virtual Private Networks (VPNs): Employees working remotely will use secure VPNs to connect to internal systems.

• Wi-Fi Security: Access to office Wi-Fi will be secured using strong encryption methods and monitored for unauthorized connections.

4.5 Physical Security

• Server Room Security: Physical access to servers will be restricted to authorized personnel, monitored with CCTV, and secured with keycard access.

• Workstation Security: All workstations and mobile devices used to access sensitive data will be secured with password protection and automatic lockout.

5. Employee Training and Awareness

• Regular training programs will be conducted to ensure that all staff are aware of their responsibilities related to data privacy and IT security.

• Employees will receive training on phishing prevention, password management, handling PII, and responding to security incidents.

6. Audits and Monitoring

• The firm will conduct internal and external audits regularly to ensure compliance with data privacy laws and IT security policies.

• Log Monitoring: Continuous monitoring of system and access logs will be performed to detect and prevent unauthorized access or breaches.
