This is the group policy for protecting the confidentiality, integrity and availability of the information and systems entrusted to HyperNext. It sets out how we govern security, manage risk, control access, protect data, secure our facilities and respond to incidents, aligned with the law in every jurisdiction in which we operate and with recognised international standards.
Our customers place mission-critical systems, and increasingly the models and data behind their use of artificial intelligence, in our hands. The compact between us is simple: keep that information confidential, intact and available, every hour of every day. Everything in this policy is in service of that compact.
The threat environment we operate in is real and persistent. Adversaries are well-resourced, supply chains can be exploited, and the consequences of a serious incident reach far beyond our balance sheet. We respond to that not with slogans but with engineering: a risk-based information security management system aligned to ISO/IEC 27001, facilities designed and operated to Tier IV standards, defence in depth across networks and identities, monitoring and response around the clock, and a rigorous discipline of testing what we do.
We obey the law in every jurisdiction in which we operate. For our Indian campuses that means the Information Technology Act 2000, the directions issued by the Indian Computer Emergency Response Team and the Digital Personal Data Protection Act 2023. Our international campuses follow the law that applies to them. Where customer requirements, contracts or standards are stricter, we hold ourselves to the stricter standard.
Security is not finished and never will be. We measure it honestly, audit ourselves independently, and improve it continually. We expect every HyperNext employee and every partner working with us to treat security as their personal responsibility.
| Field | Detail |
|---|---|
| Policy title | Information Security Policy |
| Classification | Public |
| Version | 1.0 |
| Effective date | February 2024 |
| Policy owner | Office of the Chief Information Security Officer |
| Approved by | The Board of HyperNext Data Center Limited |
| Next review | February 2025, or earlier on material change |
| Applies to | All HyperNext entities, their people and third parties acting on their behalf |

| Version | Summary of change |
|---|---|
| 1.0 | February 2024, initial issue, approved by the Board of HyperNext Data Center Limited. |
This policy protects the confidentiality, integrity and availability of the information and information systems that HyperNext owns or is entrusted with, including the infrastructure on which our customers run their own systems and models. It defines the minimum standard for how we govern, design, build, operate and assure information security across the group.
For our Indian campuses, Indian law applies, principally the Information Technology Act 2000 and the rules and directions made under it, the directions issued by the Indian Computer Emergency Response Team (CERT-In) and the Digital Personal Data Protection Act 2023. Our international campuses follow the law that applies to them. Where a law, a customer requirement, a contractual obligation or a recognised standard sets a stricter expectation than this policy, the stricter standard applies. This policy is aligned with ISO/IEC 27001 and is operationalised through subordinate standards, procedures and technical baselines.
An exception to a requirement of this policy may be granted only on a documented business case, with a risk assessment and a time-bound treatment plan, approved by the Chief Information Security Officer and, where the residual risk is significant, by the Audit and Risk Committee.
HyperNext runs an information security management system aligned to ISO/IEC 27001. It is risk-based, owned at executive level, overseen by the Board, and improved continually through a documented cycle of planning, operating, monitoring and review.
| Role | Responsibility |
|---|---|
| The Board | Approves this policy, the risk appetite and material policy changes; receives periodic reports on security posture and incidents. |
| Audit and Risk Committee | Reviews the ISMS, audit results, material risks and incident trends; oversees treatment of significant risks. |
| Chief Executive Officer | Accountable for information security across the business; champions the programme and ensures it is resourced. |
| Chief Information Security Officer | Owns the ISMS day to day, sets standards, advises the business, approves treatment plans and reports on posture. |
| Security operations | Monitors, detects, triages and responds to security events around the clock. |
| Service, system and information owners | Apply the controls of this policy to the services, systems and information they own; sign off on residual risk. |
| Internal audit | Provides independent assurance on the design and operation of security controls. |
| All staff and third parties | Follow the policy, complete required training, and report security concerns through the channels provided. |
Assurance is organised in three lines. The first line is the business owning and operating controls in its day-to-day activity. The second line is the security and risk functions setting standards, advising and challenging. The third line is independent internal audit, providing assurance to the Board. The structure is designed so that no single person both performs and assures the same control.
Security investment and design choices follow risk. We identify the threats to our information and services, assess their likelihood and impact, and treat them in a way that is proportionate to the risk and to the value of what is being protected.
Risks are identified against an inventory of information assets and the services that depend on them. Each risk is analysed for likelihood and impact using a defined rating scheme, considering confidentiality, integrity and availability. The inherent risk is recorded; controls are evaluated; and the residual risk is documented in the risk register together with its owner.
Risks are treated in one of four ways: reduced through additional controls, transferred where insurance or contracts make sense, avoided by stopping or changing the activity, or accepted formally where the risk is within appetite. Treatment plans have an owner, an action set, a target date and clear acceptance criteria, and progress is tracked to closure.
| Residual risk level | Authority to accept |
|---|---|
| Low | Service or system owner |
| Moderate | Chief Information Security Officer |
| High | Executive Committee |
| Very high | Audit and Risk Committee, on the Board's behalf |
The risk register is reviewed at least quarterly, on any material change, and after every significant incident. Findings from audits, penetration tests, red-team exercises and customer assessments feed back into the risk picture.
Access to systems and data is granted on the principles of least privilege and need-to-know, authenticated strongly, authorised explicitly, monitored, and removed promptly when no longer needed.
Every account in our environment has a known human or service owner and a current business justification. Identities are created, modified and removed through an HR-driven joiner, mover and leaver process, with automated provisioning where possible. Access is recertified at least every six months for standard access and every quarter for privileged access. Orphaned and dormant accounts are removed.
Multi-factor authentication is mandatory for all remote access and all privileged access. Phishing-resistant factors are used for high-risk roles. Passwords meet minimum complexity, length and rotation rules set in our authentication standard, and shared accounts are eliminated where business processes allow.
Authorisation follows role-based access control, with attribute-based controls for sensitive resources. Access is requested and approved through ticketed workflows that record the requester, the approver, the scope and the duration. Segregation of duties is enforced where any single individual could otherwise commit and conceal a material error or fraud.
Standing administrative access is minimised. Where it exists, it sits behind a privileged-access-management platform, is logged in detail, is bound to a justified task wherever practical, and is reviewed quarterly. Break-glass accounts are sealed, alerted on use and reconciled after use.
Where customers connect to manage environments they host on our infrastructure, the connection is authenticated, isolated to the customer's own resources and protected against lateral movement. HyperNext staff do not access customer environments except where the contract or the law requires, and any such access is approved, logged and reviewed.
Information is classified by sensitivity, handled and protected according to that classification, encrypted in transit and at rest, and disposed of securely at end of life.
| Class | Definition | Handling |
|---|---|---|
| Public | Information that can be freely shared. | Standard care; no restriction on distribution. |
| Internal | Information for use inside HyperNext. | Limited to staff and authorised third parties; basic protection. |
| Confidential | Information that, if disclosed, would harm HyperNext, our customers or our people. | Need-to-know; encrypted in transit and at rest; access logged. |
| Restricted | The most sensitive information, including certain personal and customer data. | Strict need-to-know; strong encryption; tight access controls; enhanced monitoring. |
Cryptographic protection uses industry-standard algorithms and key sizes defined in our cryptography standard. Data in transit uses current versions of transport-layer security and other accepted protocols; data at rest uses authenticated, strong encryption. Deprecated algorithms are phased out on a managed schedule.
Cryptographic keys are generated, stored, distributed, rotated and destroyed in line with our key-management standard. Keys for production systems are held in hardware-protected key stores. Customer-managed keys are supported where the service provides for them, with clear roles between us and the customer.
Movement of confidential and restricted information is governed by data-loss-prevention controls in line with the classification scheme. Media and equipment are sanitised or destroyed using methods that prevent recovery, and the act of destruction is recorded.
Our networks and platforms are built to contain threats, to limit blast radius and to make malicious activity visible. Defence in depth means that no single control failure exposes the whole estate.
Networks are segmented by trust zone and function, and tenant environments are isolated from one another. Inbound and outbound flows are restricted to what is required and inspected where appropriate. Egress controls limit the routes available to a compromised system.
Systems are built from hardened baselines aligned to recognised benchmarks. Default credentials and unnecessary services are removed; configurations are managed in version-controlled definitions, and drift is detected and corrected. Cloud and virtualised environments follow equivalent baselines.
The estate is continuously scanned for vulnerabilities. Findings are prioritised by exploitability and impact, and remediated on time-bound service levels by severity, with compensating controls applied where a fix cannot be deployed immediately.
Security-relevant events are collected centrally and correlated by our security information and event management platform. Endpoint detection and response, intrusion detection, network detection and anomaly analytics feed the security operations centre, which operates around the clock.
HyperNext campuses are designed and operated to Tier IV standards, with security and resilience built into the physical environment. Physical and information security work together.
Access controls are arranged in layers: perimeter, building, data hall, cage and cabinet. Each layer authenticates the individual, records the entry, and is enforced by a combination of guards, badge readers, biometrics and locks appropriate to its layer. Visitor access is pre-authorised, escorted where required, and time-limited.
Campuses are monitored by closed-circuit television with retention periods appropriate to the area, and by intrusion-detection systems on perimeters and sensitive zones. Alarms feed the security operations team.
Power and cooling are designed with concurrent maintainability and fault tolerance so the facility runs through component failures. Fire detection and suppression, water-leak detection and environmental monitoring cover the data halls and supporting plant.
High-risk physical operations, such as access to certain cages, work on critical infrastructure or movement of sensitive hardware, are subject to dual-person rules and recorded approval.
Day-to-day operations are controlled, monitored and documented; the business is designed to keep running and to recover quickly when something goes wrong.
All changes to production systems go through a defined change-management process. Changes are recorded, risk-assessed, peer-reviewed and approved before deployment; emergency changes follow a fast-track route with post-implementation review. Changes are reversible by design wherever practical.
Security and operational logs are collected from systems, applications, networks and security tools, time-synchronised, protected from tampering, retained according to a defined schedule, and monitored for indicators of compromise.
Backups follow a defined strategy: multiple copies, on different media, with at least one copy isolated from production networks. Recovery procedures are documented and tested at least annually, and restore tests are recorded.
Critical services have business-impact analysis, recovery-time and recovery-point objectives, and tested continuity and disaster-recovery plans. Our Nava Raipur campus provides a disaster-recovery footprint for our Indian operations.
Where HyperNext develops or significantly customises software for its own operations or for customers, security is built in across the lifecycle, from design to retirement.
The security of our suppliers and partners is part of our own. We assess them before we rely on them, contract clearly with them, and assure them through their life.
Suppliers are tiered by the nature and sensitivity of what they do for us. Higher-tier suppliers face deeper security due diligence, including documentary review, security questionnaires, evidence of certifications, and on-site or remote assessment.
Security and data-protection obligations are written into supplier contracts, including confidentiality, security controls, breach notification, audit rights, sub-processor controls and exit obligations.
Ongoing assurance is proportionate to the risk the supplier carries, from annual reattestation for the most critical to periodic check-ins for the rest. Issues are tracked, escalated and, where necessary, lead to corrective action or termination.
Security operations monitor for events around the clock. Incidents are handled through a defined plan that limits impact, restores services, supports affected customers and improves our defences.
| Phase | What happens |
|---|---|
| Prepare | Plans, playbooks, training, tabletop exercises and tooling. |
| Detect | Continuous monitoring; alerts triaged by the security operations centre. |
| Analyse | Severity classified; scope, impact and root cause investigated. |
| Contain | Affected systems isolated; spread blocked. |
| Eradicate | Cause removed, vulnerabilities patched, credentials rotated. |
| Recover | Services restored and verified; monitoring intensified. |
| Lessons learned | Post-incident review; corrective actions tracked to closure. |
Notification to affected customers and to regulators is made in line with contracts and applicable law, including reporting to CERT-In within the timelines that apply in India and notification under the Digital Personal Data Protection Act 2023 where personal data is involved. Where required, law enforcement is engaged.
Evidence is preserved using forensically sound practices so that root-cause analysis is reliable and any future legal or regulatory proceedings are supported.
Technology alone does not make us secure. Our people, our partners and the assurance we hold over our controls do.
Pre-employment screening is performed for roles with access to sensitive systems and information, consistent with local law. Security awareness training is mandatory at induction and annually thereafter, with role-specific training for sensitive roles. Phishing simulations test what training teaches.
HyperNext maintains a programme of recognised certifications and attestations, which includes alignment to ISO/IEC 27001, SOC 2 and Uptime Institute Tier certification, with additions over time as customer demand and the regulatory landscape evolve.
Internal audit reviews the design and operation of security controls on a risk-based plan. External audits and customer assessments add an independent view. Findings are tracked to closure and reported to the Audit and Risk Committee.
Security questions about this policy can be sent to confidential@hypernxt.com.
This page reproduces the published policy in full. For a signed, classification-marked PDF copy for your records, audit or due-diligence pack, email governance@hypernxt.com and we will send it across.