Introduction & Scope
This policy outlines how Quisitive Businesses LLP collects, uses, protects, and manages information as part of our end-to-end managed IT services — including 24×7 Network Operations Centre (NOC), Security Operations Centre (SOC), cloud services, data centre consultancy, and all related consulting and managed infrastructure services.
All services are delivered under certified management systems: ISO 9001:2015 (Quality Management), ISO/IEC 27001:2022 (Information Security Management), and ISO/IEC 20000-1:2018 (IT Service Management) — independently audited and maintained as active operational frameworks, not filed-away certifications.
This policy applies to: all clients, prospective clients, website visitors, and third parties who interact with Quisitive Businesses LLP through any channel — including our website, managed service agreements, consulting engagements, and direct communications.
This document should be read alongside our Cookie & Consent Notice, which covers the specific data we collect through our website, lead forms, and chat assistant, and the rights you have over that data.
Services Covered by This Policy
This privacy policy and disclaimer applies to all services operated and delivered by Quisitive Businesses LLP. The following service lines and operational activities are explicitly within scope:
Data Collection
In the course of delivering managed services, Quisitive Businesses collects and processes only the data strictly necessary for monitoring network health, security posture, performance optimisation, and service availability. We operate on a principle of data minimisation — collecting the least amount of data required to fulfil the operational purpose.
| Data Category | What Is Collected | Purpose |
|---|---|---|
| System & Network Telemetry | Interface utilisation, error rates, latency, SNMP data, syslog events, NetFlow records, hardware health indicators | Network operations monitoring, fault detection, capacity planning |
| Security Event Data | SIEM logs, IDS/IPS alerts, firewall events, authentication logs, endpoint telemetry | Threat detection, incident investigation, security operations |
| Performance Metrics | CPU, memory, disk utilisation, application response times, availability data | Performance management, SLA compliance measurement |
| Configuration Data | Device configurations, firmware versions, change records | Change management, configuration baseline, audit support |
| Incident Records | Incident tickets, timestamps, resolution notes, escalation records | Incident management, root cause analysis, SLA reporting |
We do NOT access: personal user content, private emails, internal business documents, confidential communications, or any data that is not directly relevant to the operational monitoring and security scope defined in the service agreement — unless explicitly authorised in writing under a documented incident investigation or regulatory requirement.
Protection & Security Controls
All data collected and processed in the course of service delivery is protected through a comprehensive set of technical and organisational controls, governed by our ISO/IEC 27001:2022-certified Information Security Management System.
All monitoring logs, telemetry data, and operational records are encrypted using industry-standard protocols — both during transmission and in storage.
Access to client environment data is strictly limited to authorised and certified engineers with documented need-to-know. RBAC is enforced at the platform level.
All administrative sessions involving client environments are logged and auditable — providing a complete, tamper-evident record of every access event.
All personnel with access to client environments and data are bound by formal confidentiality agreements — in addition to standard employment confidentiality obligations.
Internal security audits are conducted on a scheduled basis to verify that controls are operating as designed and to identify any emerging gaps or improvements required.
A formal information security risk register is maintained and reviewed regularly. Identified risks are assessed for likelihood and impact, and treated according to documented procedures.
Compliance & Certifications
Our management systems are built to align with and support the following standards and regulatory frameworks. Where a framework is listed, our operational practices are designed to meet its requirements within our scope of service delivery.
| Standard / Framework | Our Position | Relevance |
|---|---|---|
| ISO/IEC 27001:2022 | ✅ Certified — independently audited Feb 2026 | Information Security Management System — governs how we protect all data in our care |
| ISO 9001:2015 | ✅ Certified — independently audited Feb 2026 | Quality Management System — governs consistent, documented service delivery processes |
| ISO/IEC 20000-1:2018 | ✅ Certified — independently audited Feb 2026 | IT Service Management System — governs the full lifecycle of managed IT service delivery |
| SOC 2 Type II | 🔄 Certification in progress | Independent attestation of security, availability & confidentiality controls over time |
| CERT-In Empanelment | 🔄 Empanelment in progress | Government of India recognition for IT security auditing — required for regulated sector clients |
| DPDP Act 2023 | Operational alignment — practices designed to comply | India's Digital Personal Data Protection Act — governing personal data collected through our website and services |
| IT Act 2000 / IT Amendment Act 2008 | Operational alignment | India's primary information technology legislation — governing data processing, security, and breach obligations |
| PCI-DSS, HIPAA, GDPR | Platform support capability | Our platforms and practices support client compliance with these frameworks — final compliance accountability remains with the client organisation |
Important: While our monitoring platforms and operational practices are designed to support client compliance with frameworks such as HIPAA, GDPR, PCI-DSS, and SOC 2 — final compliance accountability and regulatory readiness for these frameworks remain the responsibility of the client organisation. We act as a data processor under our contractual obligations.
Data Ownership & Retention
Clients retain full and exclusive ownership of their infrastructure, configuration data, logs, and all data generated within their environments. Quisitive Businesses acts strictly as a data processor — processing data on your behalf, under your instruction, and within the scope defined by the service agreement.
| Data Type | Ownership | Retention Period |
|---|---|---|
| Network and security monitoring logs | Client | 90 days by default; extended retention available on request |
| Incident tickets and resolution records | Client | Duration of service contract + 12 months |
| Configuration backups | Client | Duration of service contract; full export provided on termination |
| SLA and performance reports | Client | Duration of service contract + 12 months |
| Operational runbooks and environment documentation | Client | Provided to client in full on service termination |
On termination: A complete export of all client-owned data held in our systems will be provided within 30 days of a formal written termination request. Data will be securely deleted from our systems within 60 days of confirmed export, unless a longer retention period is required by law.
Disclaimer
The information contained in this document reflects standard operational practices and does not constitute legal advice. Nothing in this policy or in any service documentation produced by Quisitive Businesses LLP should be construed as a legal opinion or as a guarantee of regulatory compliance on behalf of the client.
No technology guarantees absolute protection. While we deploy advanced monitoring systems, professional-grade security tooling, and certified operational processes — no technology or operations function can guarantee 100% protection against zero-day vulnerabilities, novel attack vectors, force majeure events, natural disasters, or unforeseen catastrophic hardware failures. We commit to detecting and responding within our contractual SLAs — we do not guarantee that every threat will be prevented.
Our services are designed and delivered to the highest professional standard — backed by independent certification and contractual SLA commitments. However, the operational security of any environment is a shared responsibility between the service provider and the client organisation. The effectiveness of our services depends in part on the client fulfilling its own responsibilities, as detailed in Section 8 below.
Client Responsibilities
Effective managed security and infrastructure operations require a partnership between Quisitive Businesses and the client organisation. The following responsibilities remain with the client and are not assumed by Quisitive Businesses under a standard service agreement:
🔑 Access & Credential Management
- Maintaining secure credentials for all systems under monitoring scope
- Timely notification of credential changes that affect our monitoring access
- Restricting internal access to environments in line with their own access policies
⚡ Alert Response
- Timely response to escalated alerts requiring client-side authorisation or action
- Designating and maintaining an escalation contact available during agreed response windows
- Authorising change actions that fall outside our standard change authority
🔧 Patch Management
- Scheduling and executing patching activities within agreed maintenance windows
- Coordinating with our NOC team around patching to avoid false fault escalations
- Maintaining vendor support status for hardware and software under monitoring scope
📋 Regulatory Compliance
- Fulfilling the client's own regulatory compliance obligations under applicable law
- Providing accurate information about the regulatory environment governing their sector
- Notifying Quisitive Businesses of any regulatory changes that affect the service scope
Limitation of Liability
Quisitive Businesses LLP shall not be liable for indirect, incidental, consequential, or punitive damages — including but not limited to loss of profit, business interruption, reputational impact, regulatory penalty, or loss of data — arising from circumstances beyond our reasonable operational control, including:
- Events that occur outside our contractual SLA response windows and cannot be attributed to operational negligence on our part
- Failures resulting from the client's own infrastructure, third-party systems, or vendor components outside our managed scope
- Zero-day threats or novel attack vectors for which no effective countermeasure existed at the time of the incident
- Force majeure events — including natural disasters, power grid failures, or government-mandated actions
- Client failure to fulfil the responsibilities outlined in Section 8 above
- Accuracy or completeness of information provided by the client that affects our operational scope or configuration
Our total aggregate liability in any claim arising from a service engagement shall not exceed the total fees paid by the client in the three months immediately preceding the event giving rise to the claim, unless otherwise specified in the signed Master Service Agreement.
For binding liability terms, specific SLA remedy provisions, and data processing agreements tailored to your organisation, the signed Master Service Agreement (MSA) is the governing document. This public policy sets out general principles only.
Terms & Conditions
The following terms govern the commercial and operational relationship between Quisitive Businesses LLP and its clients. These are general terms — specific contractual provisions are contained in the signed Master Service Agreement for each engagement.
Billing & Payment
Monthly invoices are issued in advance unless otherwise agreed in writing. Payment is due within 15 days of invoice date. Delayed payments beyond the grace period specified in the MSA may trigger a service review process. Quisitive Businesses reserves the right to suspend services for non-payment following due notice.
Service Termination
Either party may terminate services with 30 days' written notice unless otherwise defined in the Master Service Agreement. Upon termination, a complete export of client-owned data will be provided upon formal written request. Quisitive Businesses will securely delete client data from internal systems within 60 days of confirmed export.
Policy Amendments
This policy may be updated periodically to reflect regulatory changes, operational developments, or technology changes. Clients will be notified of material changes via email or official communication channels with at least 14 days' notice before changes take effect. Continued engagement after notification constitutes acceptance of the revised terms.
Access & Security Standards
Limited administrative access is granted to Quisitive Businesses solely for the purposes of monitoring and service delivery within the agreed scope. All sessions are logged, auditable, and governed by role-based access control and mandatory confidentiality agreements. Access credentials are stored in encrypted vaults and rotated on a schedule defined by our ISMS.
Data Processing
Quisitive Businesses operates as a data processor under contractual obligations. Clients maintain full ownership and control of all infrastructure, configurations, logs, and business data. A formal Data Processing Agreement (DPA) is available on request and is recommended for all engagements involving personal data processing within our managed scope.
Compliance Support
Our platforms and operational practices support client compliance efforts under HIPAA, GDPR, DPDP Act 2023, PCI-DSS, and SOC 2 frameworks. We provide evidence packs, audit trails, and compliance reporting as part of our service scope. Final compliance accountability and regulatory readiness remain the responsibility of the client organisation.
Governing Law & Jurisdiction
These terms and all service agreements shall be governed by and construed in accordance with the laws of India. Any disputes arising from these terms or from service agreements shall be subject to the exclusive jurisdiction of the courts of Gautam Buddha Nagar (Noida), Uttar Pradesh, India, unless otherwise agreed in writing.
Important Notice: This public-facing document outlines general policies and operational standards. It does not replace signed contracts, Master Service Agreements, or customised SLAs. For binding contractual terms, Data Processing Agreements, or security addenda tailored to your organisation, please contact our compliance team directly.
Contact, Compliance Enquiries & Data Protection
For any questions about this policy, to request a Data Processing Agreement, to exercise your data rights, or to raise a compliance or security concern — contact our Chief Information Security Officer and Data Protection Officer directly:
Mohammad Iqbal Ahmad
Chief Information Security Officer / Data Protection Officer
Quisitive Businesses LLP
11th Floor, Tower-1, Arthia SEZ, Plot No. 21, Tech Zone-IV,
Gautam Buddha Nagar – 201301, Noida, Uttar Pradesh, India
For detailed contractual agreements, SLAs, Data Processing Agreements (DPA), and security addenda tailored to your organisation — contact the compliance team at the address above. We respond to all compliance and legal enquiries within 2 business days.