FITENABLE

Information Security Policy

FITENABLE LLP · Last updated: 21 June 2026 · Version: 1.0 · Owner: Abhishek Maurya, Designated Partner / Security Lead

1. Purpose and Scope

This Information Security Policy sets the security requirements that protect FITENABLE LLP (“FITENABLE”) information, systems and the personal data of our users, including sensitive health data.

It applies to all designated partners, employees, coaches, contractors and others who access FITENABLE systems, data or accounts (“Personnel”), and to all devices, applications, cloud services and data used for FITENABLE purposes.

2. Information Classification

Personnel must handle information according to its sensitivity:

  • Public: published marketing/blog content.
  • Internal: operational documents not for public release.
  • Confidential: business, financial, contractual and credential information.
  • Sensitive / Health: Data Principals’ health and lifestyle data and any other sensitive personal data; this is the highest-care category.

3. Access Control

Access follows least privilege: Personnel get only the access needed for their role.

Each user must have a unique account; shared logins are prohibited. Administrative access is restricted and logged.

Multi-factor authentication (MFA) must be enabled on all critical systems (hosting, code repository, email, cloud storage, payment dashboard, analytics).

Joiner/mover/leaver: access is granted on a documented basis, reviewed periodically, and revoked immediately when a person leaves or a coach engagement ends.

4. Authentication and Passwords

Passwords must be strong and unique, stored only in an approved password manager, never shared, and never reused across personal and FITENABLE accounts. Default credentials must be changed before use.

5. Device and Endpoint Security

Any device used to access FITENABLE data must have: full-disk encryption, an auto-locking screen, up-to-date operating system and software, and reputable anti-malware where applicable.

Sensitive/Health data must not be stored on personal or unmanaged devices or removable media. Where Personnel use their own devices, they must follow this Policy and the Remote Work Policy.

6. Network and Transmission Security

All Platform traffic and data transmission must use HTTPS/TLS. Personnel must avoid untrusted public Wi-Fi for sensitive work and use a trusted network or VPN instead.

Personal/health data must not be transmitted over insecure channels.

7. Data Storage and Handling

Personal and health data may be stored only in approved systems (the production database and approved cloud services). Storing client data in personal email, personal cloud drives, spreadsheets on personal devices, or unmanaged chat history is prohibited.

Encryption must be applied to data in transit and, where supported, at rest. Data must be handled in line with the Data Protection Policy (retention, minimisation, deletion).

8. Email, Messaging and WhatsApp

Personnel must be alert to phishing and must verify unexpected requests for credentials, payments or data.

WhatsApp/chat with clients: keep sharing of personal/health data to the minimum necessary, do not store sensitive client data long-term in chat, and use official FITENABLE channels/numbers. Personal device use for client chat must follow this Policy and the Remote Work Policy.

9. Third-Party and Cloud Services

Only vetted third-party services may be used for FITENABLE purposes (for example Razorpay for payments, the approved hosting/cloud provider, and the approved video-conferencing provider for classes).

Any service that will process personal data must be covered by a Data Processing Agreement and reviewed by the Data Protection Lead before onboarding.

10. Secure Development and the Website

The Platform is custom-built; Personnel and contractors involved in development must:

  • follow secure coding practices and keep dependencies updated, running regular dependency/security audits (for example npm audit) and remediating known vulnerabilities promptly;
  • keep secrets (API keys, tokens, credentials) out of source code and client-side code, using a secrets manager / environment variables; anything shipped to the browser must be treated as public;
  • apply security headers (including a Content-Security-Policy) and subresource integrity on third-party scripts and stylesheets where appropriate;
  • use a web application firewall / CDN protection where available;
  • restrict and review access to the code repository and production environment; and
  • test changes before deployment and maintain the ability to roll back.

Given a prior malware/search-console warning on the site, monitoring for unauthorised changes, malware and integrity issues must be maintained, with a defined remediation and rollback process.

11. Logging and Monitoring

Access to critical systems and personal data should be logged where feasible, and logs reviewed for unusual activity. Logs must themselves be protected: access to them restricted, and stored so that they cannot be altered or deleted by the accounts whose activity they record.

12. Vulnerability and Patch Management

Security updates for operating systems, applications and dependencies must be applied promptly. Known critical vulnerabilities must be prioritised.

13. Backups and Recovery

Regular backups of critical data must be maintained, stored securely (encrypted), and periodically tested for restorability. A basic recovery plan must define how to restore service after data loss or an incident.

14. Incident Response and Breach Reporting

Any suspected security incident or personal data breach must be reported immediately to the Security Lead / Data Protection Lead.

Incident response follows the Data Protection Policy: contain, assess, remediate, and, for personal data breaches, notify the Data Protection Board of India and affected Data Principals within the timelines required by the DPDP Act. Incidents and responses must be recorded.

15. Acceptable Use of Company Systems

FITENABLE systems and accounts must be used for legitimate business purposes, lawfully, and in line with this Policy, the Workplace Code of Conduct and the AI Usage Policy. No installing unapproved or pirated software; no disabling security controls.

Personnel must not use FITENABLE systems, accounts, platform access, brand assets, logo, website materials, client data, plans, templates, content or confidential information for personal work, unrelated work, competing services, another business, another client, or any purpose not authorised by FITENABLE.

Personnel must not export, copy, screenshot, scrape, download, forward or retain client information except where strictly necessary for assigned FITENABLE work and authorised by the Company.

When an engagement ends or access is withdrawn, Personnel must immediately stop using all FITENABLE systems, accounts, data and materials; return or delete all Company information; and confirm deletion/return if requested.

16. Physical Security

Devices must be kept physically secure and not left unattended in public; screens must be locked when away.

17. Coach-Specific Obligations

Coaches handling client health data must comply with this Policy, access only the data needed for their assigned clients, never copy client data to personal storage, and return or delete client data at the end of their engagement.

Coaches must not use client contact details, health data, progress data, chat history or plan information to solicit, divert, contact or serve clients outside FITENABLE or for personal, freelance, competing or unrelated work.

Coaches must not request, accept or facilitate payments from clients through personal or unauthorised channels, including personal UPI IDs, QR codes, bank details or payment links.

18. Training and Enforcement

Personnel must complete security awareness training on onboarding and periodically. Breach of this Policy may result in disciplinary action, termination of engagement, and legal action where warranted.

19. Review

This Policy will be reviewed at least annually and after any significant incident.