Information Security & Acceptable Use Policy
Last updated: 17 June 2026
We build ERP systems, software and automation that often touch our clients' most sensitive information — their finances, their orders, their customers. That trust is the heart of our business. This policy sets out the practical, everyday rules that keep that information safe, and explains what each of us is responsible for. It applies to every employee, intern, contractor and partner who uses TheManki systems or handles data on our behalf, on any device, in the office or remote. Effective 17 June 2026.
01. 1. Who and What This Policy Covers
This policy applies to everyone who works with or for Sanam Designs Wallah – Manki Space (TheManki), and to all the information and tools we use to do our work.
- People: all employees, interns, contractors, freelancers and partners who access our systems or handle data on our behalf.
- Systems: laptops, desktops, mobile phones, servers, cloud accounts, email, code repositories, design tools, hosting panels, databases and any client environments we are given access to.
- Information: company data (financials, contracts, source code, credentials), client data (their ERP records, financial figures, customer lists, orders) and personal data (information that identifies an individual, such as names, phone numbers, addresses, Aadhaar/PAN, salary or health details).
We classify information into three simple levels so you know how carefully to treat it: Public (safe to share openly, e.g. our website copy), Internal (for the team only, e.g. project plans), and Confidential (client data, personal data, credentials, financials — the most sensitive, and the default level if you are unsure).
02. 2. Acceptable Use of Company Systems
Company systems and accounts are provided for work. Reasonable, occasional personal use is fine as long as it does not interfere with your job, consume client resources, or put data at risk.
You may:
- Use company devices, email and tools for your assigned work and normal professional communication.
- Install legitimate, licensed software needed for your role, where you have permission to do so.
- Store work files in the approved company drives and repositories, not on random personal accounts.
You must not:
- Use company systems for anything illegal, or to harass, defame or discriminate against anyone.
- Download pirated software, films or media, or visit clearly unsafe or malicious sites on work devices.
- Copy client data, source code or company files to personal email, personal cloud drives, USB sticks or personal phones without explicit authorisation.
- Use AI or automation tools to process client or personal data unless that tool is approved and the client's contract allows it — never paste confidential client data into a public chatbot.
- Try to bypass security controls, disable antivirus, or access systems and data you have not been given a clear reason to use.
We may monitor and log use of company systems for security, legal and operational reasons, within the limits of Indian law. We do not read personal content out of curiosity, but security and audit logs are kept and reviewed.
03. 3. Passwords & Access Control
Most breaches start with a weak or stolen password. Strong, unique credentials and the principle of "least access" are your first and most important defence.
- Use a unique, strong passphrase for every account — at least 12 characters, ideally a memorable phrase. Never reuse the same password across systems.
- Use the company-approved password manager to store and generate credentials. Do not keep passwords in plain text files, spreadsheets, sticky notes or browser-saved lists on shared devices.
- Turn on multi-factor authentication (MFA) wherever it is offered — email, cloud, hosting, code repositories and especially any client systems.
- Never share your login with a colleague. If someone needs access, request it for them properly so it can be tracked.
- Access is granted on a need-to-know basis. You should only have access to the client projects and data you are actively working on.
- Tell your reporting manager immediately when you no longer need access to a project or system, and when a contractor or intern finishes, so their access can be revoked promptly.
Treat credentials for client environments as the most sensitive secrets we hold. Store them only in the approved password manager or secrets vault — never in code, never in chat messages, never in email.
04. 4. Handling Client & Personal Data
Because we build ERP and financial systems, we routinely handle our clients' confidential business data and the personal data of their customers and staff. India's Digital Personal Data Protection Act, 2023 (DPDP Act) governs how personal data must be handled, and the Information Technology Act, 2000 sets further obligations. In most engagements our client is the Data Fiduciary and we act as a Data Processor on their behalf — meaning we process data only on their documented instructions and only for the agreed purpose.
Everyone handling such data must follow these rules:
- Collect and use only the data you actually need for the task — do not pull extra records, full database dumps or unnecessary personal fields "just in case".
- Use data only for the purpose the client engaged us for. Do not reuse client data for testing other projects, marketing, or your own experiments.
- Keep production client data inside approved environments. When you need sample data for development or demos, use anonymised, masked or dummy data wherever possible.
- Encrypt confidential and personal data in transit (HTTPS/TLS, secure file transfer) and at rest where the system supports it.
- Do not move client or personal data outside India or to a new third-party service without checking the client contract and getting sign-off, as cross-border and sub-processor rules can apply.
- When a project ends or data is no longer needed, return or securely delete it as the contract requires, and confirm deletion from backups and personal devices.
- If a client's customer (a Data Principal) contacts us directly to access, correct or erase their data, do not act on it yourself — pass the request to your manager so it is routed to the client, who is responsible for responding.
If you are ever unsure whether you are allowed to use, copy, move or share a piece of data, stop and ask before you act. It is always cheaper to ask than to fix a breach.
05. 5. Device & Network Security
Whether a device is company-issued or your own (BYOD) used for work, it must be kept secure because it is a doorway into client and company data.
- Lock your screen whenever you step away, and set devices to auto-lock after a few minutes of inactivity.
- Enable full-disk encryption (e.g. FileVault on Mac, BitLocker on Windows) on any device that stores work files.
- Keep your operating system, browser and applications updated — apply security patches promptly and do not run unsupported software.
- Run the approved antivirus/endpoint protection and never disable it.
- Avoid working on confidential data over open public Wi-Fi (cafés, airports). If you must, use the company VPN.
- Do not leave laptops or phones unattended in public places, cars or unlocked spaces. Report a lost or stolen device immediately (see the incident section).
- Keep work clearly separated on personal devices — use the approved work apps and storage, and do not back up client data to your personal iCloud/Google account.
Before disposing of, selling or returning any device, make sure all company and client data is securely wiped, not just sent to the recycle bin.
06. 6. Email, Messaging & Phishing
Email and messaging are the most common ways attackers try to trick us. Phishing — a fake message designed to steal credentials, money or data — is a daily threat, especially for a firm that handles client financial systems.
Watch for these warning signs:
- Urgency and pressure — "act now", "your account will be suspended", "urgent payment needed".
- Requests to change bank account details, share OTPs, reset passwords, or buy gift cards.
- A sender address that looks almost right but is subtly wrong, or a display name that does not match the actual email address.
- Unexpected attachments or links, especially asking you to "log in" on a page that looks like a known service.
What to do:
- Never share passwords, OTPs or MFA codes by email, chat or phone — no genuine colleague or service will ask for them.
- Hover over links to check the real destination before clicking, and do not open attachments you were not expecting.
- If a message claims to be from a client, the founder or a vendor and asks for money, data or access, verify it through a separate known channel (a phone call to a saved number) before acting.
- When in doubt, do not click. Report the message (see below) — it is always okay to flag something that turns out to be harmless.
- Be careful what you say in client WhatsApp and email threads; treat them as confidential and do not forward them outside the team.
07. 7. Clean Desk & Clear Screen
A tidy workspace is a secure workspace. Confidential information left visible — on a desk, a whiteboard or an unlocked screen — can be seen, photographed or taken by anyone passing by, including visitors and cleaning staff.
- Lock your computer every time you leave your seat, even for a few minutes (Windows: Win+L, Mac: Control+Command+Q).
- Do not leave printed documents with client data, credentials or personal information lying on desks, printers or meeting tables — collect prints immediately and shred what you no longer need.
- Clear whiteboards of client names, architecture diagrams and credentials after meetings.
- Position your screen so confidential data is not visible to people behind you, especially when working in cafés, co-working spaces or on client sites.
- Store laptops, notebooks and any sensitive paperwork out of sight when you leave for the day.
08. 8. Reporting Security Incidents
A security incident is anything that may have exposed, lost or compromised data or systems — a lost laptop, a clicked phishing link, a misdirected email with client data, a suspected malware infection, a leaked password, or a system behaving strangely.
Speed matters far more than blame. Reporting fast lets us contain the problem; hiding it makes things worse. You will never be punished for honestly and promptly reporting a genuine incident or mistake.
- Report any suspected or actual incident immediately — within the hour if you can — to your reporting manager and to the founder, Mayank Agarwal.
- Do not try to "fix it quietly" or delete evidence. Preserve what you can and let the response be coordinated.
- Write down what happened, when, and what data or systems may be affected, so we can assess the impact.
- If personal data may be involved, flag this clearly — under the DPDP Act 2023 a personal data breach can trigger time-bound notification duties to the Data Protection Board of India and to affected individuals, and we may need to inform the client urgently so they can meet their obligations.
Email: mayank@themanki.com. Phone/WhatsApp: +91 70022 08642. When in doubt about whether something counts as an incident, report it anyway.
09. 9. Consequences of Non-Compliance
Following this policy is a condition of working with TheManki. Most issues are honest mistakes and are handled with guidance and training. But deliberate or careless breaches put our clients, their customers and our business at real risk.
- Depending on the seriousness, breaches may lead to retraining, a formal warning, suspension of system access, or termination of employment or contract.
- Serious misconduct — such as stealing or selling client data, deliberately leaking confidential information, or unauthorised access to systems — may also lead to civil and criminal liability under the IT Act 2000, the DPDP Act 2023 and other applicable laws.
- Contractors and partners who breach this policy may have their engagement ended and may be liable under their contract.
The goal is not to catch people out — it is to keep the trust our clients place in us. If a rule here is getting in the way of doing good work safely, raise it so we can improve it rather than working around it.
10. 10. Questions, Help & Escalation
Security is a shared responsibility, and asking questions is encouraged. If you are unsure how to handle data, need access, suspect a problem, or want a tool or process reviewed, reach out before acting.
For all security questions, access requests, incident reports and policy clarifications, contact the founder:
- Email: mayank@themanki.com
- Phone / WhatsApp: +91 70022 08642
This policy is reviewed periodically and may be updated as our tools, clients and the law evolve. The current version is effective 17 June 2026.
Questions about this policy?
Reach the TheManki team — operated by Sanam Designs Wallah – Manki Space, India.