Information Security Policy and Practices

Version: 1.3
Effective from: May 21, 2021

1. Overview

Wingify Software Pvt Ltd. (herein referred to as Wingify in this document) is committed to ensuring the Confidentiality, Integrity, and Availability (CIA) of its information assets and to providing comprehensive protection for them against the consequences of confidentiality breaches, failures of integrity, and/or interruptions to their availability. To provide adequate protection for information assets, Wingify has built the Information Security Management System (ISMS), which includes the respective policies to be followed in a diligent, consistent, and impartial manner. Wingify will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized persons as and when required.

This document details Wingify policies to ensure the protection of its information assets, and to allow the use, access, and disclosure of such information in accordance with appropriate standards, laws, and regulations.

All workforce members, customers, and third parties who use Wingify’s information processing facilities are required to comply with the Information Security policy of Wingify. All the existing Wingify policies, relating to personnel, administration, protection of confidential information, and other areas would apply equally to the information systems environment.

2. Applicability

Wingify is committed to complying with all applicable regulations and laws of the land in all locations and countries related to its operations and information processing.

The key regulations complied with include laws related to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.

3. Scope

The scope of this policy covers all information assets owned or provided by Wingify, whether they reside on the corporate network or elsewhere.

Information Security policies apply to all business functions of Wingify which include:

Human Resource Finance & Accounts Administration Business Operations and Analytics
Information Technology Legal Program Design
Engineering Product Marketing Sales
Customer Success Management Product Success Ideact Security & Compliance

The Information Security policies apply to any person (employees, consultants, customers, and third parties), who accesses and uses Wingify information systems.

Wingify has established, implemented, maintained, and continually improved the Information Security Management System within the context of its overall business activities and risks it may face in accordance with the requirements of the ISO 27001:2013 standard. The ISMS processes used are based on the Plan, Do, Check, and Act (PDCA) model.

  1. Plan (Establish the ISMS)

    Wingify has established policies, related processes, objectives, and procedures relevant for managing risks and improving information security to deliver results in accordance with its overall policies and objectives. The Plan phase includes:

    1. Establishing the ISMS
    2. Defining the scope of ISMS
    3. Defining an ISMS manual
    4. Defining a systematic approach to risk assessment
    5. Identifying risks
    6. Assessing the risks
    7. Identifying and evaluating options for the treatment of risks
    8. Selecting control objectives
    9. Preparing a statement of applicability
  2. Do (Implement and operate the ISMS)

    Wingify has adopted and implemented procedures and processes to ensure compliance and adherence to the ISMS framework. Wingify management made all the necessary resources available to ensure implementation and operation according to the ISMS. The Do phase includes:

    1. Formulating a risk treatment plan
    2. Implementing the risk treatment plan
    3. Implementing controls
    4. Implementing training and awareness programs
    5. Managing operations
    6. Managing resources
    7. Implementing procedures and other controls for incident handling
  3. Check (Monitor and review the ISMS)

    The compliance team ensures regular and continuous monitoring by conducting periodic assessments, reviews, and audits of the Information Security policy of Wingify. The Check phase includes:

    1. Executing monitoring procedures and other controls
    2. Undertaking regular reviews of the effectiveness of ISMS
    3. Reviewing the risk of residual risk and acceptable risk
    4. Conducting internal ISMS audits
    5. Undertaking management review of ISMS
    6. Recording actions and events that could have an impact on the effectiveness or performance of ISMS
  4. Act (Maintain and improve the ISMS)

    Continual improvement in the effectiveness of ISMS at Wingify is demonstrated through the use of Security Policy, Security Objective, Audit Results, Analysis of Data, Corrective and Preventive Actions, and Management Review. The Act phase includes:

    1. Maintaining and improving the ISMS
    2. Implementing identified improvements
    3. Taking appropriate corrective actions and preventive actions
    4. Communicating the results & actions, and agreeing with all interested parties
    5. Ensuring that the improvements help achieve their intended objective

4. Leadership and Commitment

Wingify is committed to security. The top management has constituted the Wingify Corporate Security and Compliance Team, which is responsible for defining and improving the ISMS.

The top management has demonstrated leadership and commitment with respect to the information security management system by:

  1. Ensuring that the information security policy and the information security objectives are established and are compatible with the strategic direction of Wingify
  2. Ensuring integration of ISMS requirements into Wingify’s processes
  3. Ensuring that the resources needed for ISMS are available
  4. Communicating the importance of effective information security management and of conforming to the information security management system requirements
  5. Ensuring that ISMS achieves its intended outcome(s)
  6. Directing and supporting persons to contribute to the effectiveness of ISMS
  7. Promoting continual improvement
  8. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility

5. Policy

The following is the information security management policy statement adopted by Wingify:

“Wingify is committed to ensuring integrity, confidentiality, availability, and security of its physical and information assets at all times for serving the needs and expectations of its interested parties both within the organization and from external parties including clients, suppliers, regulatory, and governmental departments in line with its vision, mission, and values while meeting all legal, statutory, regulatory, and contractual requirements. Wingify’s information systems and the information and data they contain are fundamental for its daily operations and future success. Wingify will develop, implement, maintain, and continually improve policies, procedures, and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available to authorized persons as and when required.”

The Information Security measures include:

5.1. Governance and Organization Structure

5.2. Personnel Security

5.3. Information Asset Management

5.4. Access Control

This section concerns the access controls required to meet the security objectives of the Information Security policy. Access control management is paramount to protecting Wingify information resources and requires implementation of controls and continuous oversight to restrict access.

Confidentiality, Integrity, and Availability (CIA) are fundamental aspects of the protection of systems and information, and are achieved through logical, physical, and procedural controls. It is vital for the protection of systems and information that authorized users who have access to Wingify systems and information are aware of and understand how their actions may affect security and privacy.

The policy is organized into the following key sections which map directly to the ISO 27001 Access Control Domain security objectives:

5.5. Physical and Environmental Security

Our data centers are hosted in some of the most secure facilities available today, in locations that are protected from physical and logical attacks as well as from natural disasters such as earthquakes, fires, and floods, and they use industry best practices. Physical security measures for these data centers include intrusion protection measures and security guards. We rely on third-party attestations of their physical security. Within our office premises, we employ a number of the best industry-standard physical security controls.

5.6. Operational Security

5.7. Communication Security

Wingify has deployed an information technology network to facilitate its business and make it more efficient with respect to various risks, and has established management direction, principles, and standard requirements to ensure that appropriate protection of information on its networks is maintained and sustained. A few controls are in place to protect exchanged information from interception, copying, modification, misrouting, and destruction, as follows:

5.8. System Acquisition, Development, and Maintenance

Wingify has established a Software Development Lifecycle for the planning, requirement analysis, design, development, testing, and maintenance of the product VWO Experience Optimization Platform. Controls are in place to meet the information security and data protection requirements, as follows:

Product Security

Code Security

Bugs Reporting

Wingify takes the security of its systems seriously and values the security community. The responsible disclosure of security and privacy vulnerabilities helps Wingify in ensuring the security and privacy of its users. Bugs can be reported through email at [email protected].

5.9. Third-Party Supplier

Due Diligence

Before contracting with a third-party supplier, it is incumbent upon Wingify to exercise due diligence in reaching as much understanding as possible of the information security approach and controls the company has in place. It is important that the documented “supplier due diligence assessment” procedure is followed so that all the required information is collected and an informed assessment can be made.

Contract

All Wingify contracts will clearly define each party’s data protection and information security responsibilities toward the other by detailing the parties to the contract, effective date, functions or services being provided (such as defined service levels), liabilities, limitations on use of subcontractors and other commercial/legal matters normal to any contract.

The processing must be governed by a contract in writing between the controller and the processor, setting out the following:

5.10. Reporting Security and Privacy Breaches

5.11. Business Contingency and Disaster Recovery

5.12. Compliance

Please feel free to ask questions and share concerns with us at [email protected].