
Shadowfax Technologies Pvt Ltd

Legal Register

Document No.: Shadowfax/ III/FR-010
Document Classification: Internal
Initial Preparation Date: 04.01.2022
Initially Prepared By: Asst. mgr. legal
Initial Review Date: 11.1.2022
Initially Reviewed By: Legal Head
Initial Approval Date: 13.01.2022
Initially Approved By: CFO
Version No.: 1
Initial Effective Date:
Document Change Details:
Change Date:
Change Prepared By:
Re reviewed By:
Re Review Date:
Approved By - post review/ change:
New Version No.:
New Effective Date:

THE INFORMATION TECHNOLOGY ACT, 2000
&
Information Technology Amendment Act 2008

S.No | Word | Description

1 | Access | Gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network
2 | Addressee | A person who is intended by the originator to receive the electronic record but does not include any intermediary
3 | Adjudicating Officer | Adjudicating officer appointed under subsection (1) of section 46
4 | Electronic Signature | Adoption of any methodology or procedure by a person for the purpose of authenticating an electronic record by means of Electronic Signature
5 | Asymmetric Crypto System | A system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature
6 | Certifying Authority | A person who has been granted a license to issue an Electronic Signature Certificate under section 24
7 | Certification Practice Statement | A statement issued by a Certifying Authority to specify the practices that the Certifying Authority employs in issuing Electronic Signature Certificates
8 | Communication Device | Cell Phones, Personal Digital Assistance (Sic), or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image. (Inserted Vide ITAA 2008)
9 | Computer | Any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network

Substituted vide ITAA-2008

10 | Computer Network | The interconnection of one or more Computers or Computer systems or Communication device through the use of satellite, microwave, terrestrial line, wire, wireless or other communication media
11 | Computer Resource | Computer, communication device, computer system, computer network, data, computer database or software
12 | Computer System | A device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data, and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions
13 | Controller | The Controller of Certifying Authorities appointed under sub-section (7) of section 17
14 | Cyber Appellate Tribunal | The Cyber Appellate * Tribunal established under sub-section (1) of section 48 (* "Regulations" omitted)

Inserted vide ITAA-2008

15 | Cyber café | Any facility from where access to the internet is offered by any person in the ordinary course of business to the members of the public
16 | Cyber Security | Protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorized access, use, disclosure, disruption, modification or destruction
17 | Data | A representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer
18 | Digital Signature | Authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with the provisions of section 3
19 | Digital Signature Certificate | A Digital Signature Certificate issued under subsection (4) of section 35
20 | Electronic Form | Any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device
21 | Electronic Gazette | Official Gazette published in the electronic form
22 | Electronic Record | Data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche

Inserted vide ITAA-2006

23 | electronic signature | Authentication of any electronic record by a subscriber by means of the electronic technique specified in the second schedule and includes digital signature
24 | Electronic Signature Certificate | An Electronic Signature Certificate issued under section 35 and includes Digital Signature Certificate
25 | Function | In relation to a computer, includes logic, control, arithmetical process, deletion, storage and retrieval and communication or telecommunication from or within a computer
26 | Indian Computer Emergency Response Team | Means an agency established under sub-section (1) of section 70 B
27 | Information | Includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche; (Amended vide ITAA-2008)

Substituted vide ITAA-2008

28 | Intermediary | Any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes
29 | Key Pair | An asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key
30 | Law | Any Act of Parliament or of a State Legislature, Ordinances promulgated by the President or a Governor, as the case may be. Regulations made by the President under article 240, Bills enacted as President's Act under sub-clause (a) of clause (1) of article 357 of the Constitution and includes rules, regulations, bye-laws and orders issued or made there under
31 | License | A license granted to a Certifying Authority under section 24
32 | Originator | A person who sends, generates, stores or transmits any electronic message or causes any electronic message to be sent, generated, stored or transmitted to any other person but does not include an intermediary
33 | Prescribed | Prescribed by rules made under this Act
34 | Private Key | The key of a key pair used to create a digital signature
35 | Public Key | The key of a key pair used to verify a digital signature and listed in the Digital Signature Certificate
36 | Secure System | Computer hardware, software, and procedure that are reasonably secure from unauthorized access and misuse
37 | Security Procedure | The security procedure prescribed under section 16 by the Central Government
38 | Subscriber | A person in whose name the Electronic Signature Certificate is issued
39 | Verify | In relation to a digital signature, electronic record or public key, with its grammatical variations and cognate expressions means to determine whether (a) the initial electronic record was affixed with the digital signature by the use of private key corresponding to the public key of the subscriber

DIGITAL SIGNATURE AND ELECTRONIC SIGNATURE (amended vide ITAA 2008)

40 | Hash function | An algorithm mapping or translation of one sequence of bits into another, generally smaller, set known as "Hash Result" such that an electronic record yields the same hash result every time the algorithm is executed with the same electronic record as its input making it computationally infeasible
41 | Computer Contaminant | Any set of computer instructions that are designed to modify, destroy, record, transmit data or programme residing within a computer, computer system or computer network
42 | Computer Database | A representation of information, knowledge, facts, concepts or instructions in text, image, audio, video that are being prepared or have been prepared in a formalised manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network
43 | Computer Virus | Any computer instruction, information, data or programme that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource
44 | Damage | To destroy, alter, delete, add, modify or re-arrange any computer resource by any means
45 | Computer Source code | The listing of programmes, computer commands, design and layout and programme analysis of computer resource in any form

Inserted vide ITAA 2006

46 | Body corporate | Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
47 | Reasonable security practices and procedures | Security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit
48 | Sensitive personal data or information | Such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit

Substituted vide ITAA 2008

49 | Dishonestly | Shall have the meaning assigned to it in section 24 of the Indian Penal Code
50 | Fraudulently | Shall have the meaning assigned to it in section 25 of the Indian Penal Code

Inserted Vide ITA 2008

51 | Transmit | To electronically send a visual image with the intent that it be viewed by a person or persons
52 | Capture | With respect to an image, means to videotape, photograph, film or record by any means
53 | Private area | The naked or undergarment clad genitals, pubic area, buttocks or female breast
54 | Publishes | Reproduction in the printed or electronic form and making it available for public
55 | Under circumstances violating privacy | Circumstances in which a person can have a reasonable expectation that he or she could disrobe in privacy, without being concerned that an image of his private area was being captured
56 | Company | Any Body Corporate and includes a Firm or other Association of individuals
57 | Director | In relation to a firm, means a partner in the firm

Inserted Vide Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

58 | Personal Information | Means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
59 | Sensitive personal data or information | Sensitive personal data or information of a person means such personal information which consists of information relating to: password; financial information such as Bank account or credit card or debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; Biometric information; any detail relating to the above clauses as provided to body corporate for providing service; any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise

Item No. | Act/ rule | Date of effectiveness of act/ rule | Clause Type* | Relevant Government Department

1 | IT ACT 2000, amendment of The IT Act 2008 | 23.12.2008 | PENALTIES, COMPENSATION AND ADJUDICATION; OFFENCES | Ministry of Communications & Information Technology
2 | Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 | 11.4.2011 | Legal Requirement | Ministry of Communications & Information Technology
3 | Pls provide other compliances like shops and establishment act etc | 26.7.1988 | Legal | Ministry of Labour

LEGAL REGISTER

Section/ Rule No. | Requirement | Applicability

Chapter 9, Section 43A | New Section 43 A included for "Data Protection" need. Specifies liability for a body corporate handling sensitive data, introduces concept of "reasonable security practices" and sensitive personal data. No limit for compensation (further detailed in Information technology sensitive personal data or information Rules 2011 below) | Yes
Chapter 11, Section 65 | Tampering with computer source Documents | Yes
Chapter 11, Section 66 | Computer Related Offences. If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to two three years or with fine which may extend to five lakh rupees or with both (The clause has been re written with significant changes. Applies to all contraventions listed in Section 43. Fine increased to Rs 5 lakhs) | Yes
| 66A: Sending offensive Messages | Yes
| 66C: Identity Theft - fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person | Yes
| 66D: Cheating by personation - using computer resource and provides that any person who by means of any communication device or computer resource cheats by personation | Yes
| 66E: Violation of Privacy - intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent | Yes
| 66F: Cyber Terrorism - with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror in the people or any section of the people knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations | Yes
Chapter 11, Section 67 | Punishment for publishing or transmitting obscene material in electronic form | Yes
| New Section 67A introduced to cover material containing "Sexually Explicit Act". Increased imprisonment and fine compared to Sec 67. | Yes
| New Section 67B introduced to cover Child Pornography with stringent punishment. Imprisonment 5 or 7 years and fine Rs 5 or 10 lakhs for first and subsequent instances respectively. Also covers "grooming" and self abuse | Yes
Chapter 11, Section 72 | Breach of confidentiality and privacy - any person has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses information shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. | Yes
Chapter 11, Section 73 | Penalty for publishing electronic Signature Certificate false in certain particulars. No person shall publish an Electronic Signature Certificate or otherwise make it available to any other person | Yes
Chapter 11, Section 74 | Publication for fraudulent purpose - Whoever knowingly creates, publishes or otherwise makes available an Electronic Signature Certificate for any fraudulent or unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both | Yes
Section 4 | Body corporate to provide policy for privacy and disclosure of information | Yes
| The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. | Yes
| Such policy shall be published on website of body corporate or any person on its behalf and shall provide for- | Yes
| Clear and easily accessible statements of its practices and policies | Yes
| type of personal or sensitive personal data or information collected under rule 3 | Yes
| purpose of collection and usage of such information | Yes
| disclosure of information including sensitive personal data or information as provided in rule 6 | Yes
| reasonable security practices and procedures as provided under rule 8 | Yes
Section 5 | Collection of information.— (1) Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information. | Yes
| (2) Body corporate or any person on its behalf shall not collect sensitive personal data or information unless — | Yes
| (a) the information is collected for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; | Yes
| (b) the collection of the sensitive personal data or information is considered necessary for that purpose | Yes
| (3) While collecting information directly from the person concerned, the body corporate or any person on its behalf shall take such steps as are, in the circumstances, reasonable to ensure that the person concerned is having the knowledge of — | Yes
| the fact that the information is being collected; | Yes
| the purpose for which the information is being collected; | Yes
| the intended recipients of the information; and | Yes
| the name and address of the agency that is collecting the information, the agency that will retain the information. | Yes
| (4) Body corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force. | Yes
| (5) The information collected shall be used for the purpose for which it has been collected. | Yes
| (6) Body corporate or any person on its behalf shall permit the providers of information, as and when requested by them, to review the information they had provided and ensure that any personal information or sensitive personal data or information found to be inaccurate or deficient shall be corrected or amended as feasible: | Yes
| (7) Body corporate or any person on its behalf shall, prior to the collection of information including sensitive personal data or information, provide an option to the provider of the information not to provide the data or information sought to be collected. | Yes
| (8) Body corporate or any person on its behalf shall keep the information secure as provided in rule 8. | Yes
| (9) Body corporate shall address any discrepancies and grievances of their provider of the information with respect to processing of information in a time bound manner. For this purpose, the body corporate shall designate a Grievance Officer and publish his name and contact details on its website. The Grievance Officer shall redress the grievances of provider of information expeditiously but within one month from the date of receipt of grievance. | Yes
Section 6 | Disclosure of information.— (1) Disclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract or otherwise, unless such disclosure has been agreed to in the contract between the body corporate and provider of information, or where the disclosure is necessary for compliance of a legal obligation: | Yes
| The body corporate or any person on its behalf shall not publish the sensitive personal data or information. |
Section 7 | Transfer of Information. A body corporate or any person on its behalf may transfer sensitive personal data or information including any information, to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the body corporate as provided for under these Rules. | Yes
Section 8 | Reasonable security practices & procedures. A body corporate or a person on its behalf shall be considered to have complied with reasonable security practices and procedures | Yes
Chapter II | Registration of Establishments | Yes


Reason for Non Applicability | Compliance Status (Fulfilled/Not Applicable/Still Open/Not Fulfilled) | Compliance Remarks | Authorizations, licenses, consents & related records | Frequency of submission/ renewal

NA | Fulfilled | Refer item no. 2 | NA | NA
NA | Fulfilled | Role based access | NA | NA
NA | Fulfilled | Policy for code of conduct. HR Policy | NA | NA
NA | Fulfilled | Policy for code of conduct. HR Policy | NA | NA
NA | Fulfilled | Role based access. Privilege access mgmt. NDA with employees. | NA | NA
NA | Fulfilled | Role based access. Privilege access mgmt. NDA with employees. | NA | NA
NA | Fulfilled | Policy for code of conduct | NA | NA
NA | Fulfilled | Role based access. Privilege access mgmt. NDA with employees. DLP installed | NA | NA
NA | Fulfilled | Policy for code of conduct | NA | NA
NA | Fulfilled | Policy for code of conduct | NA | NA
NA | Fulfilled | Policy for code of conduct | NA | NA
NA | Fulfilled | NDA signed. Policy for code of conduct | NA | NA
NA | Fulfilled | Electronic signatures are within the close custody of the top mgmt | NA | NA
NA | Fulfilled | Electronic signatures are within the close custody of the top mgmt | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | Fulfilled | Privacy policy documented on web site | NA | NA
| | Privacy policy documented on web site | |
NA | Fulfilled | Privacy policy documented on web site | NA | NA
NA | NA | Policies & procedures documented | NA | NA
NA | Fulfilled | | Provide license number | provide the frequency

Validity of Due date of Date of
license/ submisison/ evaluation
consent renewal

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA
NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA
NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA
NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA

NA NA
NA NA

NA NA

NA NA

NA NA

proviide the Provide the


validity renewal date
