Email: info@epmlogic.com

EPMLogic

Compliance & Risk Policy EPMLogic Consulting

EPMLogic Consulting is fully committed to maintaining the highest standards of compliance, information security, data protection, and risk management in all our operations.
This policy explains how we uphold regulatory, ethical, and security requirements when delivering consulting and technology services across Workday Financials, Workday Adaptive Planning, and the wider ERP / EPM / AI ecosystem.

1. Purpose and Scope

This Compliance & Risk Policy applies to:

  • All EPMLogic employees, contractors, and partners;
  • All client engagements, systems, and data we manage or access;
  • All jurisdictions where we operate, including India, the EU, the US, and APAC.

Its purpose is to ensure every project meets or exceeds global legal and professional standards for data protection, security, confidentiality, and ethical conduct.

2. Regulatory Compliance Framework

EPMLogic complies with all relevant data-protection and technology-service regulations, including:

India

  • Information Technology Act (2000) and the Digital Personal Data Protection Act (2023) (DPDP).
  • Reasonable Security Practices and Sensitive Personal Data Rules (2011).

European Union

  • General Data Protection Regulation (GDPR) – Articles 5 to 32 for lawful, transparent, and secure processing of personal data.

United States

  • State-level privacy laws such as the California Consumer Privacy Act (CCPA) and comparable frameworks.

Asia-Pacific

  • Personal Data Protection Acts (PDPA) and regional equivalents.

Where multiple frameworks apply, we adopt the strictest requirements as our global baseline.

3. Data Protection Principles

EPMLogic follows the “privacy-by-design” and “least-privilege” principles:

  1. Lawfulness & Transparency: Personal data is collected only with legitimate purpose and explicit consent.
  2. Purpose Limitation: Data is used solely for agreed consulting and support activities.
  3. Data Minimization: We collect only what is necessary.
  4. Accuracy: We keep data current and correct errors promptly.
  5. Storage Limitation: Retention periods are defined and data is securely deleted when no longer needed.
  6. Integrity & Confidentiality: Encryption, access control, and monitoring protect all client data.
  7. Accountability: We maintain documented policies, logs, and audit trails.

4. Security Standards and Certifications

We align with globally recognized standards:

  • ISO / IEC 27001 – Information Security Management System (ISMS) framework.
  • SOC 2 (Type II) – Security, Availability, Processing Integrity, Confidentiality, and Privacy trust principles.
  • ISO 9001 – Quality Management for continuous improvement.
  • ISO 27701 – Privacy Information Management System (PIMS).

Key security controls include:

  • Multi-factor authentication and role-based access control.
  • Data encryption at rest and in transit (AES-256 / TLS 1.2+).
  • Network segmentation and continuous vulnerability monitoring.
  • Regular penetration testing and annual third-party audits.
  • Documented incident-response and disaster-recovery procedures.

5. Confidentiality and NDAs

All personnel and subcontractors sign Non-Disclosure Agreements covering client and internal information.
Client data is shared internally only on a need-to-know basis.
We will never disclose or sell any client information to third parties except:

  • When legally required by a competent authority, or
  • When necessary to deliver contracted services under written confidentiality terms.

6. Responsible AI and Automation Governance

EPMLogic applies a Responsible AI Framework across all AI / ML / automation engagements.

Principles

  1. Fairness: Identify and mitigate data or algorithmic bias.
  2. Reliability & Safety: Validate model performance before deployment.
  3. Transparency: Explain data sources, logic, and limitations.
  4. Privacy & Security: Use anonymization, pseudonymization, and secure processing.
  5. Inclusiveness: Design solutions that benefit diverse users.
  6. Accountability: Maintain human oversight and auditability.

Governance Measures

  • Internal AI Ethics Board reviews high-impact models.
  • Documented model-development lifecycle with peer review.
  • Clear client guidance on AI limitations and risk ownership.
  • Compliance with emerging AI regulations (EU AI Act, US NIST AI RMF, OECD Guidelines).

7. Risk Management Framework

We use a continuous risk-management cycle based on ISO 31000 principles:

  1. Identification: Evaluate project, security, and compliance risks.
  2. Assessment: Score likelihood × impact; prioritize critical items.
  3. Mitigation: Implement controls, contingency, and monitoring.
  4. Review: Reassess quarterly and post-project.
  5. Reporting: Maintain risk registers and management reviews.

Key Risk Domains

  • Data breach or unauthorized disclosure
  • System downtime or integration failure
  • Regulatory non-compliance
  • Ethical AI misuse
  • Business continuity and disaster recovery

8. Vendor and Third-Party Risk Management

When using subcontractors or third-party platforms (e.g., cloud providers, integration tools), EPMLogic:

  • Conducts due-diligence and security assessments.
  • Requires signed data-processing and confidentiality agreements.
  • Ensures vendors meet ISO 27001 / SOC 2 or equivalent standards.
  • Reviews vendors annually for compliance and performance.

9. Employee Awareness and Training

All personnel receive onboarding and annual training on:

  • Data-protection regulations and confidentiality;
  • Secure handling of client systems;
  • Phishing and social-engineering awareness;
  • AI ethics and bias-mitigation practices.

Training records are maintained for audit readiness.

10. Incident Response and Breach Notification

We maintain an Incident Response Plan (IRP) to detect, contain, and resolve security incidents promptly.

Process Overview

  1. Identify and log the incident.
  2. Isolate affected systems to prevent spread.
  3. Assess impact and root cause.
  4. Notify affected clients and authorities within statutory timelines (e.g., 72 hours under GDPR).
  5. Remediate vulnerabilities and document lessons learned.

All incidents are reviewed by senior management to strengthen preventive controls.

11. Business Continuity and Disaster Recovery

EPMLogic ensures service resilience through:

  • Data replication across secure regions;
  • Regular backups with encrypted off-site storage;
  • Tested recovery time objectives (RTO) and recovery point objectives (RPO);
  • Business Continuity Plan (BCP) reviewed semi-annually.

12. Continuous Improvement and Auditing

We conduct:

  • Quarterly internal audits of information-security controls;
  • Annual external compliance reviews by independent assessors;
  • Post-engagement debriefs to capture lessons learned.

Findings are tracked in an internal compliance dashboard until resolved.

13. Ethical and Professional Conduct

All EPMLogic consultants must:

  • Comply with our Code of Conduct (integrity, objectivity, competence, respect).
  • Avoid conflicts of interest and disclose any potential bias.
  • Use client resources responsibly and efficiently.
  • Uphold transparency and accuracy in all reporting.

Violations may result in disciplinary action or contract termination.

14. Global Jurisdiction and Enforcement

EPMLogic operates under Indian law, with principal jurisdictions in Bangalore, Karnataka and Varanasi, Uttar Pradesh.
For international engagements, EPMLogic recognizes and adheres to applicable cross-border regulations under mutual-recognition treaties and international commercial principles.

Any unresolved dispute will first undergo mediation; failing that, binding arbitration shall occur in Bangalore, per the Arbitration and Conciliation Act (1996).

15. Policy Review and Updates

This policy is reviewed annually or whenever there are:

  • Material changes in law or regulatory frameworks;
  • New technologies, tools, or services introduced;
  • Structural changes in company operations.

The most current version will always be published on our website.
Continued use of our services indicates acceptance of the updated policy.

16. Contact Information

For questions, compliance inquiries, or incident reports:

EPMLogic Consulting
Legal & Compliance Office: Bangalore – Karnataka | Varanasi – Uttar Pradesh, India

Statement of Assurance

EPMLogic declares that compliance, security, and ethical integrity are central to our mission.
We continually invest in secure systems, responsible AI practices, and transparent governance to protect our clients’ trust and data.
Our promise is simple: every engagement is delivered with accountability, compliance, and care.