OYO Cyber Security team is responsible for protecting OYO’s Technology and application stack which serves as the backbone of our businesses operating out of various geographies covering 30+ countries including India, Europe, Indonesia, Malaysia, the UK, the US & China. We protect hundreds of application servers, microservices, Kubernetes clusters, and next-generation data science platforms operating out of multi-cloud environments. We also ensure security at data centre and dialer infrastructure levels, to support our call centres operating through our Third Party partners/service providers.

One of our biggest assets is the trust our customers, partners, and employees place in us. Our key responsibility in earning this trust is protecting the data of our customers and other stakeholders. Our world-class teams work 24x7 across multiple geographies to safeguard this data.

OYO Cyber Security team is responsible for ensuring the security of all our group websites & mobile apps owned by OYO Group globally. Our team provides round-the-clock & timely support to multiple countries where we are operating. Our infrastructure is across thousands of servers in data centres & cloud environments, in a highly secure zone. Security is an integral part of any process at OYO; beginning from the collection of data, during transfer and processing, to storage at rest. Today, it is imperative for technology companies to stay updated with the latest tools and tech to mitigate against any unauthorised data access and breaches. We have a comprehensive information security plan in place based on the ISO 27001 framework and we also follow other stringent industry standards like PCI DSS.

Our internal compliance team is responsible for ensuring that all our systems and processes adhere to these standards and best practices. . Zero tolerance for violations is a good thing when it comes to data security. There are a host of measures that we adopt to make this possible. The non-exhaustive control list includes -

• Access based on “Least privilege” and “Need to Know” principles along with Multi-Factor Authentication(MFA)
• Incident Response and Plan
• VAPT Exercises at regular intervals
• Password Management using Industry Best Standards
• Regular Education, Awareness and Acceptance of enterprise policies and procedures
• Appropriate measures for Endpoint Protection using industry best, next-generation antivirus and malware protection solutions to protect user’s devices
• Offices and development centres are protected with the latest next-generation firewalls and VPN devices in compliance with our Information Security policy and stringent perimeter and application security recommendations of the Industry
• Separate VPC for each critical system
• Strong SSL encryption to protect data during transit
• Sensitive data is encrypted at rest
• Connection to the cloud allowed only through MFA-enabled VPN tunnels

With our increasing global footprints catering to customers across the world, it becomes our supreme responsibility to ensure the security & protection of our customers’ data, strengthening their confidence in us by providing services that correspond with changes and enhancing the protection of our secure payment channels and services.

PCI DSS Requirements

PCI DSS compliance is one of the most stringent and most coveted security standards in the industry today. With 6 goals, 12 requirements, and over 300 sub-requirements for the cardholder data environment, PCI Data Security Standard is developed by PCI Security Standard Council, a group of card brands in the world including Visa, MasterCard, Amex, JCB and Discover.

PCI compliance helps us to reduce the risk of our payment systems getting breached and minimizes the risk of theft of cardholder data.

We follow an extensive independent third-party audit on PCI DSS by India's CERT-IN Empanelled Auditor adopting the highest security posture. It involves using a meticulously developed compliance validation structure and security monitoring tools. Our auditor annually certifies our compliance with security requirements developed by the PCI Security Standards Council.

OYO takes all the necessary efforts to mitigate all the bugs & shortfalls in our systems. We are open to receiving positive feedback from independent security groups and individual researchers to study it across all platforms and help make OYO technologically safer for our customers and patrons. We recognise how important it is to help protect the integrity and security of our products. We understand that secure products are instrumental in maintaining the trust users place in us. If you discover any such shortfall, we would appreciate a responsible approach in investigating and reporting it to us so that we can address it as soon as possible. We would further urge you to refrain from any frivolous reporting.

If you believe you know or have found a security issue, we encourage you to notify us and work with us along the lines of the OYO Responsible Disclosure Policy.

Copyright © 2022. All rights reserved.