AS | Ankit Sarawagi|Founder, CFOmatrix·June 2026·11 min read | Updated Jun 2026 |
- A good work from home policy covers six things: eligibility, hours and availability, equipment and reimbursement, data security, communication, and approvals.
- No single Indian law mandates a WFH policy, but POSH, DPDP and your State Shops and Establishments Act all still apply to remote staff.
- Reimbursement of internet, electricity and furniture is a company choice, so state the amount, eligibility and claim process clearly.
- Data security is the highest-risk area: company devices, VPN, encryption and DPDP / CERT-In aligned breach reporting belong in the policy.
- Measure remote performance by output, not visibility, get written acknowledgement, and review the policy at least once a year.
| 6 Core sections every work from home policy should contain | 6 hrs CERT-In window to report a cyber incident, including a remote device breach | 10+ Employees at which a POSH Internal Committee is mandatory, remote included |
Why You Need a Work From Home Policy
A work from home policy is the written agreement that tells everyone, employees and managers alike, how remote and hybrid work actually runs in your company. Without one, the same questions surface again and again: who is allowed to work from home, what hours are expected, who pays for the internet, and what happens to company data on a personal laptop. A clear policy answers all of this once.
No single Indian statute requires a standalone work from home policy. But the laws that govern any workplace do not switch off just because the workplace is now a home. Three matter most:
- POSH Act 2013. The Sexual Harassment of Women at Workplace Act extends to work-connected online interactions, so chat, email and video calls are covered. The Internal Committee (mandatory at 10 or more employees) and the 90-day inquiry timeline apply to remote staff too.
- DPDP Act 2023. The Digital Personal Data Protection Act governs how you handle personal data, including employee data and any customer data accessed from home. Consent, notice, data-principal rights and breach notification to the Data Protection Board all apply.
- State Shops and Establishments Act. Working hours, weekly off and leave entitlements flow from the Act of the State where the employee is registered. A WFH policy should reference, not contradict, those entitlements.
The benefit is not just compliance. A precise policy reduces disputes, makes reimbursement consistent and auditable, and lets managers measure people on output rather than who is visible online. You can see all 41 policy templates in our library, but the work from home policy is one of the highest-leverage ones to get right.
Treat the work from home policy as a sub-policy of your overall HR handbook, not a one-off email. It should cross-reference your leave policy, IT and acceptable-use policy, POSH policy and data protection policy so there are no contradictions between documents.
Scope and Eligibility: Who Can Work From Home
Start by stating the model and who it applies to. Vague eligibility is the most common cause of friction, because employees compare themselves to each other.
- The model. Is this fully remote, hybrid (for example three days in office), or remote-by-exception? Define the default and the exceptions.
- Eligible roles. Name the functions or roles that can work from home. Some roles (front desk, lab, warehouse) genuinely cannot, and saying so up front avoids resentment.
- Eligibility conditions. Common conditions are completion of probation, a satisfactory performance rating, a suitable home workspace, and a stable internet connection.
- Approval process. Who approves a WFH request, in what form, and for how long. Specify whether approval is ongoing or needs renewal.
- Location rules. Whether the employee must work from their registered home city or State, which matters for payroll, PF, ESI and the applicable Shops and Establishments Act.
If employees may relocate to a different State, flag it in the policy. A change of work location can change which Shops and Establishments Act applies, affect professional tax, and complicate PF (employer contribution at 20 percent on covered wages) and ESI (at 10 percent for wages up to ₹21,000) administration. Require prior approval for any change of base location.
Working Hours, Availability and Leave
Remote work blurs the line between working and not working, so the policy must set expectations on both sides. The goal is to protect availability for the company and protect personal time for the employee.
- Core hours. Define a window (for example 11 am to 5 pm) when everyone must be reachable, while allowing flexible start and end times around it.
- Total hours and weekly off. Keep these consistent with the applicable State Shops and Establishments Act and the employee’s contract.
- Availability and response times. Set a reasonable expectation (for example respond to messages within a few hours during core hours), not an always-on culture.
- Attendance and time logging. State how attendance is marked for remote staff, whether through an HRMS check-in or task tracking.
- Leave. Clarify that the standard leave policy applies fully; working from home is not a substitute for taking leave when unwell or on holiday.
- Right to disconnect. Encourage respecting non-working hours. There is no central right-to-disconnect law in India yet, but stating the principle prevents burnout and disputes.
A strong hours clause gives flexibility within boundaries: flexible start and end times, a defined core window for collaboration, and a clear statement that maternity, sick and earned leave (including the 26 weeks of maternity benefit for the first two children under the Maternity Benefit Act) are unaffected by remote status.
Equipment, Reimbursement and Home Setup
This is where money and ownership questions live, so be specific. There is no statutory duty in India to fund a home office, which makes a clear, written stance even more important.
| Item | Typical approach | State in policy |
|---|---|---|
| Laptop / hardware | Company-issued and company-owned | Asset ownership and return on exit |
| Internet | Reimbursed against bill or fixed allowance | Amount, eligibility, claim process |
| Electricity | Part of a remote allowance, if any | Whether covered or not |
| Furniture / setup | One-time allowance or none | Cap and approval |
| Software / tools | Company-provided licences only | No unapproved software |
- Allowance vs reimbursement. A fixed monthly remote-work allowance is simpler to administer; reimbursement against bills is more precise. Pick one and document it.
- Asset register and return. Track company assets issued to each remote employee and require return on resignation or termination; tie this into your full-and-final settlement (including gratuity where five years of service is completed, at 15 days wages per year, capped at ₹20 lakh).
- Insurance and damage. State who bears the cost of loss or damage to company equipment at home, and require prompt reporting of any loss.
- Tax treatment. Note that reimbursements and allowances may have tax implications; ask employees to retain proofs and check current rules with payroll.
Data Security and Confidentiality
Data security is the highest-risk part of any work from home policy. Company and customer data now travels over home networks and sits on devices outside the office, so the controls have to be explicit. This is also where the DPDP Act 2023 and CERT-In rules bite.
- Approved devices only. Require company-issued or company-approved devices for work, with disk encryption and up-to-date antivirus and patches.
- Secure access. Mandate a VPN for internal systems, strong passwords and multi-factor authentication, and prohibit shared or public computers for company work.
- Data handling under DPDP. Personal data must be processed lawfully, with a valid basis and notice. Limit what data can be downloaded locally, and require it to be stored only in approved company systems.
- Clean desk and screen. Lock screens when away, keep confidential papers secured, and avoid working on sensitive data in public or shared spaces.
- Incident reporting. Require immediate reporting of any device loss, suspected breach or phishing. Align internal timelines with CERT-In’s six-hour cyber-incident reporting requirement and DPDP breach notification to the Data Protection Board.
- Standards. If you hold SOC 2 or ISO 27001, state that remote work must comply with the same controls so audits are not undermined.
Monitoring remote employees is allowed but must be reasonable, proportionate and disclosed. Under the DPDP Act 2023 you need a lawful basis and clear notice before processing employee data, so spell out exactly what is monitored (for example system access logs), why, and how long it is kept. Covert surveillance of the home environment is a serious risk and should be avoided.
Communication, Performance and Conduct
The final content block is about how people actually work together when they are apart. Good remote policies replace the implicit signals of an office with explicit norms.
- Tools and channels. Name the approved tools for chat, video and project tracking, and what each is used for, so communication does not scatter.
- Meeting cadence. Set a rhythm: a daily or weekly team check-in, a one-on-one cadence, and an expectation of cameras-on for key meetings if that is your norm.
- Performance by output. Measure results and deliverables, not hours logged or green dots. State the review cadence so remote staff are evaluated fairly.
- POSH and grievance. Make clear that the POSH policy, Internal Committee and grievance process apply fully to remote interactions, with the same 90-day inquiry standard and annual reporting.
- Conduct. The code of conduct, confidentiality and IP obligations continue unchanged at home.
- Acknowledgement. Require each employee to sign or e-acknowledge the policy, creating a clear record.
The best remote policies are short on surveillance and long on clarity: clear hours, clear tools, clear deliverables, and a clear statement that protections like POSH and the Maternity Benefit Act (including creche access where 50 or more employees) apply regardless of where someone sits.
How to Write Your Work From Home Policy, Step by Step
You do not need to start from a blank page. Here is the order we recommend, and the free template follows exactly this structure.
| Define scope and eligibility |
State the model (remote, hybrid or by exception), which roles qualify, the conditions, and how requests are approved.
| Set hours, availability and leave |
Define core hours, response expectations, attendance logging, and confirm the standard leave entitlements still apply.
| Cover equipment and reimbursement |
List what the company provides, what is reimbursed and at what amount, and who owns and insures the assets.
| Write the data security rules |
Specify approved devices, VPN, encryption, clean-desk habits, and align breach reporting with DPDP and CERT-In timelines.
| Add communication and performance norms |
Set the tools, meeting cadence and a measure-by-output principle, and confirm POSH and conduct rules apply remotely.
| Get sign-off and roll out |
Collect written acknowledgement, brief managers, and set a review date at least once a year, or sooner if the law changes.
“A work from home policy is not about controlling where people sit. It is about being explicit on the few things that cause disputes: hours, money, and data. Get those clear and the rest takes care of itself.”
Ankit Sarawagi, CFOmatrixFrequently Asked Questions
Is a work from home policy mandatory in India?
No single law requires a standalone work from home policy in India, but having one is strongly recommended. It removes ambiguity around hours, eligibility, equipment and data security, and helps you stay compliant with related laws such as the POSH Act 2013 (which applies to remote workplaces too), the DPDP Act 2023 for personal data, and your applicable State Shops and Establishments Act for working hours and leave.
What should a work from home policy include?
A complete work from home policy should cover scope and eligibility, working hours and availability, attendance and leave, equipment and reimbursement, data security and confidentiality, communication and performance expectations, health and safety, the POSH and grievance position for remote staff, and how the policy is approved and reviewed.
Does the company have to reimburse internet and electricity for remote work?
There is no statutory requirement in India to reimburse home internet or electricity, so it is a company decision the policy should state clearly. Many companies provide a fixed monthly remote-work allowance or reimburse internet against a bill. Whatever you choose, write the amount, the eligibility and the claim process into the policy so it is consistent and auditable.
Does the POSH Act apply to employees working from home?
Yes. The Sexual Harassment of Women at Workplace (POSH) Act 2013 extends to remote and online interactions connected to work, so harassment over chat, email or video calls is covered. Your Internal Committee (mandatory at 10 or more employees) and the 90-day inquiry process apply to remote staff, and the work from home policy should make that clear.
How do you handle data security in a work from home policy?
Require company-approved or company-issued devices, encryption, a VPN for internal systems, strong passwords with multi-factor authentication, and clean-desk and screen-lock habits at home. Align the rules with the DPDP Act 2023 for personal data and with CERT-In’s six-hour incident reporting timeline, so any breach or device loss is reported fast.
Can an employer monitor employees who work from home?
Monitoring is possible but must be reasonable, proportionate and disclosed. Under the DPDP Act 2023 you need a lawful basis and clear notice for processing employee data, so the policy should state what is monitored (for example system access logs or productivity tools), why, and how that data is used. Avoid covert surveillance of the home environment.
Where can I get a free work from home policy template?
CFOmatrix offers a free, India-ready work from home policy template in Word format that you can download and customise. It covers eligibility, hours, equipment and reimbursement, data security, communication and acknowledgement, and sits alongside our full library of 41 HR and finance policy templates.
This article is general information for India as of 2026 and is not legal advice. Employment, tax and data-protection laws change and vary by State; verify the current law and consult a qualified adviser before adopting or relying on any policy.
- All 41 HR & Finance Policy Templates (India)Policies & Templates · CFOmatrix
- Leave Policy: What to Include and a Free Template (India)Policies & Templates · CFOmatrix
- Data Protection Policy under the DPDP Act: Free Template (India)Policies & Templates · CFOmatrix
AS | Founder, CFOmatrix | Finance Strategy & Equity Compliance CFOmatrix is a knowledge platform focused on how finance actually works inside growing companies. Every insight is shaped by real operating experience across startups and growth-stage companies, including cross-border setups. |