This Security Policy describes the technical and organizational measures CXSense implements to protect Customer Data processed through its Services. It applies to all systems, infrastructure, and personnel involved in delivering the Services.
1. Roles & Responsibilities
CXSense maintains a designated Security Officer and security team responsible for implementing and overseeing this Security Policy. All employees, contractors, and subprocessors must adhere to the security requirements described herein.
2. Compliance & Standards
CXSense aligns its security program with industry best practices and relevant standards, including (as applicable):
SOC 2 Type II
ISO/IEC 27001
GDPR Article 32 security requirements
CCPA security provisions
Physical security of data centres is provided by our cloud providers ([AWS/GCP/Azure]).
3. Data Classification
CXSense classifies data into three categories:
Public Data: May be disclosed without restriction.
Confidential Data: Internal business data requiring limited access.
Customer Data: Data submitted by or for customers to the Services, subject to the highest level of protection.
4. Access Control
All production systems use role-based access controls (RBAC) and the principle of least privilege.
Access rights are reviewed at least quarterly and revoked promptly upon personnel changes.
5. Encryption
In Transit: Customer Data is encrypted using TLS 1.2 or higher.
At Rest: Customer Data is encrypted using AES-256 or stronger encryption.
Encryption keys are managed securely with restricted access.
6. Network Security
Production systems are hosted in isolated virtual private clouds (VPCs).
Firewalls and security groups restrict inbound and outbound traffic to necessary ports.
Intrusion detection and prevention systems monitor network traffic for malicious activity.
7. Application Security
Secure development lifecycle practices are followed, including code reviews and automated security testing.
Third-party libraries are monitored for vulnerabilities.
Periodic penetration tests are performed by qualified external testers.
8. Monitoring & Logging
Security events and system activity are logged and retained according to our retention policy.
Logs are monitored for unusual or unauthorized activity.
Alerts are generated for critical security events.
9. Incident Response
CXSense maintains a documented incident response plan to detect, investigate, and remediate security incidents.
We will notify affected customers without undue delay and within 72 hours of becoming aware of a breach of Customer Data, in accordance with applicable law.
10. Data Retention & Disposal
Customer Data is retained only as long as necessary to provide the Services or as required by law.
Upon contract termination or at customer request, Customer Data is deleted within [X] days unless a longer retention period is legally required.
Data is securely deleted from storage and backups according to our disposal procedures.
11. Business Continuity & Disaster Recovery
Regular backups are performed and stored securely in geographically redundant locations.
Disaster recovery plans define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems.
Business continuity and disaster recovery plans are tested at least annually.
12. Physical Security
Physical access to production systems is managed by our cloud providers (AWS/GCP/Azure) and is subject to their own audited security controls.
CXSense does not maintain on-premises servers that store Customer Data.
13. Third-Party Management
Subprocessors are vetted for security practices before engagement.
All subprocessors sign data protection and confidentiality agreements.
A current list of subprocessors is available at [Insert URL].
14. Employee Security
All employees sign confidentiality agreements and undergo background checks where permitted by law.
Security awareness training is provided at onboarding and annually thereafter.
Access to Customer Data is restricted to personnel with a business need.
15. Updates to This Policy
CXSense may update this Security Policy from time to time. We will notify customers of material changes via email or our admin console.
16. Contact
For security questions or incident reports, contact: