Organisation and project isolation
Customer data is scoped to organisation and project boundaries. Evidence, assessments, users, and review history remain separated so teams only access the workspaces they are authorised to use.
Security built for sensitive assurance work
CyConex is designed for organisations handling sensitive policies, audit evidence, and compliance assessments. Security is embedded across tenant boundaries, access control, data handling, and how the platform is built and operated.
Platform security characteristics
Core controls that protect customer evidence, assessments, and assurance outputs.
Role-based access control
Access is managed through role-based permissions at organisation and project level. Administrators control who can ingest evidence, run assessments, review outputs, and manage configuration.
Strong authentication
CyConex supports hosted identity with multi-factor authentication patterns, helping organisations enforce consistent sign-in controls for users accessing assurance workspaces.
Encryption in transit and at rest
Data is protected in transit using TLS. Evidence and platform data are stored with encryption at rest, reducing exposure if underlying storage media is accessed outside normal application controls.
Audit logging and accountability
Platform activity is recorded to support traceability — including evidence changes, assessment runs, and administrative actions — so assurance teams can demonstrate who did what, and when.
Auditable AI usage
AI-assisted review is designed to remain accountable. Agent activity, assessment reasoning, and human validation steps are retained so automated outputs can be challenged, reviewed, and defended.
Controlled evidence handling
Evidence ingestion, processing, and retention follow scoped library controls. Documents uploaded or connected from external sources remain tied to the organisation and projects that own them.
Operational security controls
Production environments are managed with restricted administrative access, monitored infrastructure, and change-controlled deployment processes to reduce the risk of unauthorised modification.
UK data residency
CyConex is hosted in the United Kingdom so customer evidence, assessment data, and platform metadata remain within UK jurisdiction.
CyConex production services are hosted in UK Azure regions. Customer evidence, assessment outputs, configuration data, and associated platform metadata processed by the service are stored and processed within the United Kingdom unless you explicitly agree otherwise in writing.
This supports organisations with UK data residency requirements — including public sector assurance programmes, regulated operators, and teams preparing for NCSC CAF, GovAssure, or NIS-related assurance activity.
Backups, logs, and operational telemetry required to run the service are also maintained within UK-hosted infrastructure. CyConex does not move customer content to overseas regions for routine processing.
If your organisation requires additional contractual assurances, data processing terms, or sub-processor information, contact us and we will provide the documentation needed for your procurement or security review.
Secure development
CyConex is engineered using secure development practices so security is considered throughout design, implementation, testing, and release — not added after the fact.
Security requirements are considered from the earliest design stage. Features that handle evidence, assessments, identity, or AI-assisted outputs are reviewed for access control, data handling, and traceability before they reach production.
Development follows controlled source management, peer review, and automated build and deployment pipelines. Changes are tested before release and deployed through repeatable processes that reduce manual configuration risk.
Dependencies and application components are maintained and updated as part of ongoing development. Known vulnerabilities are triaged and remediated according to severity and exposure.
Production access is limited to authorised personnel. Separation between development, staging, and production environments helps prevent uncontrolled changes to live customer data.
Security by design
New capabilities are assessed for tenant isolation, least-privilege access, and evidence handling before implementation.
Peer review and quality gates
Code changes are reviewed and validated through automated build, test, and deployment workflows before reaching production.
Dependency and vulnerability management
Third-party libraries and platform components are tracked and updated to address known security issues.
Environment separation
Development, staging, and production environments are separated to limit the risk of test activity affecting live customer data.
Least-privilege operations
Administrative access to production systems is restricted, logged, and granted only where operationally necessary.
Monitoring and incident readiness
Operational monitoring supports detection of abnormal activity and structured response when security or availability issues arise.
Need detailed security documentation?
Contact us for security questionnaires, data processing information, or procurement support.
Security capabilities described on this page reflect the current design and development direction of CyConex. Specific controls, certifications, and contractual terms may vary by deployment and commercial agreement. Contact us for detailed security documentation.