Security Practices Disclosure

Vexor is committed to safeguarding user data, protecting platform integrity, and ensuring operational resilience. This Security Practices Disclosure outlines the technical, organizational, and procedural measures we employ to maintain a secure environment across our products, systems, and services.

1. Security Governance

Vexor’s security program is governed by a structured leadership model involving cross-functional teams responsible for risk management, compliance, and operational oversight.

  • Chief Information Security Officer (CISO): Oversees security strategy, governance, and audits.
  • Security & Infrastructure Team: Manages network, system hardening, and platform defenses.
  • Incident Response Team (IRT): Leads containment and remediation during security events.
  • Privacy & Legal Office: Ensures compliance with GDPR, CCPA, and global data laws.

2. Risk Management & Compliance

We maintain a comprehensive risk management framework designed to proactively identify, quantify, and mitigate security threats.

  • Routine security risk assessments and threat modeling exercises
  • Third-party vendor security assessments and contractual controls
  • Compliance mapping to GDPR, CCPA, PIPEDA, and ISO-aligned best practices
  • Annual external penetration testing and security audits

3. Infrastructure & Network Security

Vexor’s infrastructure is built with robust, layered controls to prevent unauthorized access and ensure high system resilience.

  • Cloud Security: Hardened cloud environments hosted with providers that hold ISO 27001 certification and SOC 2 attestation reports.
  • Network Segmentation: Distinct and isolated networks for production, staging, and development.
  • Perimeter Security: Firewalls, WAFs, bot detection, and DDoS mitigation.
  • Secure Internal Access: VPN enforcement and IP-restricted administrative portals.

4. Application & Data Security

Vexor integrates security into every phase of application design, development, deployment, and maintenance.

  • Secure Development Lifecycle (SDLC): Mandatory security reviews tied to engineering processes.
  • Static & Dynamic Testing: SAST/DAST scanning within CI/CD pipelines.
  • Data Encryption: TLS 1.3 for in-transit data; AES-256 for data at rest.
  • Secrets Management: Automated key rotation and hardened secret vaults.
  • Input validation and context-aware output encoding against XSS, SQLi, and other injection attacks; anti-forgery controls against CSRF.
  • Automated vulnerability scanning for third-party libraries and dependencies.
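The following is an added example illustrating the SQLi and XSS controls listed above (parameterized queries, allowlist validation, and context-aware output encoding). It is not Vexor's code; the `users` table, the sample rows, and the attack payloads are constructed here for illustration.

```python
"""Added example: vulnerable vs. hardened handling of user input.

Not Vexor's code. The schema, sample rows and payloads are constructed
for this illustration only.
"""
import html
import re
import sqlite3

# Allowlist for usernames: reject anything that is not a short lowercase token.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <script>alert(1)</script>")],
    )
    return conn


def validate_username(username: str) -> bool:
    """Allowlist validation: structure check before the value reaches any sink."""
    return USERNAME_RE.match(username) is not None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    """String concatenation: attacker-controlled input becomes SQL syntax."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    """Placeholder binding: the value is sent separately from the statement,
    so quotes and SQL keywords inside it are never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def render_profile_vulnerable(display_name: str) -> str:
    """Raw interpolation into HTML: a stored script tag executes in the browser."""
    return "<h1>" + display_name + "</h1>"


def render_profile_encoded(display_name: str) -> str:
    """Context-aware encoding for an HTML text node: <, >, &, quotes become entities."""
    return "<h1>" + html.escape(display_name, quote=True) + "</h1>"


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable :", lookup_vulnerable(db, payload))      # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # no match
    print("validated  :", validate_username(payload))            # rejected up front
    print(render_profile_encoded("Bob <script>alert(1)</script>"))
```

The same payload returns every row through the concatenated query and nothing through the bound one; the allowlist rejects it before it reaches the database at all. Output encoding is applied at render time and chosen for the HTML text-node context; a value placed in an attribute, URL or JavaScript context needs the encoder for that context instead.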

5. Identity & Access Management (IAM)

Robust IAM policies control and monitor internal and administrative access.

  • Role-Based Access Control (RBAC) aligned with least-privilege principles
  • Mandatory multi-factor authentication for privileged accounts
  • Single Sign-On (SSO) where technically supported
  • Periodic privileged access audits and automated revocation workflows

6. Data Protection & Privacy

Data privacy and confidentiality underpin every aspect of our architecture.

  • Data minimization and privacy-by-design methodologies
  • Strict encryption protocols for user PII and financial data
  • Separation of personally identifiable data from content storage systems
  • Continuous monitoring for unauthorized access to sensitive information

7. Monitoring, Detection & Logging

Vexor centralizes log collection and monitoring so that events from across its systems can be correlated and acted on.

  • Centralized SIEM for real-time threat detection and correlation
  • Behavioral analytics for anomaly detection and fraud prevention
  • Comprehensive audit logs for investigative and compliance purposes
  • Automated alerts on suspicious activity, credential abuse, and compromise attempts
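As an added example of the credential-abuse alerting described above (not Vexor's detection logic), the block below runs three simple rules over constructed authentication log lines: repeated failures against one account from one source (brute force), failures against many accounts from one source (password spraying), and a success that follows a run of failures (possible compromise). The log format, field names, thresholds and window are assumptions made for this illustration.

```python
"""Added example: sliding-window credential-abuse detection over auth logs.

Not Vexor's code. The line format, thresholds and sample log are assumed
and constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<ISO-8601 UTC> auth <success|failure> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)   # assumed correlation window per source
BRUTE_FORCE_FAILURES = 5        # failures against a single account from one source
SPRAY_DISTINCT_USERS = 3        # distinct accounts attempted from one source
SUCCESS_AFTER_FAILURES = 3      # failures on an account right before a success


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so the caller can skip it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines):
    """Return alerts as (kind, src, detail) tuples, at most one per kind and source."""
    per_src = defaultdict(deque)   # src -> deque of (ts, user) failures inside WINDOW
    fired = set()
    alerts = []

    def fire(kind, src, detail):
        if (kind, src) not in fired:
            fired.add((kind, src))
            alerts.append((kind, src, detail))

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are skipped rather than miscounted
        q = per_src[ev["src"]]
        # Evict failures older than the window relative to this event.
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))

        failures_by_user = defaultdict(int)
        for _, user in q:
            failures_by_user[user] += 1

        if ev["result"] == "success":
            # A success after a run of failures on the same account is the
            # "compromise attempt that worked" case, not a benign login.
            if failures_by_user[ev["user"]] >= SUCCESS_AFTER_FAILURES:
                fire("possible_compromise", ev["src"], ev["user"])
            continue

        worst_user, worst = max(failures_by_user.items(), key=lambda kv: kv[1])
        if worst >= BRUTE_FORCE_FAILURES:
            fire("brute_force", ev["src"], worst_user)
        elif len(failures_by_user) >= SPRAY_DISTINCT_USERS:
            fire("password_spray", ev["src"], str(len(failures_by_user)))
    return alerts


# Constructed sample log (documentation IP ranges, invented users).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z auth failure user=alice src=203.0.113.5
2024-05-01T10:00:10Z auth failure user=alice src=203.0.113.5
2024-05-01T10:00:20Z auth failure user=alice src=203.0.113.5
2024-05-01T10:00:30Z auth failure user=alice src=203.0.113.5
2024-05-01T10:00:40Z auth failure user=alice src=203.0.113.5
2024-05-01T10:01:00Z auth failure user=alice src=198.51.100.7
2024-05-01T10:01:05Z auth failure user=bob src=198.51.100.7
2024-05-01T10:01:10Z auth failure user=carol src=198.51.100.7
2024-05-01T10:02:00Z auth failure user=dave src=192.0.2.9
2024-05-01T10:02:05Z auth failure user=dave src=192.0.2.9
2024-05-01T10:02:10Z auth failure user=dave src=192.0.2.9
2024-05-01T10:02:20Z auth success user=dave src=192.0.2.9
2024-05-01T10:03:00Z auth success user=erin src=192.0.2.10
this line is not in the expected format
2024-05-01T10:20:00Z auth failure user=alice src=203.0.113.5
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The last line of the sample falls outside the five-minute window of the earlier failures from the same source, so it is evaluated on its own and raises nothing; a detector without eviction would keep alerting on stale history. Thresholds this low are for illustration; in production they are tuned per environment and usually enriched with account lockout state and source reputation before paging anyone.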

8. Incident Response & Notification

Our Incident Response Plan (IRP) ensures efficient management of live threats and fast communication to users and regulators.

  • Detection & Triage: AI-driven and manual alert analysis.
  • Containment: Isolation of compromised systems or accounts.
  • Eradication & Recovery: Removal of malicious artifacts and restoration from clean backups.
  • Root Cause & Post-Incident Review: Detailed reporting and remediation planning.
  • Notification: Supervisory authorities are notified within 72 hours of Vexor becoming aware of a personal data breach, as GDPR requires, and affected users are notified without undue delay where the breach is likely to pose a high risk to them.

9. Backups & Business Continuity

Vexor ensures operational resilience through strict continuity and disaster-recovery controls.

  • Regular encrypted offsite backups
  • Geographically redundant data storage
  • Disaster recovery simulations and failover testing

10. Penetration Testing & Third-Party Assessments

Vexor engages independent specialists for external assurance.

  • Annual penetration tests
  • Red-team offensive security operations
  • Vendor and supply-chain risk audits
  • Cloud and infrastructure validation assessments

11. Secure Development & DevSecOps

Security is fully integrated into our engineering culture.

  • Automated pre-merge security checks
  • Code signing and container image verification
  • Continuous scanning of build artifacts
  • Automated rollback triggers upon detecting anomalous deployments

12. Physical Security

For any physical locations or on-prem equipment, Vexor uses industry-standard protections.

  • ISO 27001-certified data centers with controlled access
  • CCTV, badge access, and event logs
  • Environmental controls (power redundancy, fire suppression, climate systems)

13. Employee Security & Training

People are a critical part of our security strategy.

  • Background checks for relevant roles
  • Mandatory annual security awareness training
  • Phishing simulations and targeted drills
  • Strict device management and endpoint protection policies

14. Vendor & Third-Party Risk Management

  • Security questionnaires and vendor assessment workflows
  • Contractual obligations for breach notifications and data protection
  • Encryption and access restrictions for integrated third-party processors
  • Periodic re-evaluation of vendor security posture

15. Responsible Disclosure & Bug Bounty

Vexor welcomes security researchers who follow responsible disclosure practices.

  • Dedicated security reporting channel: security@vexor.to
  • Non-adversarial, collaborative disclosure process
  • Recognition and potential rewards for validated vulnerability reports
  • Clear scope and testing rules to prevent service disruption

16. Privacy & Data Subject Requests

Security and privacy teams collaborate closely to support GDPR and global user rights.

  • Secure workflows for data access, correction, and deletion requests
  • Identity verification prior to personal data disclosures
  • Auditable processes for privacy compliance

17. Metrics & Transparency

Vexor publishes security-related transparency metrics when possible, including:

  • Number of vulnerabilities reported and resolved
  • Frequency and scope of external audits
  • Incident response resolution timelines
  • Penetration testing summaries

18. Contact & Escalation

For security issues or compliance inquiries:

19. Updates to This Disclosure

Vexor regularly updates this Security Practices Disclosure to reflect new systems, certifications, technologies, and regulations. Material updates will be published with documented revision dates to ensure full transparency.
