Security
Last updated 1 June 2026
Draft, pending counsel review. This document is a working draft and does not yet constitute final legal terms. It may change before publication.
Security is core to a consent platform. This page summarises how ConsentX protects the data you trust us with. It describes the controls that are true of the product today, and it is honest about what is on our roadmap and not yet certified. To report a vulnerability, see the responsible disclosure section below.
Our approach to security
ConsentX exists to help organisations record and prove consent, so the integrity and confidentiality of that evidence is the heart of our product. We design for defence in depth, least privilege, and the principle that consent evidence should be provable rather than merely stored. We prefer to claim only what is true today and to be transparent about the rest. You can follow our compliance journey on our trust posture page.
Data encryption
Data is encrypted in transit using TLS between your browser, our edge, and our application. Data at rest is encrypted using the storage-layer encryption provided by our cloud infrastructure on Amazon Web Services. This covers the consent data store and the supporting volumes and backups.
Access control and least privilege
Access to production systems is restricted on a least-privilege basis, granted only to the people who need it for their role, and protected with multi-factor authentication. Within the product, administrative accounts can enrol in TOTP-based multi-factor authentication, and customer accounts support single sign-on. Administrative and security-relevant actions are recorded in audit logs so that activity can be reviewed and attributed.
Network and infrastructure security
The ConsentX application runs on Amazon Web Services in the Asia Pacific Mumbai region. Our edge is protected by Cloudflare, including a web application firewall and DDoS mitigation, and origin access is locked down so that traffic reaches our infrastructure through controlled paths. We use network segmentation and security groups to limit the blast radius of any single component and to keep data stores off the public internet.
Application security and secure development
Security is built into how we develop the product. We follow secure development practices, including code review and automated checks in our pipeline. We manage our dependencies actively, monitor them for known vulnerabilities, and apply updates on a risk-prioritised basis. Findings from automated scanning and from disclosures are triaged and remediated according to severity.
Consent integrity
Every consent record is bound into a per-record SHA-256 hash chain. Each record incorporates a hash of the record before it, so any later change to a stored record breaks the chain and is detectable. Integrity can be verified independently, which means your audit evidence is tamper-evident and provable rather than merely stored.
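The chaining and verification described above, as an added example that is not ConsentX's own code. The record layout, the canonical JSON serialisation, the all-zero `GENESIS` value and the function names are assumptions made for illustration. It also shows that verification should compare the final hash against a copy kept outside the data store, because a chain that has been edited and fully recomputed is internally consistent.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor value for the first record

def record_hash(payload: dict, prev_hash: str) -> str:
    # Canonical JSON so the same payload always serialises to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + body).hexdigest()

def build_chain(payloads: list) -> list:
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = record_hash(payload, prev)
        chain.append({"payload": dict(payload), "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def verify(chain: list, trusted_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first record that fails, or None if intact.

    len(chain) is returned when every link is consistent but the final hash
    differs from trusted_head (records removed, or the chain recomputed).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(rec["payload"], prev):
            return i
        prev = rec["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None

# Constructed sample records, not real consent data.
SAMPLE = [
    {"subject": "user-001", "purpose": "marketing", "granted": True},
    {"subject": "user-002", "purpose": "analytics", "granted": False},
    {"subject": "user-003", "purpose": "marketing", "granted": True},
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    head = chain[-1]["hash"]  # keep a copy of this outside the data store
    print("intact:", verify(chain, head))
    chain[1]["payload"]["granted"] = True  # in-place edit of a stored record
    print("edited record found at index:", verify(chain, head))
    rewritten = build_chain([r["payload"] for r in chain])  # hashes recomputed
    print("recomputed, no anchor:", verify(rewritten))
    print("recomputed, anchored:", verify(rewritten, head))
```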
Monitoring and incident response
We monitor our systems for security-relevant events and maintain an incident response process so that we can detect, contain, and remediate issues. In the event of a personal data breach, we will notify affected customers in accordance with the obligations set out in our Data Processing Addendum and applicable law. To report a suspected security incident, contact security@consentx.io.
Backups and business continuity
We take regular backups of the consent data store, and those backups are encrypted at rest. Our business continuity approach is designed to allow us to restore service and data following a disruption, and we keep our recovery procedures under review as the platform evolves.
Data residency
The ConsentX application and its consent data store are hosted on Amazon Web Services in the Asia Pacific Mumbai region in India. Where personal data is transferred outside the European Economic Area or the United Kingdom, we rely on Standard Contractual Clauses with the United Kingdom Addendum and on the EU-US Data Privacy Framework where the receiving organisation is certified. For the full list of providers, see our subprocessors page.
Certifications and compliance roadmap
We are deliberate about what we claim. ConsentX does not currently hold SOC 2 or ISO 27001 certification, and we will not assert either until it is independently verified. Both are on our roadmap, and we will publish their status on our trust posture page when there is something concrete to report. The controls described on this page are true of the product today.
- Tamper-evident consent evidence. Per-record SHA-256 hash chain with independent integrity verification.
- Encryption in transit and at rest. TLS in transit and storage-layer encryption at rest, including backups.
- Least-privilege access with MFA. Production access is restricted and protected with multi-factor authentication, and the product offers TOTP MFA for administrators.
- Hosted on AWS behind Cloudflare. Application on Amazon Web Services in Mumbai, with a Cloudflare web application firewall and DDoS mitigation at the edge.
- Signed DPA available. A Data Processing Addendum is available so your legal team has the contract it needs.
- Public subprocessor list. We publish the providers in our supply chain on our subprocessors page.
Responsible disclosure
If you believe you have found a security issue, please report it to security@consentx.io with steps to reproduce. Our machine-readable policy is published at /.well-known/security.txt. We appreciate coordinated disclosure, we will work with you to confirm and resolve valid reports, and we ask that you do not disclose publicly until we have confirmed a fix.
Contact
For security questions or to request our security package, contact security@consentx.io. For privacy and data protection questions, contact privacy@consentx.io. For United Kingdom and European Union data protection matters, our Article 27 Representative is IntelligenceX, reachable through intelligencex.org.
Report a vulnerability
Email security@consentx.io with steps to reproduce. Please do not disclose publicly until we have confirmed a fix.