Security & Compliance — Headx Monitor
SECURITY & COMPLIANCE OVERVIEW: How we protect your data, end to end (document version 1.0)
TRUST & COMPLIANCE

Encryption, access controls, India data residency, statutory alignment (IT Act 2000, RBI, IRDAI, SEBI) and how to report a vulnerability. The full trust posture of Headx Monitor in one place.

TLS 1.3 + AES-256 · AWS Mumbai (ap-south-1) · MFA + RBAC · IT Act 2000 / RBI / IRDAI / SEBI · ISO 27001 in progress · SOC 2 Type 2 in progress
Last updated June 13, 2026 IST · Document version 1.0 · Reviewed quarterly
  • Encryption: TLS 1.3 + AES-256 · In transit and at rest
  • Data residency: AWS Mumbai · ap-south-1 only · No cross-border replication
  • Access control: MFA + RBAC · 5 default roles · Custom roles · IP allowlist
  • Breach notify: 72 hours · DPDP Act 2023 aligned
  • Key management: AWS KMS / BYOK · Annual rotation
  • Vulnerability SLA: 4h ack · 14d patch · security@headx.in · 24x7
Honest disclosure: ISO 27001 and SOC 2 Type 2 certifications are in progress (targets Q2 / Q3 2026). We do not claim either today. Customers requiring these certifications before purchase should ask sales for the latest audit timeline and interim attestation documents.

1 Data protection

Encryption in transit

All traffic between the Headx agent, dashboard, and backend uses TLS 1.3 with modern cipher suites. Older TLS versions are disabled. HSTS is enforced with a 1-year max-age on all customer-facing endpoints.
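The two commitments in this section, TLS 1.3 only and a 1-year HSTS max-age, are the kind of thing a customer's security team will want to verify rather than take on trust. The following is an added example, not code from Headx or this page: it builds a client TLS context that refuses anything below TLS 1.3, and parses a Strict-Transport-Security header (RFC 6797 directive syntax) to check it against the 1-year minimum. The sample response headers are constructed and are not captured from any real Headx endpoint.

```python
import ssl
from dataclasses import dataclass

# The "1-year max-age" this section commits to, in seconds.
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60  # 31536000


def tls13_only_context() -> ssl.SSLContext:
    """Client context that will not negotiate anything below TLS 1.3.

    Any server still offering only TLS 1.2 or older fails the handshake,
    which is the client-side mirror of "older TLS versions are disabled".
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value.

    Directives are ';'-separated, names are case-insensitive, and max-age
    is mandatory (RFC 6797). Raises ValueError on a malformed header.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_meets_policy(headers: dict, min_age: int = ONE_YEAR_SECONDS) -> tuple:
    """Return (ok, reason) for a response header map.

    Header-name lookup is case-insensitive because HTTP header names are.
    """
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return False, "HSTS header missing"
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return False, f"HSTS header malformed: {exc}"
    if policy.max_age < min_age:
        return False, f"max-age {policy.max_age} below required {min_age}"
    return True, "ok"


# Constructed sample responses (hypothetical, not from any real endpoint).
SAMPLE_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_SHORT = {"strict-transport-security": "max-age=86400"}
SAMPLE_MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    ctx = tls13_only_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    for label, hdrs in [("good", SAMPLE_GOOD), ("short", SAMPLE_SHORT), ("missing", SAMPLE_MISSING)]:
        print(label, hsts_meets_policy(hdrs))
```

To use this against a live endpoint, wrap a socket with `tls13_only_context()` and pass the response headers to `hsts_meets_policy`; a handshake failure or a `(False, reason)` result is a finding to raise with the vendor.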

Encryption at rest

All data stored by Headx Cloud is encrypted at rest using AES-256. Database volumes are encrypted with AWS KMS-managed keys. Object storage (screenshots, recordings) is encrypted server-side. On-Premise installations use the same cipher; key management is delegated to the customer's chosen KMS or OS-level key store.

Key management

Cloud customer keys are stored in AWS KMS with annual rotation. Customer-managed key (CMK / BYOK) support is available on On-Premise. JWT secrets, database credentials, and third-party API tokens are stored in a dedicated secrets manager — never in source control or in environment variables exposed in logs.

2 Data residency

Cloud: All Headx Cloud data is hosted in AWS Mumbai (ap-south-1). No replication outside India. Backup snapshots also reside in ap-south-1. We do not use US, EU, or Singapore regions for production Cloud workloads.

On-Premise: Data resides exclusively on customer infrastructure. Headx engineers can access On-Premise systems only via customer-initiated screen-share sessions for support; we hold no copy of customer data.

This satisfies the data-localisation requirements of the RBI Master Direction on IT Outsourcing, IRDAI Information and Cyber Security Guidelines, and the SEBI Cybersecurity Framework.

3 Access controls

Customer-side

Multi-factor authentication is available on every user account (TOTP and SMS). Role-based access control provides five default roles (super admin, admin, manager, auditor, viewer) and the ability to define custom roles with granular permissions. Session timeouts are configurable per company. An IP allowlist is available for the admin panel.

Headx-side

Headx employees have no default access to customer data. Privileged-access workflows require:

  • Explicit customer ticket or approval
  • SSO + hardware-key MFA
  • Time-boxed access (auto-revoked after the support session)
  • Full session recording of any access action
  • Audit-log entry shared with the customer afterwards

Background-verified employees only. Quarterly access reviews for all internal systems.

4 Agent (endpoint) security

The Windows agent:

  • Is code-signed with an Extended Validation certificate
  • Is submitted to all major AV vendors for proactive false-positive prevention
  • Uses pinned-certificate communication to prevent MITM
  • Runs as a service under a dedicated low-privilege account where the OS allows
  • Is tamper-resistant: uninstall requires admin privilege and is audit-logged
  • Supports offline buffering with an encrypted queue if the network is unavailable

See Security Architecture for the full technical breakdown.

5 Compliance frameworks

India statutory

Framework | Status | Notes
IT Act 2000 (Section 43A) + 2008 amendment | Aligned | Reasonable security practices implemented
IT (Reasonable Security Practices) Rules 2011 | Aligned | Consent, notice, retention, breach reporting
DPDP Act 2023 | Aligned | Granular consent flags ship today

Sector-specific

Framework | Sector | Status
RBI Master Direction on IT Outsourcing (Apr 2023) | Banks / NBFC | Aligned
RBI Cyber Security Framework for Banks (Jun 2016) | Banks | Aligned
IRDAI Information & Cyber Security Guidelines (2017) | Insurance | Aligned
SEBI Cybersecurity & Cyber Resilience Framework (Aug 2022) | Capital markets | Aligned
NDHM / DISHA (draft) | Healthcare | Incorporated

International (alignment, not yet certified)

Framework | Status | Target
ISO 27001:2022 | In progress | Q2 2026 certification
SOC 2 Type 2 | In progress | Q3 2026 audit
GDPR (Article 28 DPA) | Available | For EU-HQ customers with Indian operations

6 Reporting a vulnerability

If you discover a security vulnerability in Headx, please report it to security@headx.in with:

  • A description of the issue and reproduction steps
  • Affected endpoint or page
  • Severity assessment (your view)
  • Any proof-of-concept code (please do not include real customer data)

Our SLA

Stage | Timeline
Acknowledgement | Within 4 hours (24x7)
Confirmation | Within 48 hours
Patch (high severity) | Within 14 days
Public credit | On request, after fix is deployed
Please do not: publicly disclose the issue before we have responded, attempt to access customer data not your own, or DDoS production systems as part of testing.

7 Incident response and notification

Headx maintains a documented incident response runbook with the following commitments:

  • Detection — 24x7 monitoring with alerting on anomalous infrastructure activity
  • Containment — within 2 hours of confirmed incident
  • Customer notification — affected customers notified within 72 hours of confirmation (DPDP Act 2023 alignment)
  • Public disclosure — within 30 days of resolution if customer data was affected
  • Post-mortem — published to affected customers within 30 days of resolution

8 Sub-processors and data flows

For Cloud customers, the following sub-processors handle data on our behalf:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Compute, storage, database | Mumbai, India (ap-south-1)
Cloudflare | CDN, DDoS protection, WAF | Global edge (data does not leave India for processing)
Cashfree Payments | Payment processing | India
Razorpay | Payment processing (alternative) | India
Postmark / Resend | Transactional email | US (no customer activity data shared)

On-Premise customers have zero sub-processors — all data flows are inside the customer's own infrastructure.

9 Audits and assurance

Available to customers under NDA, typically within 24 hours of request:

  • Penetration test summary (latest: Q1 2026, conducted by external firm)
  • Security questionnaire responses (SIG, CAIQ, customer-specific)
  • Data Processing Agreement (DPA) signed by our authorised signatory
  • Sub-processor list with annual review
  • Incident response playbook (redacted)

Related documents: request via security@headx.in or sales@headx.in.

Need detailed audit evidence or a signed DPA?

The full Statement of Applicability, latest penetration-test summary, sub-processor register with annual review records, and pre-filled CAIQ / SIG questionnaires are available under NDA — typically within 24 hours (IST business days).