Yes. Cetbix uses carefully selected subprocessors for infrastructure, monitoring, and communication services.
Access is restricted and granted only when necessary for support or operational purposes. All access is logged and audited.
Yes. Customers can request access to restricted documents through the Trust Center access request process.
Yes. Cetbix is designed to comply with GDPR requirements including data minimization, lawful processing, and user rights management.
Yes. Cetbix maintains a disaster recovery and business continuity plan designed to ensure service resilience.
Yes. Cetbix performs regular, automated backups of customer data and platform‑critical systems as part of its backup and contingency‑planning controls.
Backups are designed to support:
- Data integrity and recovery in the event of system failures, corruption, or security incidents.
- Disaster‑recovery objectives, with documented procedures to restore data and services within defined timeframes.
Backup data is stored securely, with access restricted to authorised personnel, and is included in Cetbix’s technical and organisational measures to maintain availability and protect against data loss.
Yes. Cetbix undergoes regular third-party penetration testing, and findings are reviewed and remediated based on severity.
No. Cetbix does not sell, rent, or share customer data with third parties for commercial purposes.
Cetbix aligns its security controls with relevant industry frameworks and continuously evolves its compliance posture based on regulatory requirements.
SOC 2 alignment is part of Cetbix’s compliance roadmap. Customers can request supporting security documentation through the Trust Center.
Yes. Cetbix supports Single Sign‑On (SSO) to allow your users to authenticate through your organisation’s identity provider (for example, Microsoft Entra ID / Azure AD, Google or other SAML‑based Identity Providers) instead of managing separate Cetbix usernames and passwords.
SSO simplifies user access, enforces your corporate authentication and password policies, and helps reduce the risk of weak or reused credentials. If your organisation requests it, Cetbix can configure SSO for your instance and document the integration steps and supported protocols (typically SAML‑based SSO or equivalent standards).
Cetbix follows a structured vulnerability management process:
- Detection via automated tools and testing
- Risk classification
- Timely remediation
- Verification and closure
Security issues can be reported to:
security@cetbix.com
Use the “Request Access” form on the Trust Center to submit your request. Access is granted based on verification and need.
Cetbix maintains an incident response plan that includes:
- Detection and containment
- Impact assessment
- Customer notification (if applicable)
- Root cause analysis
- Preventive measures
Cetbix manages Information Technology (IT) and Operational Technology (OT) asset data through a structured, centralised inventory and monitoring approach, primarily via Cetbix Sentinel and the Cetbix GRC platform.
Key aspects of how IT/OT asset data is handled:
- Discovery and inventory – Cetbix conducts automated network scans to discover IT/OT systems, including industrial devices, controllers, and network‑connected equipment, then catalogues them with attributes such as IP, hostname, role, OS, and software stack.
- Asset classification and tagging – IT/OT assets are classified (e.g., critical vs non‑critical) and labelled according to the organisation’s information‑classification scheme, so that data can be prioritised for risk‑management and compliance.
- Centralised data inventory – All asset‑related data is stored in a centralised inventory that supports risk‑based decision‑making, regulatory reporting, and audit readiness by providing a clear view of which assets process which data.
- Security and compliance linkage – Cetbix links IT/OT asset data to security controls, vulnerabilities, licence status, and compliance requirements, enabling continuous monitoring, patch‑management priorities, and incident‑response context for industrial environments.
- Data protection and governance – IT/OT asset data is handled in line with Cetbix’s technical and organisational security measures, including encryption, access controls, and audit logging, so that inventory information remains accurate, secure, and available for authorised users only.
Customer data is protected using:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256 or equivalent)
- Strict role-based access control
- Continuous security monitoring
Access is strictly role-based and follows least-privilege principles. Access is granted only to authorized personnel and reviewed regularly.
Data retention is defined by customer contracts and legal requirements. Customers can request deletion in accordance with applicable laws.
Customers are notified in accordance with contractual obligations and legal requirements, depending on severity and impact.
Yes. Cetbix encrypts customer data both in transit and at rest to protect confidentiality and integrity.
- In transit: All data sent between you and the Cetbix platform is encrypted using modern TLS protocols, so that information cannot be read or tampered with while in transmission.
- At rest: Data stored in Cetbix systems is encrypted using industry‑standard cryptographic controls, with strict access controls and key‑management practices to limit who can decrypt it.
These measures are part of our broader technical and organisational security practices, designed to keep your data secure while still enabling you to access and manage it through the platform.
Cetbix may from time to time operate a responsible disclosure program through which security researchers can report vulnerabilities safely.
Cetbix holds or supports the following key certifications and compliance frameworks for its platform and services:
- ISO 27001 – Cetbix operates an ISO 27001‑aligned Information Security Management System (ISMS) for its platform and core services, with certification currently in progress.
- GDPR compliance – Cetbix provides GDPR‑compliant data‑processing services, including Data Processing Agreements (DPAs) and documented technical and organisational measures.
- NIS2‑aligned practices – The platform is designed to support customers in meeting NIS2‑related security and incident‑reporting obligations through its risk‑management and incident‑response capabilities.
- Industry‑specific and regional standards – Cetbix helps customers map to frameworks such as TISAX, NIST, IATF, and other sector‑specific standards through its GRC and ISMS modules, even when the certification itself is held by the customer rather than the platform vendor.
Cetbix maintains monitoring and incident response processes. Critical incidents are triaged immediately, and customers are informed through defined communication channels.
Cetbix follows a defense-in-depth security model built on ISO 27001 principles, including access control, encryption, monitoring, and continuous risk management.
Cetbix defines a Recovery Time Objective (RTO) for data restoration that targets service restoration within a defined window following an incident or disruption, typically in the range of hours rather than days, depending on the workload and customer‑specific arrangements.
In practice, this means that where possible, Cetbix aims to restore critical platform services and customer‑accessible data to a functional state within a few hours after a significant incident, supported by regular backups, tested disaster‑recovery procedures, and resilient infrastructure.
Exact RTO values can vary by deployment and contract, so enterprise customers are encouraged to review their specific SLAs or request RTO/RPO details for their environment from the Cetbix security or customer‑success team.
Cetbix conducts structured disaster recovery (DR) testing to validate that our platform and critical services can be restored within defined timeframes. Specific procedures include:
- Regular DR test cycles – Planned disaster recovery exercises are run periodically (typically at least annually, with smaller walk‑throughs or partial tests more frequently) to ensure that backup and recovery processes remain current.
- Scenario‑based failover tests – Simulated incidents such as data‑centre outages, infrastructure failures, or major service disruptions are used to test failover to backup systems and recovery of databases and application layers.
- RTO/RPO validation – During tests, Cetbix measures how long it takes to restore services (against the RTO) and how much data would be lost (against the RPO, the maximum acceptable data loss), then uses those results to refine backup schedules, recovery playbooks, and resource allocation.
- Controlled‑environment execution – Tests are performed in isolated or non‑production environments where possible, to avoid impact on live customer workloads while still validating real‑world recovery steps.
- Documentation and post‑test reviews – All test steps, results, and any issues are recorded, and a formal review follows each test to update the disaster recovery plan, close gaps, and align with evolving infrastructure and threat models.
Cetbix supports SAML 2.0 as the core SAML protocol for Single Sign‑On integrations. This is the current industry standard for federated authentication and is compatible with most modern Identity Providers, such as Microsoft Entra ID (Azure AD), Okta, OneLogin, and similar platforms.
Within SAML 2.0, Cetbix typically uses:
- SP‑initiated and IdP‑initiated login flows, so users can start from either your corporate login portal or the Cetbix sign‑in page.
- HTTP‑Redirect and HTTP‑POST bindings for SAML requests and responses.
- Metadata‑based integration (XML metadata file) to exchange certificates, endpoints, and entity identifiers with your Identity Provider.
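The following is an added example of the service-provider (SP) side of the SAML 2.0 integration described above; it is illustrative code written for this page, not Cetbix's own implementation. It parses a constructed IdP metadata file for the entity ID, the HTTP-Redirect and HTTP-POST SingleSignOnService endpoints and the signing certificate, builds an SP-initiated AuthnRequest encoded for the HTTP-Redirect binding, and applies the checks an SP must make on the response it receives over HTTP-POST (Destination, status, InResponseTo for SP-initiated versus IdP-initiated logins, Issuer, validity window, Audience). All hostnames (idp.example.test, sp.example.test), the certificate placeholder and the sample response are constructed. XML signature verification is deliberately delegated to a proper XML-DSig library rather than hand-rolled here; it must run before these checks and be restricted to the certificates taken from metadata.

```python
"""Added example, not Cetbix code: SP side of a SAML 2.0 SSO integration.
Standard library only; every endpoint and certificate below is constructed."""
import base64
import datetime as dt
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UTC = dt.timezone.utc

# Constructed IdP metadata: the XML file exchanged during metadata-based setup.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP response as it would arrive on the SP's ACS URL via HTTP-POST (after base64 decoding).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.test/saml/acs" InResponseTo="{req}">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:58:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Pin what the SP trusts from IdP metadata: entity ID, SSO endpoint per binding, signing certs."""
    root = ET.fromstring(xml_text)
    sso = {s.get("Binding"): s.get("Location")
           for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # an absent 'use' means the key serves any purpose
            certs += [c.text.strip() for c in kd.iter(f"{{{NS['ds']}}}X509Certificate")]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """SP-initiated flow, step 1. The SP keeps request_id to match the response's InResponseTo."""
    request_id = "_" + uuid.uuid4().hex
    issued = dt.datetime.now(UTC).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{issued}" Destination="{idp_sso_url}" '
           f'ProtocolBinding="{BINDING_POST}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    return request_id, xml


def encode_redirect_binding(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64; the caller URL-encodes these query params."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate without zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return params


def decode_redirect_binding(saml_request_param):
    """Inverse of encode_redirect_binding; useful when inspecting what a browser was sent."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()


def _saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally with fractional seconds."""
    if value is None:
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return dt.datetime.strptime(value, fmt).replace(tzinfo=UTC)


def validate_response(response_xml, idp, sp_entity_id, acs_url, outstanding_ids,
                      now=None, allow_idp_initiated=True, skew=dt.timedelta(minutes=3)):
    """Checks applied to a response on the HTTP-POST binding AFTER its XML signature has been
    verified against idp['signing_certs'] by an XML-DSig library. Returns a list of problems."""
    now = now or dt.datetime.now(UTC)
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this SP's ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:  # IdP-initiated login: no AuthnRequest to match
        if not allow_idp_initiated:
            problems.append("unsolicited response but IdP-initiated login is disabled")
    elif in_response_to not in outstanding_ids:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion would have to be decrypted first
        return problems + ["no plaintext Assertion present"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp["entity_id"]:
        problems.append("assertion Issuer is not the configured IdP")
    cond = assertion.find("saml:Conditions", NS)
    not_before = _saml_time(cond.get("NotBefore")) if cond is not None else None
    not_on_or_after = _saml_time(cond.get("NotOnOrAfter")) if cond is not None else None
    if not_before and now < not_before - skew:
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= not_on_or_after + skew:
        problems.append("assertion expired")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("AudienceRestriction does not name this SP")
    return problems


def demo():
    """Run the SP-initiated flow against the constructed data and return validation outcomes."""
    idp = parse_idp_metadata(IDP_METADATA)
    sp_id, acs = "https://sp.example.test", "https://sp.example.test/saml/acs"
    req_id, req_xml = build_authn_request(sp_id, acs, idp["sso"][BINDING_REDIRECT])
    params = encode_redirect_binding(req_xml, relay_state="/dashboard")
    print("redirect user to:", idp["sso"][BINDING_REDIRECT] + "?" + urlencode(params))
    response = SAMPLE_RESPONSE.format(req=req_id)
    now = dt.datetime(2024, 5, 1, 12, 1, tzinfo=UTC)  # inside the sample assertion's validity window
    return {
        "fresh": validate_response(response, idp, sp_id, acs, {req_id}, now=now),
        "expired": validate_response(response, idp, sp_id, acs, {req_id}, now=now + dt.timedelta(hours=1)),
        "replayed": validate_response(response, idp, sp_id, acs, set(), now=now),
        "wrong_audience": validate_response(response, idp, "https://other-sp.example.test", acs, {req_id}, now=now),
    }


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(f"{scenario}: {'OK' if not problems else problems}")
```

The `outstanding_ids` set is what makes SP-initiated logins replay-resistant: each request ID is stored when the AuthnRequest is issued and removed once a response for it has been accepted. For IdP-initiated logins there is no request to match, so the SP relies on the validity window, the Audience check and the signature alone; that is why `allow_idp_initiated` is a deliberate switch rather than the default for every deployment.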
A full and updated list of subprocessors is available in the Subprocessors section of the Trust Center.
Cetbix hosts customer data in secure, ISO 27001‑certified data centres located in Germany (EU). All data is physically stored within European co‑location facilities that meet strict security and compliance standards, helping us support GDPR and other regional data‑protection requirements.
Access to these facilities is tightly controlled, and infrastructure is designed to ensure high availability, resilience, and protection against unauthorised access. For most customers, this means your data remains in the EU and is not transferred to jurisdictions outside of GDPR‑aligned regions unless explicitly required and agreed as part of your contractual arrangement.