Yes. Cetbix uses carefully selected subprocessors for infrastructure, monitoring, and communication services.

No. All customer data is encrypted at the database level, so it cannot be viewed, read or interpreted in its stored form by any individual, including Cetbix employees. The corresponding decryption keys are held under strict access control and are not available to employees; without them, the stored data remains unintelligible.

Cetbix employees do not hold credentials that permit access to customer accounts and are strictly prohibited from accessing, retrieving or viewing customer data unless the customer has explicitly authorized it in writing for approved support or operational purposes. Any such access is limited in scope, granted only on a need-to-know basis and conditional on a valid nondisclosure agreement signed by the employee concerned. Authorized access is restricted to the minimum level required to perform the requested service, and it is fully logged, continuously monitored and periodically audited by independent reviewers to ensure accountability, security and compliance with applicable legal, contractual and regulatory obligations.

Yes. Customers can request access to restricted documents through the Trust Center access request process.

Yes. Cetbix is designed to comply with GDPR requirements including data minimization, lawful processing, and user rights management.

Yes. Cetbix maintains a disaster recovery and business continuity plan designed to ensure service resilience.

Yes. Cetbix performs regular, automated backups of customer data and platform‑critical systems as part of its backup and contingency‑planning controls.

Backups are designed to support:

  • Data integrity and recovery in the event of system failures, corruption, or security incidents.
  • Disaster‑recovery objectives, with documented procedures to restore data and services within defined timeframes.

Backup data is stored securely, with access restricted to authorised personnel, and is included in Cetbix’s technical and organisational measures to maintain availability and protect against data loss.

Yes. Cetbix undergoes regular third-party penetration testing, and findings are reviewed and remediated based on severity.

No. Cetbix does not sell, rent, or share customer data with third parties for commercial purposes.

Cetbix aligns its security controls with relevant industry frameworks and continuously evolves its compliance posture based on regulatory requirements.

SOC 2 alignment is part of Cetbix’s compliance roadmap. Customers can request supporting security documentation through the Trust Center.

Yes. Cetbix supports Single Sign‑On (SSO) so that your users authenticate through your organisation's identity provider (for example Microsoft Entra ID / Azure AD, Google, or another SAML‑based Identity Provider) instead of managing separate Cetbix usernames and passwords.

SSO simplifies user access, enforces your corporate authentication and password policies, and helps reduce the risk of weak or reused credentials. If your organisation requests it, Cetbix can configure SSO for your instance and document the integration steps and supported protocols (typically SAML‑based SSO or equivalent standards).

Cetbix follows a structured vulnerability management process:

  • Detection via automated tools and testing
  • Risk classification
  • Timely remediation
  • Verification and closure

Security issues can be reported to:

  • security@cetbix.com

Use the “Request Access” form on the Trust Center to submit your request. Access is granted based on verification and need.

Cetbix maintains an incident response plan that includes:

  • Detection and containment
  • Impact assessment
  • Customer notification (if applicable)
  • Root cause analysis
  • Preventive measures

Customer data is protected using:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256 or equivalent)
  • Strict role-based access control
  • Continuous security monitoring

Access is strictly role-based and follows least-privilege principles. Access is granted only to authorized personnel and reviewed regularly.

Data retention is defined by customer contracts and legal requirements. Customers can request deletion in accordance with applicable laws.

Customers are notified in accordance with contractual obligations and legal requirements, depending on severity and impact.

Currently in progress.

Cetbix may from time to time operate a responsible disclosure program through which security researchers can report vulnerabilities safely.

Cetbix maintains monitoring and incident response processes. Critical incidents are triaged immediately, and customers are informed through defined communication channels.

Cetbix follows a defense-in-depth security model built on ISO 27001 principles, including access control, encryption, monitoring, and continuous risk management.

Cetbix supports SAML 2.0 as its core protocol for Single Sign‑On integrations. SAML 2.0 is the established standard for federated authentication and is compatible with most modern Identity Providers, such as Microsoft Entra ID (Azure AD), Okta, OneLogin and similar platforms.

Within SAML 2.0, Cetbix typically uses:

  • SP‑initiated and IdP‑initiated login flows, so users can start from either your corporate login portal or the Cetbix sign‑in page.
  • HTTP‑Redirect and HTTP‑POST bindings for SAML requests and responses.
  • Metadata‑based integration (XML metadata file) to exchange certificates, endpoints, and entity identifiers with your Identity Provider.
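As an added illustration of the three points above (this is example code written for this page, not Cetbix's own integration code), the following Python parses a constructed IdP metadata document to pull out the entityID, the SingleSignOnService endpoint for each binding and the signing certificate, then builds an SP‑initiated AuthnRequest and encodes it for the HTTP‑Redirect binding (DEFLATE, base64, URL‑encode) and the HTTP‑POST binding (base64 as a form field). Every entity ID, URL and certificate value is a made‑up placeholder; Cetbix's real metadata and endpoints are not shown on this page.

```python
"""Added example, not Cetbix code: SAML 2.0 metadata parsing and AuthnRequest
encoding for the HTTP-Redirect and HTTP-POST bindings. All identifiers below
(entity IDs, URLs, the certificate body) are constructed placeholders."""
import base64
import datetime
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata for a hypothetical IdP; the certificate is a placeholder string.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCert</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoint per binding and the IdP signing certificates.

    The signing certificates are what the SP must use to verify the signature on
    every Response/Assertion; entityID and endpoints are the values it pins for
    Issuer and Destination checks. Metadata fetched from the network is untrusted
    until verified: in production parse it with defusedxml and obtain it over an
    authenticated channel."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    certs = ["".join(c.text.split())  # base64 body may be wrapped across lines
             for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"  # no 'use' means signing + encryption
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return {"entity_id": root.get("entityID"), "sso": endpoints, "signing_certs": certs}


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """SP-initiated AuthnRequest asking the IdP to deliver its Response over HTTP-POST."""
    request_id = request_id or "_" + uuid.uuid4().hex  # xs:ID must not start with a digit
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{idp_sso_url}" ProtocolBinding="{POST}" '
            f'AssertionConsumerServiceURL="{acs_url}">'
            f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>")


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """Inverse of redirect_binding_url, i.e. what the IdP does on receipt."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode()


def post_binding_form(authn_request_xml, relay_state=None):
    """HTTP-POST binding: base64 only, carried as hidden form fields in an auto-submit form."""
    fields = {"SAMLRequest": base64.b64encode(authn_request_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    req = build_authn_request("https://sp.example.com/saml/metadata",
                              "https://sp.example.com/saml/acs", idp["sso"][REDIRECT])
    url = redirect_binding_url(idp["sso"][REDIRECT], req, relay_state="/dashboard")
    print(url)
    assert decode_redirect_request(url) == req
```

The example stops short of signing the request and of verifying the IdP's Response; in a real deployment those steps, plus checks that the Response's Destination, Audience, InResponseTo and validity window match what the SP sent, are the part that matters for security, and a maintained library such as python3‑saml should handle them. Note that the HTTP‑Redirect binding carries the request in the URL, so it is visible in browser history and proxy logs, which is one reason the Response is normally returned over HTTP‑POST.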

A full and updated list of subprocessors is available in the Subprocessors section of the Trust Center.

Cetbix hosts customer data in secure, ISO 27001‑certified data centres located in Germany (EU). All data is physically stored within European co‑location facilities that meet strict security and compliance standards, helping us support GDPR and other regional data‑protection requirements.

Access to these facilities is tightly controlled, and infrastructure is designed to ensure high availability, resilience, and protection against unauthorised access. For most customers, this means your data remains in the EU and is not transferred to jurisdictions outside of GDPR‑aligned regions unless explicitly required and agreed as part of your contractual arrangement.