SOC 2 TYPE 2 CERTIFICATION
CXO Nexus is SOC 2 Type 2 certified.
As more companies require reliability and visibility into their IT spend, there is increasing demand for outsourced AI and machine learning technologies that transform spend data quickly and at scale, so that companies can trust their data-driven decisions. Data-as-a-Service solutions require trust and transparency. For customers in highly regulated industries, this independent validation of security controls is critical.
System and Organization Control (SOC 2 Type 2) Reports are independent third-party examination reports that demonstrate how CXO Nexus achieves its compliance controls and objectives. CXO Nexus attests that its information security practices, policies, procedures, and operations meet the rigorous SOC 2 Type 2 standards for security, availability, confidentiality, processing integrity, and privacy.
SOC 2 Type 2 Report
CXO Nexus ensures customer data is protected using state-of-the-art technical controls throughout its service.
- Connection Security
- Data Segregation
- Network Security
- Disaster Recovery & Backup
CXO Nexus regularly conducts penetration testing and vulnerability scanning in order to ensure our systems are always maintained in a secure state. Penetration testing is conducted by leading third-party security firms. Summary reports for such third-party penetration testing and web application vulnerability scans are available upon request.
Please report any suspected malicious activity or potential undiscovered security vulnerabilities to firstname.lastname@example.org for immediate attention.
Confidentiality & InfoSec
CXO Nexus requires all employees and contractors to sign and abide by non-disclosure confidentiality agreements, and to comply with our information security policies.
CXO Nexus provides new-hire training and ongoing training to all employees on our information security handling practices and policies. CXO Nexus developers are required to take specific secure coding practice training on an annual basis.
Access to Data
The principle of "least privilege" is followed and data is only accessible to authorized CXO Nexus personnel as required. Customer data is only disclosed to third parties in connection with the provision of services to you, and only in accordance with your Master Services Agreements with CXO Nexus.
Written Information Security Program
Cybersecurity Program Overview
CXO Nexus is committed to protecting its employees, partners, clients and CXO Nexus from damaging acts that are intentional or unintentional. Effective security is a team effort involving the participation and support of every CXO Nexus user who interacts with data and information systems. Therefore, it is the responsibility of every user to know these policies and to conduct their activities accordingly.
Protecting company information and the systems that collect, process, and maintain this information is of critical importance. Consequently, the security of information systems must include controls and safeguards to offset possible threats, as well as controls to ensure accountability, availability, integrity, and confidentiality of the data:
- Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is restricted to only authorized users and services.
- Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
- Availability – Availability addresses ensuring timely and reliable access to and use of information. Security measures must be taken to guard against unauthorized access to, alteration, disclosure or destruction of data and information systems. This also includes guarding against accidental loss or destruction.
Scope & Applicability
These policies, standards, and procedures apply to all CXO Nexus data, information systems, activities, and assets owned, leased, controlled, or used by CXO Nexus, its agents, contractors, or other business partners on behalf of CXO Nexus. These policies, standards, and procedures apply to all CXO Nexus employees, contractors, sub-contractors, and their respective facilities supporting CXO Nexus business operations, wherever CXO Nexus data is stored or processed, including any third-party contracted by CXO Nexus to handle, process, transmit, store, or dispose of CXO Nexus data.
Some policies are explicitly stated for persons with a specific job function (e.g., a System Administrator); otherwise, all personnel supporting CXO Nexus business functions shall comply with the policies. CXO Nexus departments shall use these policies or may create a more restrictive policy, but not one that is less restrictive, less comprehensive, or less compliant than this policy.
These policies do not supersede any other applicable law, higher-level company directive or existing labor management agreement in effect as of the effective date of this policy.
CXO Nexus reserves the right to revoke, change, or supplement these policies, procedures, standards, and guidelines at any time without prior notice. Such changes shall be effective immediately upon approval by management, unless otherwise stated.
INFORMATION SECURITY POLICY STRUCTURE
1.0 Information Security Program Policy
CXO Nexus shall protect the confidentiality, integrity, and availability of its data and information systems, regardless of how its data is created, distributed, or stored. Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and sensitivity of the data and information system, in accordance with all legal obligations.
- Management Direction for Information Security
ORGANIZATION OF INFORMATION SECURITY - POLICY & STANDARDS
2.0 Information Security Organization Policy
CXO Nexus shall implement IT security program management controls to provide a foundation for CXO's Information Security Management System (ISMS).
- Mobile Devices and Teleworking
HUMAN RESOURCE SECURITY - POLICY & STANDARDS
3.0 Human Resource Security Policy
CXO Nexus shall ensure information security best practices are incorporated into Human Resources (HR) personnel management practices.
- Prior to Employment
- Termination and Change of Employment
ASSET MANAGEMENT - POLICY & STANDARDS
4.0 Asset Management Policy
CXO Nexus shall protect its assets and data by ensuring appropriate handling requirements are followed to prevent unauthorized disclosures, regardless of whether assets or data are being transmitted or stored.
- Responsibility for Assets
- Information Classification
- Media Handling
ACCESS CONTROL - POLICY & STANDARDS
5.0 Access Control Policy
CXO Nexus shall implement the principle of “least privilege” within logical access control mechanisms so that only authorized users have access to CXO's information systems and data.
- Business Requirements of Access Control
- User Access Management
- User Responsibilities
- System and Application Access Control
ENCRYPTION - POLICY & STANDARDS
6.0 Cryptography Policy
CXO Nexus shall ensure appropriate cryptographic safeguards are in place to protect sensitive business data against loss, unauthorized access, or disclosure.
- Cryptographic Controls
PHYSICAL & ENVIRONMENTAL SECURITY - POLICY & STANDARDS
7.0 Physical and Environmental Security Policy
CXO Nexus shall ensure physical access controls are in place to limit physical access to authorized personnel and provide appropriate environmental controls to protect both data and information systems from environmental hazards.
- Secure Areas
OPERATIONS SECURITY - POLICY & STANDARDS
8.0 Operations Security Policy
CXO Nexus shall implement and maintain appropriate layers of safeguards to protect information systems from possible threats.
- Protection from Malware
- Logging and Monitoring
- Control of Operational Software
- Technical Vulnerability Management
- Information Systems Audit Considerations
COMMUNICATIONS SECURITY - POLICY & STANDARDS
9.0 Communications Security Policy
CXO Nexus shall employ industry-recognized leading practice principles that promote efficient and effective information security protections within information systems and the network.
- Network Security Management
- Information Transfer
SYSTEM ACQUISITION, DEVELOPMENT & MAINTENANCE - POLICY & STANDARDS
10.0 System Acquisition, Development and Maintenance Policy
CXO Nexus shall ensure that application and system development employ adequate security measures during all phases of the System Development Life Cycle (SDLC) to ensure security-related risks are identified and remediated appropriately.
- Security Requirements of Information Systems
- Security in Development and Support Processes
TEST DATA VENDOR MANAGEMENT - POLICY & STANDARDS
11.0 Supplier Relationships Policy
CXO Nexus shall assess service providers to determine if IT security controls are effective. CXO Nexus must ensure service providers implement mechanisms to identify and remediate deficiencies or vulnerabilities on an ongoing basis, in order to ensure the continued effectiveness of IT security controls.
- Information Security in Supplier Relationships
- Supplier Service Delivery Management
INCIDENT RESPONSE - POLICY & STANDARDS
12.0 Information Security Incident Management Policy
CXO Nexus shall maintain an IT security incident handling capability that includes adequate preparation, detection, analysis, containment, recovery, and reporting activities.
- Management of Information Security Incidents and Improvements
BUSINESS CONTINUITY MANAGEMENT - POLICY & STANDARDS
13.0 Business Continuity Management Policy
CXO Nexus shall establish, implement, and maintain plans for the continuity of operations to ensure the availability of CXO's information resources during adverse conditions.
- Information Security Continuity
INFORMATION SECURITY COMPLIANCE - POLICY & STANDARDS
14.0 Compliance Policy
In accordance with all applicable legal requirements, CXO Nexus shall ensure appropriate safeguards are in place to protect sensitive business data against loss, unauthorized access, or disclosure.
- Compliance with Legal and Contractual Requirements
- Information Security Reviews
Do you have and maintain a security program or policy?
Yes, please see our public Security Program Overview - on this page, under the WISP (Written Information Security Program) tab.
Do you use MFA? (Multi-Factor Authentication)
Absolutely. It's a core part of CXO Nexus' information security.
Are you patching your systems?
Yes, it is a core part of our defense-in-depth strategy.
Do you use encryption in transit and at rest?
Yes, we use secure TLS protocols and AES 256-bit encryption.
Do you store, process or transmit Personal or Private data?
Do you conduct Penetration testing and Vulnerability scans?