This Security Policy describes the technical and organizational measures Inzata maintains to protect the confidentiality, integrity, and availability of customer data and platform systems. These controls apply to all Inzata services and infrastructure.
| Encryption (at rest) | AES-256 |
| Encryption (in transit) | TLS 1.3 |
| MFA | Required for all production system access |
| Access reviews | Quarterly |
| Critical vuln. SLA | Remediation within 24 hours |
| High-severity vuln. SLA | Remediation within 7 days |
| Incident notification | Within 72 hours of confirmed incident |
| Employee training | Annual security awareness training |
| Frameworks | SOC 2, ISO 27001, NIST |
1. Information Security Program
Inzata maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of customer data. Our program is aligned with industry-recognized frameworks including:
- SOC 2 (Service Organization Control 2).
- ISO 27001 - International Standard for Information Security Management.
- NIST Cybersecurity Framework.
2. Data Protection
- All customer data is encrypted at rest using AES-256 encryption.
- All data in transit is protected using TLS 1.3.
- Data is stored in SOC 2 compliant data centers.
- Redundant backups are maintained with tested disaster recovery capabilities.
Backup integrity is verified regularly and recovery procedures are tested to ensure data can be restored within defined recovery time objectives.
3. Access Control
- Role-based access control (RBAC) is applied across all systems and environments.
- Multi-factor authentication (MFA) is required for all access to production systems.
- Access rights are provisioned based on job function and reviewed quarterly.
- Privileged access is logged, monitored, and subject to additional controls.
- Access is revoked promptly upon employee departure or role change.
4. Incident Response
- Detection: Continuous monitoring and alerting to identify potential security events.
- Containment: Rapid isolation of affected systems to limit the scope of impact.
- Eradication: Identification and removal of the root cause.
- Recovery: Restoration of affected systems and verification of integrity.
- Post-incident review: Analysis of lessons learned and implementation of improvements.
Customers are notified of confirmed security incidents affecting their data within 72 hours, in accordance with applicable regulations. Notification details are further described in the Data Processing Addendum.
5. Vulnerability Management
- Regular automated vulnerability scans of infrastructure and application environments.
- Annual third-party penetration testing of production systems.
- Continuous monitoring of threat intelligence and security advisories.
Vulnerabilities are triaged and remediated according to the following targets:
| Critical severity | Remediated within 24 hours of identification. |
| High severity | Remediated within 7 days of identification. |
| Medium severity | Remediated within 30 days or mitigated with compensating controls. |
| Low severity | Addressed in scheduled release cycles. |
6. Employee Security
- All employees undergo background screening prior to hire.
- All employees complete annual security awareness training.
- Access to customer data is restricted to employees who require it for their specific job functions.
- Personnel handling sensitive data are subject to additional role-specific security requirements.
- Security policies and acceptable use requirements are communicated to all staff and contractors.
7. Infrastructure Security
- Physical security controls at all data center locations.
- Network segmentation and firewall rules to limit lateral movement.
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS).
- Continuous monitoring and centralized security logging (SIEM).
- Distributed denial-of-service (DDoS) protection.
- Regular configuration audits against security baselines.
8. Reporting a Security Concern
Company: QEngine LLC, dba INZATA
Address: PO Box 90762, Lakeland, FL 33804-0762
Email: [email protected]