Security
Last updated May 2026
Security is core to a consent platform. This page summarizes how ConsentX protects the data you trust us with. To report a vulnerability, see the disclosure section below.
Encryption
Data is encrypted in transit with TLS, and data at rest is encrypted using the storage-layer encryption of our cloud provider.
Access control
Access to production systems is restricted on a least-privilege basis and protected with multi-factor authentication. Customer accounts support single sign-on and TOTP multi-factor authentication.
Tamper-evident consent evidence
Consent records are bound into a per-record SHA-256 hash chain. Any change to a record breaks the chain and is detectable, so your audit evidence is provable rather than merely stored.
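An added sketch of how a SHA-256 hash chain makes edits detectable; this is not ConsentX's code, and the record layout, field names, genesis value and `anchored_head` parameter are assumptions, since this page does not publish its format. It also shows why a verifier should compare against a head hash kept outside the record store: without it, a fully recomputed or truncated chain still verifies.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

# Constructed sample consent events (hypothetical fields).
SAMPLE = [
    {"subject": "u-1001", "purpose": "analytics", "granted": True},
    {"subject": "u-1002", "purpose": "marketing", "granted": False},
    {"subject": "u-1001", "purpose": "marketing", "granted": True},
]

def record_hash(prev_hash, payload):
    # Canonical JSON so equal payloads always serialize to the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + body).hexdigest()

def build(payloads):
    # Each record stores the previous record's hash and its own hash.
    chain, prev = [], GENESIS
    for p in payloads:
        h = record_hash(prev, p)
        chain.append({"payload": dict(p), "prev_hash": prev, "hash": h})
        prev = h
    return chain

def verify(chain, anchored_head=None):
    """Return (ok, reason). anchored_head is a head hash stored elsewhere."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, f"record {i}: broken link"
        if record_hash(prev, rec["payload"]) != rec["hash"]:
            return False, f"record {i}: content changed"
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head does not match anchored value"
    return True, "ok"

if __name__ == "__main__":
    chain = build(SAMPLE)
    head = chain[-1]["hash"]           # would be stored outside the record store
    chain[1]["payload"]["granted"] = True  # in-place edit of one record
    print(verify(chain, head))
```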
Network security
Our edge is protected by Cloudflare, including a web application firewall and DDoS mitigation. Origin access is locked down to our infrastructure.
Data residency
The ConsentX application is hosted on Amazon Web Services. Customer data location follows the configured region. See our subprocessors for the providers we use.
Certifications, documentation and data protection
The controls below are true of the product today. For documentation, contact us and we will share what your review needs.
- Tamper-evident consent evidence. Every consent record is bound into a per-record SHA-256 hash chain. You can verify integrity with a single command, so evidence is provable rather than merely stored.
- Signed DPA available on request. A data processing agreement is available so your legal team has the contract it needs.
- Public subprocessor list. We publish the providers in our supply chain. See the current list on our subprocessors page.
- Encryption in transit and at rest. TLS in transit and storage-layer encryption at rest.
- Least-privilege access. Access to production is restricted on a least-privilege basis and protected with multi-factor authentication.
- Hosted on AWS behind Cloudflare. The application runs on Amazon Web Services with a Cloudflare web application firewall and DDoS mitigation at the edge.
Independent certifications: contact us for our current attestations and roadmap.
Request our security package (DPA, subprocessor list, security overview).
Responsible disclosure
If you believe you have found a security issue, please contact us at security@consentx.io. Our machine-readable policy is published at /.well-known/security.txt. We appreciate coordinated disclosure and will work with you to confirm and resolve valid reports.
Report a vulnerability
Email security@consentx.io with steps to reproduce. Please do not disclose publicly until we have confirmed a fix.