Security overview, incident response & SLA

How we detect, contain and notify security incidents, and the service commitments behind ConsentX. Factual, with no certification we have not earned.

In short
ConsentX runs a defined incident-response process: detect and triage, contain, notify, eradicate and recover, then review. For a personal data breach we notify affected customers within 48 hours of becoming aware, per our DPA, and support DPDPA notification to the Data Protection Board and affected data principals. We operate to a 99.9% uptime target with a contractual SLA on Enterprise. We do not claim SOC 2 or ISO 27001, which are on our roadmap.

Incident-response process

1. Detect & triage

Monitoring and alerting surface anomalies. On report or alert, we triage severity and scope and open an incident with an owner.

2. Contain

We isolate affected systems, revoke or rotate credentials as needed, and stop the spread before moving to eradication.

3. Notify

For a personal data breach we notify affected customers without undue delay and within 48 hours of becoming aware, per our DPA, and support notification to the Data Protection Board and affected data principals under the DPDPA.

4. Eradicate & recover

We remove the root cause, restore from encrypted backups where needed, and verify integrity before returning to normal operations.

5. Post-incident review

Every significant incident gets a written review with root cause and corrective actions, fed back into controls and monitoring.

Security controls

Encryption

TLS in transit; storage-layer encryption at rest on AWS, including encrypted backups.

Access & network

Least-privilege access with MFA on production; Cloudflare WAF and DDoS mitigation at the edge.

Data residency

Application and consent data hosted on AWS in Mumbai (ap-south-1), India, with intra-region processing by default.

Consent integrity

Consent events are sealed in a SHA-256 hash chain, so records are tamper-evident and verifiable.
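The tamper-evidence claim above rests on each consent record carrying the hash of the record before it. The following is an added illustration of that construction, not ConsentX's own code, and the event fields, genesis value and sample events are constructed for the example. It shows what a chain verifier can and cannot detect: an edited or deleted record breaks the chain at a known index, while silently dropping the most recent records does not, which is why the head hash should also be anchored somewhere outside the store.

```python
import copy
import hashlib
import hmac
import json

# Constructed genesis predecessor for the first record (assumption, not a ConsentX value).
GENESIS = "0" * 64

# Constructed sample consent events; field names are assumptions for the example.
SAMPLE_EVENTS = [
    {"principal": "user-1001", "purposes": ["essential"], "ts": "2025-01-10T09:00:00Z"},
    {"principal": "user-1001", "purposes": ["essential", "analytics"], "ts": "2025-01-11T12:30:00Z"},
    {"principal": "user-2002", "purposes": ["essential"], "ts": "2025-01-12T08:15:00Z"},
]


def canonical(event: dict) -> bytes:
    """Stable serialization: key order and whitespace must not change the hash."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal(prev_hash: str, event: dict) -> str:
    """SHA-256 over (previous record hash || canonical event)."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append(chain: list, event: dict) -> dict:
    """Append a sealed record whose prev_hash links it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"event": copy.deepcopy(event), "prev_hash": prev, "hash": seal(prev, event)}
    chain.append(record)
    return record


def verify(chain: list):
    """Walk the chain from genesis; return (True, None) or (False, index_of_first_bad_record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, i  # link broken: record missing or reordered before this point
        if not hmac.compare_digest(rec["hash"], seal(prev, rec["event"])):
            return False, i  # event content or stored hash was altered
        prev = rec["hash"]
    return True, None


def verify_with_anchor(chain: list, expected_head: str) -> bool:
    """Truncation from the tail is only detectable against an externally stored head hash."""
    ok, _ = verify(chain)
    head = chain[-1]["hash"] if chain else GENESIS
    return ok and hmac.compare_digest(head, expected_head)


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


def edit_demo():
    """Edit the second record's content after sealing: chain breaks at index 1."""
    chain = build_sample_chain()
    chain[1]["event"]["purposes"] = ["essential"]  # withdraw analytics consent retroactively
    return verify(chain)


def delete_demo():
    """Delete a middle record: the next record's prev_hash no longer matches."""
    chain = build_sample_chain()
    del chain[1]
    return verify(chain)


def truncate_demo():
    """Drop the newest record: the chain alone still verifies, the anchored head does not."""
    chain = build_sample_chain()
    anchored_head = chain[-1]["hash"]  # e.g. published to the customer or a separate store
    truncated = chain[:-1]
    return verify(truncated), verify_with_anchor(truncated, anchored_head)


if __name__ == "__main__":
    print("intact:", verify(build_sample_chain()))
    print("edited:", edit_demo())
    print("deleted:", delete_demo())
    print("truncated (chain-only, anchored):", truncate_demo())
```

The deepcopy in append matters: if the store kept a reference to a caller's mutable dict, a later in-place change would diverge from the sealed hash and look like tampering. Canonical JSON serialization matters for the same reason, since any difference in key order or whitespace between writer and verifier would make every record fail.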

Availability & SLA

ConsentX operates to a 99.9% uptime target. A contractual uptime SLA is available on the Enterprise plan. The consent widget is also designed to fail open, so a ConsentX disruption does not block your site.

Responsible disclosure

Found a security issue? Email security@consentx.io. We acknowledge valid reports and work with researchers to resolve them.

Security & incident-response questions

How quickly does ConsentX notify customers of a breach?

For a personal data breach, we notify affected customers without undue delay and within 48 hours of becoming aware, as committed in our Data Processing Agreement.

Does ConsentX have an uptime SLA?

We operate to a 99.9% uptime target, and a contractual uptime SLA is available on the Enterprise plan. We do not overstate availability we cannot commit to.

Is ConsentX ISO 27001 or SOC 2 certified?

Not yet. We do not claim either until it is independently verified; both are on our roadmap. See the Security and Trust pages for current status.

How do I report a security issue?

Email security@consentx.io. We welcome responsible disclosure and will acknowledge and work with you on valid reports.