Customer Security Statement

    Our commitment to safeguarding your data with enterprise-grade security practices and industry-leading compliance standards.

    Last Updated: January 2026

    1. Our Commitment

    At RSA Tech Group, security is foundational to everything we build. We understand that our enterprise clients entrust us with critical business data and operations, and we take that responsibility seriously.

    Our security program is designed to protect the confidentiality, integrity, and availability of customer data across all our subsidiaries — including Connexr, LeoRix AI, Postwyse, PromptOps, TradersHub, and FoundersHub.ai.

    2. Security Framework

    Our security practices are aligned with and certified under the following industry standards:

    • SOC 2 Type II: We undergo annual SOC 2 audits to validate our controls for security, availability, processing integrity, confidentiality, and privacy.
    • HIPAA: We maintain full HIPAA compliance for our healthcare clients, including Business Associate Agreements (BAAs) and appropriate administrative, physical, and technical safeguards.
    • ISO 27001: Our information security management system (ISMS) is aligned with the ISO 27001 standard, providing a systematic approach to managing sensitive information.
    • GDPR: We comply with the General Data Protection Regulation for all personal data processing activities involving EU residents.

    3. Data Protection

    We implement comprehensive data protection measures including:

    • Encryption at Rest: All customer data is encrypted at rest using AES-256 encryption.
    • Encryption in Transit: All data in transit is protected using TLS 1.2 or higher.
    • Data Classification: We classify data based on sensitivity and apply appropriate handling procedures for each classification level.
    • Data Retention: We retain customer data only for as long as necessary to provide services and comply with legal obligations, with automated purging mechanisms.
    • Backup & Recovery: Automated, encrypted backups with regular disaster recovery testing ensure business continuity.

    4. Infrastructure Security

    Our infrastructure is designed with defense-in-depth principles:

    • Cloud infrastructure hosted on SOC 2 and ISO 27001 certified providers (AWS, Azure, GCP).
    • Network segmentation and firewalls to isolate customer environments.
    • Continuous vulnerability scanning and penetration testing performed by third-party security firms.
    • 24/7 monitoring via our Security Operations Center (SOC) with automated threat detection and response.
    • Regular patching and update cycles with zero-day response procedures.

    5. Access Controls

    We enforce strict access control policies to ensure only authorized personnel can access customer data:

    • Role-based access control (RBAC) with the principle of least privilege.
    • Multi-factor authentication (MFA) required for all system access.
    • Regular access reviews and automatic deprovisioning upon role changes or termination.
    • Comprehensive audit logging of all access events with tamper-evident storage.
    • Background checks for all employees with access to customer data.

    6. Incident Response

    RSA Tech Group maintains a formal Incident Response Plan that is tested and updated regularly. In the event of a security incident:

    • Affected customers are notified within 72 hours of confirmed incidents, in compliance with applicable regulations.
    • A dedicated incident response team coordinates containment, eradication, and recovery.
    • Post-incident reviews are conducted to identify root causes and implement preventive measures.
    • Detailed incident reports are made available to affected customers upon request.

    7. Vendor Management

    We hold our vendors and subprocessors to the same high security standards we maintain internally. Our vendor management program includes:

    • Security assessments and due diligence before onboarding any third-party vendor.
    • Contractual security and privacy requirements, including data processing agreements.
    • Ongoing monitoring and periodic reassessment of vendor security postures.
    • A maintained list of subprocessors available to customers upon request.

    8. Compliance & Certifications

    Our compliance program is managed through Drata and covers:

    • SOC 2 Type II certification with annual audits.
    • HIPAA compliance with annual risk assessments.
    • ISO 27001 alignment with plans for formal certification.
    • GDPR compliance including Data Protection Impact Assessments (DPIAs).
    • CCPA compliance for California residents.

    Copies of our SOC 2 report and other compliance documentation are available to customers and prospects under NDA upon request.

    9. Contact Us

    If you have questions about our security practices or would like to request compliance documentation, please contact us:

    RSA Tech Group — Security Team