Security & Compliance

Effective Date: August 2, 2025

Robust security and regulatory compliance are non-negotiable pillars of every engagement at CodesenSys. We embed best-practice controls—from code commit to production rollout—to safeguard client data, maintain service resilience, and satisfy regional as well as international standards. Below is a concise, bullet-point digest of our Security & Compliance posture.

CodesenSys Security & Compliance — Key Points

1 Holistic Security Framework

  • Aligns with ISO 27001, SOC 2, and NIST CSF principles for governance, risk, and control.
  • Covers people, process, and technology across the full software-development life cycle (SDLC).

2 DevSecOps by Design

  • Automated SCA, SAST, DAST, and container-image scanning integrated into CI/CD pipelines.
  • “Shift-left” security reviews on every pull request; critical findings block merges until resolved.

3 Data Protection & Encryption

  • TLS 1.3 for data in transit; AES-256 or stronger for data at rest.
  • Field-level encryption for especially sensitive records (e.g., PII, cryptographic keys).

4 Access Management

  • Zero-trust model with role-based access control (RBAC) and least-privilege enforcement.
  • MFA required for all privileged accounts; SSH keys rotated on a 90-day schedule.

5 Infrastructure Hardening & Monitoring

  • Hardened OS images (CIS benchmarks) and network micro-segmentation.
  • Real-time threat detection and SIEM alerts reviewed 24 × 7 by our security team.

6 Regulatory Compliance

  • Adheres to GDPR, CCPA, and PDPA where applicable, plus country-specific rules in Pakistan and the United States.
  • Data-processing addenda (DPAs) available upon request.

7 Third-Party & Open-Source Governance

  • All libraries, APIs, and SaaS providers vetted for security posture and compliance certifications.
  • SBOM (Software Bill of Materials) generated per release to track dependencies.

8 Audits & Pen-Tests

  • Quarterly vulnerability scans and annual third-party penetration tests.
  • Remediation timelines: critical ≤ 24 hrs, high ≤ 72 hrs, medium ≤ 14 days.

9 Incident Response & Business Continuity

  • Documented IRP with defined RACI matrix; tabletop exercises held bi-annually.
  • Geo-redundant backups and DR drills targeting RPO ≤ 15 min, RTO ≤ 1 hr.

10 Employee Training & Awareness

  • Mandatory onboarding security training followed by quarterly refreshers.
  • Phishing simulations and secure-coding workshops to cultivate a security-first culture.

11 Continuous Improvement

  • Post-incident “blameless” retrospectives feed into updated playbooks, tooling, and controls.
  • Security KPIs (MTTD, MTTR, patch latency) tracked and reviewed at the executive level.

12 Report a Vulnerability

  • Responsible disclosure is welcomed. Email security@codesensys.com with details; we acknowledge within 24 hrs and provide status updates until closure.