Documented. Tested. Operating.

Policy framework

Cylentrix maintains a layered policy stack — corporate policies at the top, operational standards below, and runbooks at the operating layer. Every policy has a named owner, a review cadence, and an exception register. Policies are version-controlled and acknowledged by every Cylentrix engineer at hire and annually thereafter.

Core policies

• Information Security Policy — corporate-level commitment, scope, governance, executive accountability.
• Acceptable Use Policy — workforce expectations on Cylentrix systems and client environments.
• Access Control Policy — identity, authentication, privileged access, just-in-time access.
• Cryptography Policy — encryption standards, key management, certificate lifecycle.
• Change Management Policy — change-advisory process, approval gates, emergency change protocol.
• Incident Response Policy — incident classification, escalation, communication, post-incident review.
• Business Continuity Policy — BCP/DR scope, RTO/RPO, testing cadence.
• Vendor Risk Policy — third-party assessment, ongoing monitoring, exit management.
• Data Classification Policy — public, internal, confidential, restricted handling rules.
• Data Retention Policy — retention schedules, secure disposal, regulatory exceptions.
• Privacy Policy — data subject rights, lawful processing, international transfer.

Requesting a policy

Detailed policies are shared with clients and prospective clients under NDA. To request a policy pack, contact our trust office at trust@cylentrix.com with your organisation, intended use, and scope of interest.

Reporting a vulnerability

Cylentrix operates a coordinated vulnerability disclosure programme. Researchers may report vulnerabilities to security@cylentrix.com. We commit to acknowledgement within 48 hours, an initial response within 5 business days, and good-faith handling of valid reports.