Security & Infrastructure Statement

ControlBox Corp.

Complii Compliance Platform

This Security & Infrastructure Statement describes the technical, organizational, and operational safeguards implemented by ControlBox Corp. for the Complii platform.

The controls described in this statement are designed to support the confidentiality, integrity, availability, and resilience of the services used by Complii customers.

1. Security Governance

ControlBox maintains internal security policies and operational procedures covering access control, incident management, software change management, and infrastructure protection.

Security responsibilities are assigned to designated personnel across engineering, operations, and compliance functions.

2. Infrastructure Hosting Environment

Complii is deployed on managed cloud infrastructure designed for high availability and operational reliability.

Hosting providers are selected based on their security posture, reliability, and ability to support compliance requirements.

  • segmented production and non-production environments
  • redundant compute and storage components
  • network-level controls and perimeter protections
  • backup and disaster recovery capabilities

3. Security Standards and Framework Alignment

Complii infrastructure and operational controls are designed to align with internationally recognized security practices, including:

  • SOC 2 security controls
  • ISO 27001 information security principles
  • ISO 9001 quality management practices

Alignment with these frameworks supports continuous improvement in risk management and operational assurance.

4. Data Protection Controls

ControlBox implements commercially reasonable safeguards to protect customer data in transit and at rest.

  • encryption in transit using TLS
  • encryption controls for stored data where applicable
  • strict authentication and authorization controls
  • role-based access principles for internal users
  • audit logging for security-relevant events

5. Identity and Access Management

Access to systems and data is restricted based on least-privilege principles.

  • unique user identities for administrative access
  • controlled privilege escalation procedures
  • periodic access reviews
  • prompt access revocation for role changes or offboarding

6. Application Security Practices

The Complii development lifecycle includes controls intended to reduce software security risk.

  • code review before production deployment
  • dependency and vulnerability monitoring
  • controlled release and change management processes
  • security hardening of production configurations

7. Monitoring and Incident Response

ControlBox maintains operational monitoring and alerting capabilities to detect service anomalies and potential security events.

Security incidents are handled under incident response procedures that include triage, containment, impact assessment, remediation, and communication as appropriate.

8. Business Continuity and Backups

Complii maintains backup procedures designed to support data durability and service recovery.

  • scheduled backup operations
  • protected backup storage
  • recovery procedures tested on a periodic basis

Recovery objectives may vary by service component and customer deployment characteristics.

9. Third-Party Providers

ControlBox may use third-party service providers for infrastructure, communications, and operational support.

Providers are assessed based on suitability, security capabilities, and contractual commitments related to data protection and service reliability.

10. Customer Shared Responsibilities

Customers are responsible for security measures within their own environments, including:

  • maintaining secure credentials and MFA where available
  • controlling internal user access and permissions
  • protecting API keys and integration secrets
  • reviewing account activity and reporting suspicious behavior promptly

11. Limitations

No internet-connected system can guarantee absolute security. ControlBox continuously improves technical and organizational measures but cannot warrant that unauthorized access, disruption, or data compromise will never occur.

12. Contact for Security Matters

Questions regarding this statement or security practices may be directed to:

ControlBox Corp.
Security and Compliance Team