Security Overview

Last updated: February 18, 2026

This page outlines the high-level security posture of Cybexo CMP. Cybexo implements layered technical and organizational security controls designed to protect customer data, consent signals, and platform integrity.

  • HTTPS enforced for all CMP, API, and asset delivery endpoints.
  • Minimum TLS version: TLS 1.2 (TLS 1.3 preferred where supported).
  • HSTS enabled on production domains to prevent downgrade attacks.
  • Production traffic is routed through managed, globally distributed delivery infrastructure with standard threat protection controls.
  • No HTTP endpoints are exposed for public production services.
  • Encryption in transit: enabled using TLS 1.2+.
  • Encryption at rest: enabled for production data stores managed by infrastructure providers.
  • Key management: encryption keys are managed by the underlying cloud infrastructure provider using provider-managed key services.
  • No plaintext consent data is stored outside secured infrastructure boundaries.
  • Cybexo does not store personal identifiers; only pseudonymous consent state tokens are processed.
  • Role-based access control (RBAC) enforced for administrative systems.
  • Production access follows a least-privilege model.
  • Multi-factor authentication (MFA) required for privileged administrative access.
  • Administrative actions are logged for audit purposes.
  • Access to production systems is restricted to authorized personnel only.
  • Security-relevant events (authentication, configuration changes, deployment actions) are logged.
  • Infrastructure monitoring and alerting are configured for service availability and anomalous activity.
  • Alerts are reviewed by designated technical personnel.
  • Audit logs are retained according to internal operational policy.
  • Regular dependency updates are performed to address security patches.
  • Automated dependency scanning is performed during development workflows.
  • Infrastructure components are updated according to a rolling patch schedule.
  • Critical security patches are prioritized and deployed without undue delay.
  • External penetration testing may be conducted periodically, subject to internal scheduling and scope.
  • Cybexo maintains an internal incident intake and triage process.
  • Security incidents are classified based on severity and impact.
  • Customers are notified of material security incidents affecting their data without unreasonable delay, in accordance with contractual obligations.
  • Post-incident reviews are conducted to identify root cause and remediation actions.
  • Cybexo implements logical tenant isolation within application architecture.
  • Production and non-production environments are separated.
  • Staging and development systems do not process live production consent data unless explicitly configured for testing.
  • Customer data is not commingled across tenant boundaries.
  • Security disclosure channel: security@cybexo.com
  • Vulnerability reports are reviewed and triaged by the technical team.
  • For customer-impacting issues, escalation procedures are defined in the Support and Escalation page.