XGRC® Cybersecurity & Data Protection Policy

Strategix Application Solutions (Pty) Ltd
Version: 2.0 | Last updated: 13 April 2026 | Effective: 30 April 2026
Reference: XGRC-SEC-002

This policy is incorporated into the XGRC® SaaS Agreement by reference (in part) and documents Strategix’s security controls and data protection approach.

1. Security Governance

Strategix maintains an information security management programme aligned to ISO 27001:2022 and generally accepted industry practices. Our programme includes documented policies, defined roles and responsibilities, regular risk assessments, and ongoing monitoring and improvement.

2. Platform Security

The XGRC® platform applies layered security controls including:

  • Access Control: Role-based access management, principle of least privilege, and multi-factor authentication for administrative access.
  • Logical Segregation: Multi-tenant architecture with strict data isolation between customers.
  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest using industry-standard algorithms.
  • Monitoring and Logging: Security event monitoring, audit logging, and alerting.
  • Vulnerability Management: Regular vulnerability scanning, patch management, and penetration testing.
  • Change Management: Documented change control processes for all platform changes.

3. Operational Resilience

Strategix maintains business continuity and disaster recovery capabilities appropriate to the XGRC® platform service model, including:

  • Regular data backups with tested recovery procedures;
  • Documented incident response procedures; and
  • Capacity management and performance monitoring.

4. Data Protection

Strategix supports customer compliance by:

  • Applying appropriate safeguards to Personal Information processed in connection with the Service;
  • Operating under the customer’s documented instructions in accordance with the Data Processing Addendum; and
  • Maintaining ISO 27001:2022 certification as evidence of our security posture.

5. Security Incidents

Confirmed security incidents affecting customer Personal Information are handled through documented response procedures and notified to affected customers in accordance with the Data Processing Addendum and applicable law.

6. Independent Assurance

Strategix maintains ISO 27001:2022 certification. On reasonable written request, Strategix will provide relevant certifications, audit summaries, or control statements, subject to confidentiality and security controls. On-site audits are not available as a standard offering; refer to the Data Processing Addendum for the applicable audit framework.