1. Our Security Commitment
At NoteX, security is not an afterthought - it is a core principle embedded in everything we build. We understand that businesses trust us with sensitive client data and communications, and we take that responsibility seriously.
Our security program is designed to protect the confidentiality, integrity, and availability of your data through a defense-in-depth approach combining multiple layers of protection.
- Encryption: AES-256 at rest, TLS 1.3 in transit
- SOC 2 Type II: Independently audited controls
- 99.9% Uptime: Redundant global infrastructure
- Continuous Monitoring: 24/7 threat detection and response
2. Infrastructure Security
2.1 Cloud Infrastructure
NoteX is hosted on enterprise-grade cloud infrastructure with the following security measures:
- Data Centers: ISO 27001, SOC 2, and SOC 3 certified facilities
- Geographic Redundancy: Data replicated across multiple availability zones
- Network Isolation: Virtual private clouds with strict firewall rules and network segmentation
- DDoS Protection: Multi-layer DDoS mitigation at network and application layers
- Load Balancing: Automated traffic distribution with health checks and failover
2.2 Network Security
- Web Application Firewall (WAF) filtering malicious traffic
- Intrusion detection and prevention systems (IDS/IPS)
- Network traffic monitoring and anomaly detection
- Rate limiting and bot protection
- IP whitelisting available for enterprise accounts
3. Data Encryption
3.1 Encryption in Transit
All data transmitted between clients, servers, and third-party services is encrypted using:
- TLS 1.3: The latest Transport Layer Security protocol for all HTTPS connections
- Certificate Pinning: The mobile app only trusts server certificates matching a pinned public key, so a mis-issued or attacker-controlled certificate is rejected even if a trusted CA signed it, preventing man-in-the-middle attacks
- HSTS: HTTP Strict Transport Security enforced to prevent protocol downgrade attacks
- Perfect Forward Secrecy: Each session negotiates its own ephemeral key via an ephemeral Diffie-Hellman exchange, so a future compromise of the server's long-term private key does not expose previously recorded sessions
3.2 Encryption at Rest
- AES-256: All stored data encrypted using Advanced Encryption Standard with 256-bit keys
- Key Management: Encryption keys managed through a dedicated key management service with automatic rotation
- Database Encryption: Full-disk encryption for all database storage volumes
- Backup Encryption: All backups encrypted with separate keys
4. Application Security
4.1 Secure Development
- Secure SDLC: Security integrated into every phase of the development lifecycle
- Code Reviews: All code changes undergo mandatory peer review with security focus
- Static Analysis: Automated SAST tools scan for vulnerabilities in every build
- Dependency Scanning: Continuous monitoring of third-party libraries for known vulnerabilities
- OWASP Top 10: Development practices address all OWASP Top 10 risks
4.2 Authentication and Access Control
- Password Security: Passwords hashed using bcrypt with appropriate cost factor
- Multi-Factor Authentication: Available for all accounts, required for admin access
- Session Management: Secure session tokens with automatic expiration and revocation
- Role-Based Access Control: Granular permissions based on user roles
- API Key Security: Scoped API keys with configurable permissions and rate limits
4.3 Input Validation
- Server-side validation of all user inputs
- Parameterized queries to prevent SQL injection
- Content Security Policy (CSP) headers to prevent XSS attacks
- CSRF token protection on all state-changing operations
- File upload scanning and type validation
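The following is an added example, not NoteX code, illustrating why parameterized queries are listed above: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, the column names and the `notes_for_owner_*` function names are assumptions for the demonstration only.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny notes table with two owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes (owner, body) VALUES (?, ?)",
        [("alice", "alice note 1"), ("alice", "alice note 2"), ("bob", "bob secret")],
    )
    return conn


def notes_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    # Deliberately vulnerable: the caller-supplied value is spliced into the SQL
    # text, so a quote in `owner` changes the structure of the query itself.
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list[str]:
    # Parameterized: the query text is fixed and `owner` is bound as data.
    # Whatever it contains, it is compared as a string and never parsed as SQL.
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# A classic tautology payload (constructed input for the demonstration).
PAYLOAD = "x' OR '1'='1"


def demo() -> tuple[list[str], list[str]]:
    """Run both variants with the payload; returns (vulnerable_result, safe_result)."""
    conn = build_db()
    leaked = notes_for_owner_vulnerable(conn, PAYLOAD)   # every row, including bob's
    contained = notes_for_owner_safe(conn, PAYLOAD)      # no owner literally named that
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = demo()
    print("vulnerable:", leaked)
    print("parameterized:", contained)
```

The vulnerable variant returns all three rows, including another user's note, because the payload turns the WHERE clause into a tautology; the parameterized variant returns nothing, since no owner is literally named `x' OR '1'='1`. Parameter binding is the control; escaping or "validating" the string is not a substitute for it.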
5. Penetration Testing and Audits
We maintain a robust testing program to identify and address vulnerabilities:
- Annual Penetration Testing: Independent third-party penetration tests conducted annually
- Vulnerability Scanning: Automated scans performed weekly across all infrastructure
- SOC 2 Type II Audit: Annual audit of security controls by independent auditors
- Bug Bounty Program: Responsible disclosure program inviting security researchers to identify vulnerabilities
6. Incident Response
We maintain a comprehensive incident response plan:
- Detection: 24/7 automated monitoring with real-time alerting for security anomalies
- Classification: Incidents classified by severity with defined escalation procedures
- Response: Dedicated security team initiates containment within 15 minutes of detection
- Notification: Affected customers notified without undue delay and no later than 72 hours after we become aware of a personal data breach, consistent with the GDPR breach-notification timeline (the 72-hour limit in Article 33 governs notification to the supervisory authority; affected individuals are notified without undue delay under Article 34)
- Post-Incident: Root cause analysis and remediation for every security incident
- Lessons Learned: Findings incorporated into security improvements
7. Business Continuity
7.1 Disaster Recovery
- RPO (Recovery Point Objective): Less than 1 hour of data loss in worst-case scenarios
- RTO (Recovery Time Objective): Service restoration within 4 hours
- Automated Backups: Database backups every hour with 30-day retention
- Cross-Region Replication: Real-time data replication to geographically separate regions
- DR Testing: Disaster recovery procedures tested quarterly
7.2 High Availability
- Multi-zone deployment with automatic failover
- Auto-scaling to handle traffic spikes
- Health checks with automatic instance replacement
- Global CDN for static asset delivery
8. Employee Security
- Background Checks: All employees undergo background checks before hire
- Security Training: Mandatory security awareness training for all employees
- Least Privilege: Access granted on a need-to-know basis with regular access reviews
- Device Security: Company devices require full-disk encryption, firewalls, and endpoint protection
- Offboarding: Immediate access revocation and account deactivation upon departure
9. Compliance and Certifications
NoteX maintains compliance with the following standards and regulations:
- SOC 2 Type II: Annual audit of security, availability, and confidentiality controls
- GDPR: Full compliance with the EU General Data Protection Regulation
- CCPA: Compliance with the California Consumer Privacy Act
- ISO 27001: Information security management system certification (in progress)
- PCI DSS: Payment card data handled by PCI-compliant payment processors
10. Responsible Disclosure
We value the security research community and welcome reports of potential vulnerabilities. If you discover a security issue:
- Email us at security@notex.io
- Include a detailed description of the vulnerability and steps to reproduce
- Give us reasonable time to investigate and fix the issue before any public disclosure
- Do not access, modify, or delete data belonging to other users
We acknowledge all valid reports and will work with you to resolve issues promptly.
11. Contact
For security-related questions or concerns: