Security Policy
CtrlOne.Online ("CtrlOne", "Company", "we", "our", or "us") is committed to maintaining the highest standards of information security, cybersecurity, operational resilience, and customer trust. This Security Policy explains the administrative, technical, and physical safeguards implemented to protect customer information, endpoint devices, cloud infrastructure, administrative systems, licensing systems, customer accounts, audit records, software source code, and intellectual property. Security is designed into every component of CtrlOne's architecture and development lifecycle. Effective Date: July 14, 2026. Version: 1.0.
Last updated: July 14, 2026
2. Purpose
The purpose of this Security Policy is to:
- Protect customer information
- Prevent unauthorized access
- Reduce cybersecurity risks
- Ensure confidentiality
- Ensure integrity
- Ensure availability
- Maintain operational continuity
- Support regulatory compliance
- Protect software licensing
- Secure endpoint communications
3. Scope
This policy applies to:
- CtrlOne Cloud Platform
- Admin Console
- Endpoint Agent
- Licensing Servers
- Customer Portal
- Company Website
- APIs
- Databases
- Employees
- Contractors
- Vendors
- Third-party service providers
4. Security Principles
CtrlOne follows these core principles:
- Least Privilege
- Need-to-Know Access
- Defense in Depth
- Zero Trust Architecture
- Secure by Default
- Privacy by Design
- Secure Software Development Lifecycle (SSDLC)
- Continuous Monitoring
- Risk-Based Security
5. Infrastructure Security
Our infrastructure is protected using multiple security layers including:
- Firewalls
- DDoS protection
- Web Application Firewall (WAF)
- Network segmentation
- Private networking where applicable
- Intrusion detection
- Intrusion prevention
- Continuous monitoring
- Automated security alerts
- Server hardening
- Secure operating system configurations
6. Secure Communication
All communications between the Admin Console, Endpoint Agents, Licensing Servers, Customer Portal, and APIs are encrypted using industry-standard cryptographic protocols. Security controls include:
- HTTPS
- TLS 1.2 or TLS 1.3
- Strong cipher suites
- Certificate validation
- HSTS
- Secure API authentication
- Session encryption
7. Data Encryption
Data in Transit — all network traffic is encrypted. Examples include login requests, policy synchronization, device registration, licensing, and administrative operations.
Data at Rest — sensitive data stored within CtrlOne infrastructure is protected using strong encryption technologies where appropriate. Protected information may include:
- Customer account information
- Licensing information
- Audit logs
- Configuration data
- Administrative settings
8. Authentication Security
Administrative access requires secure authentication. Security measures include:
- Strong password policies
- Password hashing
- Account lockout after repeated failures
- Session expiration
- Automatic logout
- Secure cookie settings
- Multi-factor authentication (where available)
- Login activity monitoring
9. Role-Based Access Control (RBAC)
Access is granted according to job responsibilities. Users receive only the permissions necessary to perform their duties. Roles may include:
- Super Administrator
- Organization Administrator
- Technician
- Auditor
- Support Engineer
- Read-Only User
10. Endpoint Security
The CtrlOne Agent is designed to help enforce organizational policies on managed Windows devices. These capabilities assist organizations in reducing unauthorized changes while allowing administrators to manage devices centrally. Security capabilities may include:
- Windows restriction policies
- USB device controls
- Browser controls
- Application restrictions
- Registry protection
- Group Policy enforcement
- Scheduled restrictions
- Policy synchronization
- Tamper resistance
- Offline policy enforcement
- Audit logging
11. Tamper Protection
The CtrlOne Agent includes mechanisms intended to help protect against unauthorized modification. These protections may include:
- Service protection
- Registry protection
- Configuration integrity verification
- Policy validation
- Controlled uninstall procedures
- License verification
- Secure update validation
12. Secure Software Development
CtrlOne follows secure software engineering practices including:
- Secure coding standards
- Code reviews
- Static analysis
- Dependency management
- Vulnerability remediation
- Version control
- Build verification
- Release validation
- Secure deployment
13. Vulnerability Management
We continuously evaluate our platform for security weaknesses. Critical vulnerabilities are prioritized for remediation based on severity and operational impact. Activities include:
- Security testing
- Vulnerability scanning
- Dependency analysis
- Security patching
- Operating system updates
- Third-party library monitoring
- Security reviews
14. Patch Management
Security updates are applied according to risk. Emergency security updates may be deployed immediately. Update categories include:
- Critical
- High
- Medium
- Low
15. Logging and Monitoring
Security events are logged where appropriate. Logs are monitored to identify suspicious activity and support investigations. Examples include:
- Login attempts
- Failed logins
- Administrative actions
- Policy changes
- Device registrations
- License activations
- Agent communications
- Configuration changes
- Security alerts
16. Audit Trails
CtrlOne maintains audit records for significant administrative activities. Audit records support operational accountability and compliance. Audit information may include:
- User identity
- Timestamp
- Action performed
- Device affected
- Previous configuration
- Updated configuration
17. Incident Response
CtrlOne maintains an incident response process designed to:
- Detect security events
- Assess impact
- Contain incidents
- Investigate root causes
- Restore services
- Notify affected customers where legally required
- Implement corrective actions
- Improve preventive controls
18. Data Backup
Critical business data is backed up regularly. Backup procedures include:
- Automated backups
- Redundant storage
- Backup integrity verification
- Disaster recovery planning
- Recovery testing
19. Disaster Recovery
CtrlOne maintains disaster recovery procedures intended to support service restoration following significant operational disruptions. Recovery plans are periodically reviewed and tested.
20. Physical Security
Infrastructure providers implement physical safeguards such as:
- Access control
- CCTV
- Biometric access
- Environmental monitoring
- Fire protection
- Power redundancy
- Climate control
21. Employee Security
Employees receive security awareness training covering the topics below. Access is granted based on business need and revoked promptly when employment or responsibilities change.
- Password hygiene
- Phishing prevention
- Secure handling of customer information
- Incident reporting
- Social engineering
- Secure remote work
22. Vendor Security
Third-party vendors that process or access company information are evaluated for appropriate security practices before engagement, where applicable.
23. Customer Responsibilities
Customers are responsible for:
- Protecting administrator credentials
- Using strong passwords
- Enabling MFA where available
- Keeping endpoint operating systems updated
- Securing local administrator accounts
- Restricting unauthorized access
- Maintaining secure network environments
24. Secure API Usage
APIs should be accessed only through authenticated channels. Customers must:
- Protect API credentials
- Rotate credentials periodically
- Avoid embedding secrets in client-side code
- Report suspected credential compromise immediately
25. Responsible Disclosure
Researchers who identify potential security vulnerabilities are encouraged to report them responsibly. Good-faith reports will be investigated promptly. Reports should include:
- Description
- Reproduction steps
- Impact
- Supporting evidence
26. Compliance
CtrlOne designs its security program with reference to recognized frameworks and applicable legal requirements, including:
Where the website states "control alignment," it refers to mapping of controls and evidence rather than certification unless explicitly announced.
- Information Technology Act, 2000 (India)
- Digital Personal Data Protection Act, 2023 (India)
- ISO/IEC 27001 Information Security Management (control alignment)
- SOC 2 Security Trust Services Criteria (control alignment)
- NIST Cybersecurity Framework
- CIS Critical Security Controls
27. Security Limitations
No software, cloud platform, or security system can guarantee absolute protection. CtrlOne continually works to improve security but cannot guarantee prevention of every security incident. Customers acknowledge that:
- Cyber threats continuously evolve
- Zero-day vulnerabilities may exist
- Internet communications inherently involve risk
- Third-party services may experience outages or compromises
28. Reporting Security Issues
Security vulnerabilities should be reported confidentially. We request that researchers avoid public disclosure until the issue has been investigated and addressed. Please include:
- Description
- Affected component
- Steps to reproduce
- Proof of concept (if available)
- Contact information
29. Policy Updates
This Security Policy may be updated periodically to reflect changes in technology, security practices, regulatory requirements, industry standards, or business operations. The latest version will always be published on the CtrlOne website.
30. Contact
CtrlOne Security Team — for security matters, incident reporting, or vulnerability disclosure:
- Email: security@ctrlone.online
- Website: https://ctrlone.online/
- Company: UQuick Technologies India Limited