Security Policy

CtrlOne.Online ("CtrlOne", "Company", "we", "our", or "us") is committed to maintaining the highest standards of information security, cybersecurity, operational resilience, and customer trust. This Security Policy explains the administrative, technical, and physical safeguards implemented to protect customer information, endpoint devices, cloud infrastructure, administrative systems, licensing systems, customer accounts, audit records, software source code, and intellectual property. Security is designed into every component of CtrlOne's architecture and development lifecycle. Effective Date: July 14, 2026. Version: 1.0.

Last updated: July 14, 2026

2. Purpose

The purpose of this Security Policy is to:

  • Protect customer information
  • Prevent unauthorized access
  • Reduce cybersecurity risks
  • Ensure confidentiality
  • Ensure integrity
  • Ensure availability
  • Maintain operational continuity
  • Support regulatory compliance
  • Protect software licensing
  • Secure endpoint communications

3. Scope

This policy applies to:

  • CtrlOne Cloud Platform
  • Admin Console
  • Endpoint Agent
  • Licensing Servers
  • Customer Portal
  • Company Website
  • APIs
  • Databases
  • Employees
  • Contractors
  • Vendors
  • Third-party service providers

4. Security Principles

CtrlOne follows these core principles:

  • Least Privilege
  • Need-to-Know Access
  • Defense in Depth
  • Zero Trust Architecture
  • Secure by Default
  • Privacy by Design
  • Secure Software Development Lifecycle (SSDLC)
  • Continuous Monitoring
  • Risk-Based Security

5. Infrastructure Security

Our infrastructure is protected using multiple security layers including:

  • Firewalls
  • DDoS protection
  • Web Application Firewall (WAF)
  • Network segmentation
  • Private networking where applicable
  • Intrusion detection
  • Intrusion prevention
  • Continuous monitoring
  • Automated security alerts
  • Server hardening
  • Secure operating system configurations

6. Secure Communication

All communications between the Admin Console, Endpoint Agents, Licensing Servers, Customer Portal, and APIs are encrypted using industry-standard cryptographic protocols. Security controls include:

  • HTTPS
  • TLS 1.2 or TLS 1.3
  • Strong cipher suites
  • Certificate validation
  • HSTS
  • Secure API authentication
  • Session encryption

7. Data Encryption

Data in Transit — all network traffic is encrypted. Examples include login requests, policy synchronization, device registration, licensing, and administrative operations.

Data at Rest — sensitive data stored within CtrlOne infrastructure is protected using strong encryption technologies where appropriate. Protected information may include:

  • Customer account information
  • Licensing information
  • Audit logs
  • Configuration data
  • Administrative settings

8. Authentication Security

Administrative access requires secure authentication. Security measures include:

  • Strong password policies
  • Password hashing
  • Account lockout after repeated failures
  • Session expiration
  • Automatic logout
  • Secure cookie settings
  • Multi-factor authentication (where available)
  • Login activity monitoring

9. Role-Based Access Control (RBAC)

Access is granted according to job responsibilities. Users receive only the permissions necessary to perform their duties. Roles may include:

  • Super Administrator
  • Organization Administrator
  • Technician
  • Auditor
  • Support Engineer
  • Read-Only User

10. Endpoint Security

The CtrlOne Agent is designed to help enforce organizational policies on managed Windows devices. These capabilities assist organizations in reducing unauthorized changes while allowing administrators to manage devices centrally. Security capabilities may include:

  • Windows restriction policies
  • USB device controls
  • Browser controls
  • Application restrictions
  • Registry protection
  • Group Policy enforcement
  • Scheduled restrictions
  • Policy synchronization
  • Tamper resistance
  • Offline policy enforcement
  • Audit logging

11. Tamper Protection

The CtrlOne Agent includes mechanisms intended to help protect against unauthorized modification. These protections may include:

  • Service protection
  • Registry protection
  • Configuration integrity verification
  • Policy validation
  • Controlled uninstall procedures
  • License verification
  • Secure update validation

12. Secure Software Development

CtrlOne follows secure software engineering practices including:

  • Secure coding standards
  • Code reviews
  • Static analysis
  • Dependency management
  • Vulnerability remediation
  • Version control
  • Build verification
  • Release validation
  • Secure deployment

13. Vulnerability Management

We continuously evaluate our platform for security weaknesses. Critical vulnerabilities are prioritized for remediation based on severity and operational impact. Activities include:

  • Security testing
  • Vulnerability scanning
  • Dependency analysis
  • Security patching
  • Operating system updates
  • Third-party library monitoring
  • Security reviews

14. Patch Management

Security updates are applied according to risk. Emergency security updates may be deployed immediately. Update categories include:

  • Critical
  • High
  • Medium
  • Low

15. Logging and Monitoring

Security events are logged where appropriate. Logs are monitored to identify suspicious activity and support investigations. Examples include:

  • Login attempts
  • Failed logins
  • Administrative actions
  • Policy changes
  • Device registrations
  • License activations
  • Agent communications
  • Configuration changes
  • Security alerts

16. Audit Trails

CtrlOne maintains audit records for significant administrative activities. Audit records support operational accountability and compliance. Audit information may include:

  • User identity
  • Timestamp
  • Action performed
  • Device affected
  • Previous configuration
  • Updated configuration

17. Incident Response

CtrlOne maintains an incident response process designed to:

  • Detect security events
  • Assess impact
  • Contain incidents
  • Investigate root causes
  • Restore services
  • Notify affected customers where legally required
  • Implement corrective actions
  • Improve preventive controls

18. Data Backup

Critical business data is backed up regularly. Backup procedures include:

  • Automated backups
  • Redundant storage
  • Backup integrity verification
  • Disaster recovery planning
  • Recovery testing

19. Disaster Recovery

CtrlOne maintains disaster recovery procedures intended to support service restoration following significant operational disruptions. Recovery plans are periodically reviewed and tested.

20. Physical Security

Infrastructure providers implement physical safeguards such as:

  • Access control
  • CCTV
  • Biometric access
  • Environmental monitoring
  • Fire protection
  • Power redundancy
  • Climate control

21. Employee Security

Employees receive security awareness training covering the topics below. Access is granted based on business need and revoked promptly when employment or responsibilities change.

  • Password hygiene
  • Phishing prevention
  • Secure handling of customer information
  • Incident reporting
  • Social engineering
  • Secure remote work

22. Vendor Security

Third-party vendors that process or access company information are evaluated for appropriate security practices before engagement, where applicable.

23. Customer Responsibilities

Customers are responsible for:

  • Protecting administrator credentials
  • Using strong passwords
  • Enabling MFA where available
  • Keeping endpoint operating systems updated
  • Securing local administrator accounts
  • Restricting unauthorized access
  • Maintaining secure network environments

24. Secure API Usage

APIs should be accessed only through authenticated channels. Customers must:

  • Protect API credentials
  • Rotate credentials periodically
  • Avoid embedding secrets in client-side code
  • Report suspected credential compromise immediately

25. Responsible Disclosure

Researchers who identify potential security vulnerabilities are encouraged to report them responsibly. Good-faith reports will be investigated promptly. Reports should include:

  • Description
  • Reproduction steps
  • Impact
  • Supporting evidence

26. Compliance

CtrlOne designs its security program with reference to recognized frameworks and applicable legal requirements, including:

Where the website states "control alignment," it refers to mapping of controls and evidence rather than certification unless explicitly announced.

  • Information Technology Act, 2000 (India)
  • Digital Personal Data Protection Act, 2023 (India)
  • ISO/IEC 27001 Information Security Management (control alignment)
  • SOC 2 Security Trust Services Criteria (control alignment)
  • NIST Cybersecurity Framework
  • CIS Critical Security Controls

27. Security Limitations

No software, cloud platform, or security system can guarantee absolute protection. CtrlOne continually works to improve security but cannot guarantee prevention of every security incident. Customers acknowledge that:

  • Cyber threats continuously evolve
  • Zero-day vulnerabilities may exist
  • Internet communications inherently involve risk
  • Third-party services may experience outages or compromises

28. Reporting Security Issues

Security vulnerabilities should be reported confidentially. We request that researchers avoid public disclosure until the issue has been investigated and addressed. Please include:

  • Description
  • Affected component
  • Steps to reproduce
  • Proof of concept (if available)
  • Contact information

29. Policy Updates

This Security Policy may be updated periodically to reflect changes in technology, security practices, regulatory requirements, industry standards, or business operations. The latest version will always be published on the CtrlOne website.

30. Contact

CtrlOne Security Team — for security matters, incident reporting, or vulnerability disclosure:

  • Email: security@ctrlone.online
  • Website: https://ctrlone.online/
  • Company: UQuick Technologies India Limited