Information Security

Catylex utilizes enterprise-grade best practices to protect our customers’ data, and works with independent experts to verify its security, privacy, and compliance controls, and has achieved SOC 2 compliance against stringent standards.


SOC 2 Report

We work with an independent auditor to maintain a SOC 2 report, which objectively certifies our controls to ensure the continuous security of our customers' data.

Developed by the Assurance Services Executive Committee (ASEC) of the AICPA, the Trust Services Criteria is the set of control criteria to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems, or the confidentiality or privacy of the information processed by the systems at an entity, a division, or an operating unit of an entity.


Continuous Security Control Monitoring

Catylex uses Drata’s automation platform to continuously monitor 100+ security controls across the organization. Automated alerts and evidence collection allows Catylex to confidently prove its security and compliance posture any day of the year, while fostering a security-first mindset and culture of compliance across the organization.


Employee Trainings

Security is a company-wide endeavor. All employees complete an annual security training program and employ best practices when handling customer data.


Penetration Tests

Catylex works with leading security firms to perform annual network and application layer penetration tests.


Secure Software Development

Catylex utilizes a variety of manual and automatic data security and vulnerability checks throughout the software development lifecycle.


Data Encryption

Data is encrypted both in-transit using TLS and at rest.

Responsible Disclosure Policy

Catylex is committed to ensuring the safety and security of our customers. We aim to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers that are providing us with their expertise.

Scope

Catylex’s Responsible Disclosure Policy covers the following products: 

  • Catylex’s core platform

We intend to increase our scope as we build capacity and experience with this process. Researchers who submit a vulnerability report to us will be given full credit once the submission has been accepted and validated by our product security team.

Legal Posture

Catylex will not engage in legal action against individuals who submit vulnerability reports as prescribed below. We openly accept reports for the currently listed Catylex products. We agree not to pursue legal action against individuals who:

  • Engage in testing of systems/research without harming Catylex or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Adhere to the laws of their location and the location of Catylex. For example, violating laws that would only result in a claim by Catylex (and not a criminal claim) may be acceptable as Catylex is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

How to Submit a Vulnerability

Submit vulnerability reports to Catylex’s Product Security Team by emailing security@catylex.com.  Along with the report, the email must include the following information in the body for Catylex to respond:

  • Name of organization or affiliation (note if unaffiliated)
  • Evidence of your credentials (e.g., website, LinkedIn)
  • Confirmation that your submission is not spam or for the purpose of selling a product or service

Restrictions on External Links and Attachments

For security reasons, Catylex cannot access or open external links, file-sharing URLs, downloadable scripts, executables, or attachments hosted outside the email body. All vulnerability details, including proof-of-concept steps, must be provided directly within the body of the email in plain text. Submissions that rely on external links or require downloading files for validation may be rejected or delayed during triage.

Preference, Prioritization, and Acceptance Criteria

We will use the following criteria to prioritize and triage submissions.

  • Well-written reports in English will have a higher probability of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from Catylex:

  • A timely response to compliant submissions.
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, Catylex may bring in a neutral third party to assist in determining how best to handle the vulnerability.

soc-2-with-padding
aicpa-soc-with-padding