All policies

Security Policy

Effective March 1, 2026

This Security Policy ("Policy") describes the technical and organisational security measures implemented by Subduxion B.V. ("Subduxion", "we", or "our") to protect the confidentiality, integrity, and availability of the Blake platform and all data processed through it (the "Services").

Subduxion maintains a comprehensive information security programme designed to comply with Article 32 of Regulation (EU) 2016/679 (GDPR), the ISO/IEC 27001 framework, and industry best practices for cloud-native SaaS platforms.

1. Security Governance

1.1 Organisation

Security governance at Subduxion is embedded at the executive level. Responsibility for information security is assigned to designated management, with operational support from engineering and compliance functions. Security policies, standards, and procedures are reviewed and approved by management at least annually.

1.2 Security Programme

Subduxion maintains a written information security programme that includes:

  • Risk assessment and risk treatment procedures, conducted at least annually and upon material changes to the Services.
  • Documented security policies covering access control, cryptography, operations security, communications security, and incident management.
  • Defined roles and responsibilities for information security across the organisation.
  • Continuous improvement based on security incidents, audit findings, and changes in the threat landscape.

1.3 Personnel Security

All personnel with access to production systems or customer data are subject to:

  • Background verification appropriate to the role and applicable law.
  • Binding confidentiality obligations, either through employment contracts or dedicated non-disclosure agreements.
  • Mandatory security awareness training upon onboarding and at regular intervals thereafter.
  • Defined access revocation procedures upon role change or termination.

2. Infrastructure Security

2.1 Hosting Environment

The Services are hosted on infrastructure provided by established cloud platform providers that maintain recognised certifications including SOC 2 Type II, ISO 27001, and PCI DSS Level 1. Physical security of data centre facilities, including environmental controls, access restrictions, and surveillance, is the responsibility of the infrastructure provider and is subject to contractual assurances and regular audit by the provider.

2.2 Network Security

Subduxion implements layered network security controls, including:

  • Network segmentation to isolate production, staging, and development environments.
  • Web application firewall (WAF) and distributed denial-of-service (DDoS) mitigation at the network edge.
  • Intrusion detection and prevention capabilities with continuous monitoring.
  • Restrictive network access policies with deny-by-default posture.

2.3 Data Segregation

Customer data is logically segregated within the Services. Access controls enforce tenant isolation at the application, database, and API layers. Cross-tenant data access is architecturally prevented through scoped access patterns enforced at every layer of the application stack.

3. Data Protection

3.1 Encryption

  • In Transit: All data transmitted between clients and the Services, and between internal service components, is encrypted using TLS 1.2 or higher. Internal service-to-service communications use mutually authenticated encrypted channels.
  • At Rest: All persistent data stores are encrypted using AES-256 or equivalent algorithms. Encryption keys are managed through dedicated key management infrastructure with separation of duties.

3.2 Access Controls

  • Role-based access control (RBAC) is enforced at all layers of the Services.
  • Access to production systems and customer data is restricted to authorised personnel on a need-to-know basis.
  • Multi-factor authentication (MFA) is required for all administrative and production system access.
  • Access rights are reviewed periodically and upon any change of role or responsibility.
  • Privileged access is logged and subject to review.

3.3 Data Backup and Recovery

  • Automated backups are performed at regular intervals with point-in-time recovery capability.
  • Backup data is encrypted and stored in geographically separate locations.
  • Backup restoration procedures are tested periodically to verify integrity and recovery time objectives.

4. Application Security

4.1 Secure Development

Subduxion follows a secure software development lifecycle (SSDLC) that includes:

  • Security requirements analysis during the design phase.
  • Mandatory code review for all changes to production systems.
  • Automated static application security testing (SAST) integrated into the development pipeline.
  • Dependency scanning for known vulnerabilities in third-party components.
  • Separation of development, testing, and production environments.

4.2 Vulnerability Management

  • Automated vulnerability scanning is performed on a continuous basis across all production systems.
  • Identified vulnerabilities are triaged based on severity and exploitability, with defined remediation timelines: critical (24 hours), high (72 hours), medium (30 days), low (90 days).
  • External penetration testing is conducted at least annually by qualified independent assessors. Material findings are remediated and verified prior to the next assessment cycle.

5. Monitoring and Logging

  • Security-relevant events are logged centrally, including authentication events, access to customer data, administrative actions, and system changes.
  • Logs are retained for a minimum of 12 months in tamper-resistant storage.
  • Anomaly detection and alerting are implemented for security-critical events.
  • Log data is available for forensic analysis in the event of a security incident.

6. Incident Response

6.1 Incident Response Plan

Subduxion maintains a documented incident response plan that defines:

  • Classification criteria for security incidents based on severity and impact.
  • Roles and responsibilities for incident response, including designated incident commanders.
  • Escalation procedures and communication protocols.
  • Containment, investigation, eradication, and recovery procedures.
  • Post-incident review and lessons-learned processes.

6.2 Notification

In the event of a confirmed security incident affecting customer data, Subduxion will notify affected customers without undue delay and in any event within 48 hours, in accordance with the Data Processing Agreement. Notifications will include a description of the incident, the data affected, the measures taken, and recommended actions for the customer.

7. Business Continuity

  • Subduxion maintains business continuity and disaster recovery procedures designed to ensure the availability and resilience of the Services.
  • Recovery objectives are defined and tested periodically.
  • The Services are designed with redundancy at the infrastructure, application, and data layers to minimise the impact of component failures.

8. Responsible Disclosure

Subduxion welcomes responsible disclosure of security vulnerabilities by external researchers. If you have identified a potential vulnerability in the Services, please report it to:

Email: security@subduxion.com

When reporting, please include:

  • A detailed description of the vulnerability, including steps to reproduce.
  • The potential impact and any supporting evidence.
  • Your contact information for follow-up.

Subduxion commits to:

  • Acknowledging receipt of your report within 2 business days.
  • Providing an initial assessment within 10 business days.
  • Keeping you informed of the remediation progress.
  • Not pursuing legal action against researchers who report in good faith and in accordance with this disclosure policy.
  • Recognising your contribution upon request, subject to mutual agreement.

We request that researchers do not publicly disclose vulnerabilities prior to remediation and that testing does not degrade the Services for other users, access data belonging to other customers, or involve social engineering, physical access, or denial-of-service techniques.

9. Certifications and Compliance

Subduxion is committed to achieving and maintaining security certifications appropriate to the nature and scale of the Services. Our current and planned certifications include:

StandardStatus
SOC 2 Type IIPlanned
ISO/IEC 27001Planned
ISO/IEC 42001 (AI Management)Under evaluation
GDPR ComplianceActive
EU AI Act ComplianceActive

10. Review

This Policy is reviewed at least annually and updated to reflect changes in the threat landscape, regulatory requirements, and the security posture of the Services. Material updates will be communicated to customers through the Services or by notice to the primary account contact.

11. Contact

For security inquiries, incident reports, or responsible disclosure submissions:

Subduxion B.V.
Attn: Security
High Tech Campus 5
5656 AE Eindhoven
The Netherlands
Email: security@subduxion.com

Blake

Sales is not a department. It's the oxygen of your company.

Without sales you don't have a business. You have a hobby. And hobbies don't pay salaries.