Information Security
How we protect your data and ours.
Our position
As a cybersecurity consulting firm, we hold ourselves to the same standards we advise our clients to meet. We practice what we recommend.
Data protection
- Encryption: All data in transit is encrypted via TLS 1.2+. Client data at rest is encrypted using AES-256.
- Access control: Multi-factor authentication is enforced on all internal systems. Access to client data is restricted to engagement team members on a need-to-know basis.
- Device security: All Tenodex devices run endpoint detection and response (EDR), are encrypted at rest, and are centrally managed.
- Email security: SPF, DKIM and DMARC are enforced on all Tenodex email domains.
Client data handling
- Client data is stored in dedicated, access-controlled environments.
- Data is retained only for the duration required by the engagement and applicable law.
- Data is securely deleted at the conclusion of retention periods.
- We do not share client data with third parties unless specifically authorised in writing.
Incident response
We maintain our own incident response plan, tested through regular tabletop exercises. If we identify a security event affecting client data, we will notify affected clients within 72 hours in accordance with the Notifiable Data Breaches scheme.
Vulnerability disclosure
If you discover a security vulnerability on tenodex.com, please report it to info@tenodex.com. We will acknowledge receipt within 2 business days and work to resolve confirmed vulnerabilities promptly. See our security.txt for more information.
