Security Policy

Vext Audit Capital audits the information security and data protection practices of other organisations. We hold ourselves to the same standard we apply to our clients. This Security Policy describes our security measures with full transparency.

Important qualification: The security controls described in this policy represent the Firm's current standard practice and are reviewed and updated periodically. They do not constitute a warranty or guarantee of absolute security against all threats. No security system is impenetrable. The Firm's liability in the event of a security incident is governed exclusively by the Terms of Service and applicable law.

1. Security governance

• Security responsibility is owned at the principal level
• This policy is reviewed annually and updated on any material change in technology or threat landscape
• A Security Incident Register tracks all security events
• Security obligations are communicated to all personnel before commencement of work

2. Access control

• Least privilege: Each team member accesses only client data required for their specific assigned engagement
• MFA: Multi-factor authentication enforced on all Google Workspace accounts, Razorpay, Vercel, and Make.com
• Password management: Strong unique passwords via password manager. No shared passwords permitted.
• Access revocation: Client-specific access revoked upon engagement completion. All access revoked immediately on departure of any personnel.

3. Data security in transit and at rest

• Encryption in transit: All data transmission encrypted via TLS 1.2 or higher. vextaudit.com operates exclusively over HTTPS.
• Encryption at rest: Client data in Google Workspace encrypted at rest using AES-256 by Google's infrastructure.
• Email authentication: SPF, DKIM, and DMARC configured for vextaudit.com to prevent spoofing.
• File sharing: Sensitive documents shared via password-protected Google Drive links with restricted access, revoked after engagement completion.

4. Device and endpoint security

• All work devices run current operating systems with security patches applied within 7 days of release for critical vulnerabilities
• Anti-malware software installed and active on all work devices
• Full-disk encryption enabled on all laptops used for client work
• Devices auto-lock after 5 minutes of inactivity
• Client data is not stored on unencrypted portable media or personal devices

5. Third-party security

All third-party processors are assessed before onboarding and hold at minimum ISO 27001 or SOC 2 certification. The Firm does not use any processor that does not meet this minimum standard. Certifications: Google Workspace (ISO 27001, SOC 2, PCI-DSS); Razorpay (PCI-DSS Level 1, ISO 27001); Vercel (SOC 2 Type 2); Make.com (ISO 27001).

6. Incident response

On a confirmed or suspected incident: contain within 1 hour; assess scope within 24 hours; notify affected B2B clients within 24 hours of confirmation to support their own notification obligations; notify the relevant data protection authority within 72 hours where required by applicable law (Data Protection Board of India for Indian data; relevant EU/UK/other authority for international clients' data); document in Security Incident Register. Contact support@vextaudit.com with subject "Security Incident" immediately if you believe your data has been compromised.

7. Responsible disclosure

Security vulnerabilities in the Firm's systems should be reported in accordance with the Responsible Disclosure Policy.

8. Contact