Trust & Security

How CMDBx protects data, enforces privacy, and maintains operational trust.

CMDBx is built for organizations that depend on accurate CMDB data to operate safely. Security, privacy, and operational trust are foundational to how the platform is designed and operated.

Security by Design

Read-only by default. CMDBx connects to ServiceNow using read-only access by default. No agents are installed, and no schema changes are required. Write-back capabilities, where enabled, are explicitly configured, permission-gated, audited, and disabled by default.

Data encryption.

  • In transit: TLS 1.2+
  • At rest: AES-256 encryption
  • Backups: Encrypted and access-restricted

Tenant isolation. Each customer environment is logically isolated. Data is never shared across tenants, and access is restricted based on role-based permissions.

Access controls.

  • Role-based access control (RBAC)
  • Principle of least privilege
  • MFA rollout is in progress (not yet universally enforced)
  • Regular access reviews

Privacy & Data Handling

Data protection role. Customer: Data Controller. CMDBx: Data Processor. CMDBx processes data solely to provide CMDB analytics, visualization, and governance capabilities.

Data minimization.

CMDBx does not require personal data to function. Any personal data present in CMDB records (for example, owner fields or email addresses) is incidental and processed only as part of customer-provided configuration data.

  • CMDBx does not sell customer data.
  • CMDBx does not share customer data with third parties for marketing.
  • CMDBx does not use customer data to train shared AI models.

GDPR support posture.

CMDBx does not currently claim a formal GDPR certification or legal attestation. We provide controls that help customers execute GDPR-related processes, including:

  • Right of access
  • Right to deletion
  • Right to rectification

Requests can be submitted to [email protected] and are handled according to contractual obligations and applicable law where required.

Data retention & deletion. Customer data is retained only for the duration of the customer relationship or as contractually required. Upon request or contract termination, tenant data can be fully deleted within an agreed timeframe.

Compliance & Assurance

SOC 2 status. CMDBx is not yet SOC 2 certified. We have implemented controls aligned with SOC 2 Security criteria and maintain operational evidence for key control areas.

Incident response. CMDBx maintains a documented incident response process. In the event of a confirmed security incident affecting customer data, customers will be notified without undue delay and in accordance with applicable regulatory requirements. Security issues can be reported to [email protected].

Regulated Environment Security Baseline

  • All integration tokens are time-bound and automatically expire.
  • Credential encryption is fail-safe with no plaintext fallback paths.
  • Only required CI metadata is retained; over-collection of raw upstream payloads is prevented.
  • Security-sensitive actions are recorded in an append-only tenant-scoped compliance audit stream.
  • Generated impact/remediation reports include verifiable provenance metadata.
  • Automated retention and token hygiene jobs continuously enforce data lifecycle policy.
  • Session policy controls are enforced consistently across protected UI and API flows.
  • Token misuse and authorization-denied paths are captured as explicit compliance events.

Subprocessors & Infrastructure

CMDBx uses reputable cloud infrastructure and service providers to operate the platform. A list of subprocessors is available upon request. All subprocessors are contractually required to meet security and confidentiality obligations.

Support & Contact

Support and security requests are handled via structured, auditable channels.

All requests are tracked through auditable support workflows to ensure timely response and accountability.

Transparency & Responsibility

Security and trust are ongoing commitments. CMDBx continuously reviews and improves its controls as the platform evolves. If you have questions about our security posture or compliance approach, we are happy to discuss them.

Last updated: February 2026