Privacy Policy

What’s in this document

This document consolidates all the essential information regarding our privacy and security practices.

All required ISO 27001 and SOC 2 controls have been implemented. We are currently undergoing the official audit phase, expected to complete in Q3 2025.

This document addresses:

ISO 27001 and SOC 2 alignment
HIPAA, NIS2 and GDPR alignment
Our philosophy and commitment to privacy, security, and transparency.

Philosophy

Every bug, wish or feature is taken seriously, reviewed and if feasible implemented.
Privacy first, we understand your day-to-day responsibilities as MSP.
We work with MSPs for MSPs and continuously adapt to what our customers need and want.
We are responsible for your success. We build solutions that matter for you.
AI is the core of our strategy, but we act cautious. We prioritize professionalism, real-world use cases and privacy over hype.

Support

We monitor our systems 24×7. Incidents are reviewed and addressed without unnecessary delays.
Our team actively monitors our support email help@proxuma.io, alerts and incidents within office hours (from 08:30 to 17:00 GMT+1).
Response and Resolution Times are within office hours.
For issues involving external dependencies, Proxuma commits to proactive escalation and transparent communication to facilitate resolution. Timelines may vary based on the external provider’s response and resolution.

How We Prioritize and Fix Issues

Category	Description	Response Time	Resolution Time
Critical Errors	System downtime or blocking key functions.	< 2 hours	8 hours
Security Issues	Issues that threaten user data or compromise security.	< 2 hours	8 hours
Synchronization and API Errors	Proxuma addresses errors in system synchronization and API connectivity that are within our direct control and unrelated to external dependencies.	< 2 hours	8 hours for errors and resolution within our direct control.
Outdated Environment Bugs	Errors on outdated browsers, operating systems, or non-standard devices.	48 hours	Mutual agreement
Third-Party Caused Bugs	Bugs caused by third-party browser plugins or non-standard settings.	48 hours	Mutual agreement
Performance Limit Exceeded	Issues arising under load conditions exceeding agreed thresholds.	72 hours	Mutual agreement
Feature Requests	Additional features or improvements not included in the initial scope.	Scheduled	Mutual agreement

Security Measures

Organizational Security

Policies, procedures, and controls align with ISO 27001 and SOC2 standards to ensure privacy and security.
Third-Party Penetration Testing are conducted annually by experts to validate security Cloud Security
AWS Security Practices: Our infrastructure is hosted on AWS, which adheres to industryleading certifications, including ISO 27001, SOC 2, and GDPR compliance. You can find more information here.
Isolated Environments: We use AWS Virtual Private Cloud (VPC) to create isolated environments, ensuring secure data segregation and access control. You can find more information here.
Continuous Security Scanning: AWS GuardDuty enables continuous threat detection and security monitoring to protect against vulnerabilities. You can find more information here.
Compliance with CIS AWS Foundations Benchmark: Our infrastructure follows the Level 1 CIS AWS Foundations Benchmark for secure configuration and operational excellence.
Shared Responsibility Model: Proxuma and AWS operate under the shared responsibility model to ensure robust cloud infrastructure and customer data security. You can find more information here.

Uptime and Backups

Uptime: All services are hosted on AWS and PostgreSQL with multi-node configurations to ensure redundancy and load balancing. You can find the SLA here.
Backup: Daily backups are performed.

Our High Availability setup includes redundancies and automatic failovers.
We have a 30-day retention period.
Backups are AES-256 encrypted.

AI Security

Own AI Infrastructure: Proxuma operates its own secure AI server infrastructure, ensuring full control over data processing and storage while minimizing reliance on third-party systems.
Data Anonymization: Personally identifiable information (PII) is removed or masked before data processing.
Federated Learning: AI models are trained on decentralized data to prevent direct access to raw datasets.
Synthetic Data Creation: Artificial datasets replicate real-world patterns while preserving privacy.
Bias Auditing: Regular checks to ensure AI models operate fairly and equitably.
Differential Privacy: Adds statistical noise to datasets to prevent individual data extraction. You can find Immutable Audit Trails: Every action within the AI lifecycle is logged and stored in tamper-proof systems.
Role-Based Access Control: Ensures only authorized personnel can access AI-related systems and data.

Privacy Policy

Our Commitment

Proxuma is committed to safeguarding your personal information. We adhere to the General Data Protection Regulation (GDPR), ensuring your data is:

Collected lawfully.
Used transparently and purposefully.
Stored securely.

Why We Collect Data

We collect personal information to:

Provide and improve our services.
Address customer support requests.
Conduct targeted and non-targeted marketing activities (with opt-out options).
To improve the efficiency and accuracy of algorithms in solving customer issues.
Creating new tools and capabilities that benefit users, such as predictive insights and automation.
Advancing natural language processing (NLP) methodologies to stay ahead in innovation.

Cookies and Website Data

Purpose: To enhance user experience and develop online services.
Control: Users can accept or decline cookies via browser settings.
Note: Declining cookies may limit some website features.

Sensitive Information

Proxuma does not routinely collect or request sensitive personal data (such as health information, racial or ethnic origin, political views, religious beliefs, or biometric identifiers).

If sensitive data is pulled in via external APIs, Proxuma cannot control or filter it. Customers are fully responsible for ensuring such data is not shared unless necessary and that appropriate consent and safeguards are in place.

If the processing of such data becomes necessary for a specific functionality or legal obligation, we will:

Clearly inform you of the purpose and legal basis for processing. o Request your explicit consent before collecting or storing such data.
Apply enhanced security and access controls and enforce strict retention limitations.

Third-Party Data Sharing

We, in general, do not disclose Personal information, only:

With your consent.
When required by law.
To trusted third parties under strict agreements ensuring compliance with our privacy standards.

Data Security

Data is stored securely and encrypted to prevent misuse, unauthorized access, or disclosure.

Data is encrypted using AES256 at rest.
All in-transit communication uses TLS 1.2+.

Personal data is only retained as necessary, anonymized or deleted within 1-month postcancellation.

Backup retention is 30 days o Contractual/legal retention can extend to 7 years.

Compliance with GDP

Legal Basis for Processing

We process personal data based on the following principles:

Consent: You have provided clear permission.
Contractual Obligations: Necessary for delivering our services.
Legal Obligations: Required to meet regulatory and legal requirements.
Legitimate Interests: For operational improvements and marketing activities.

Your Rights

You have the right to:

Access: View and request copies of your personal data.
Correction: Request updates to incomplete or inaccurate data.
Erasure: Request deletion of your data when it is no longer necessary or when consent is withdrawn.
Data Portability: Receive your personal data in a structured, machine-readable format.
Withdraw Consent: Revoke previously granted consent for data processing.
Object to Processing: Challenge the processing of your data based on legitimate interests or direct marketing purposes.

Exercising Your Rights

To exercise your rights, contact us at help@proxuma.io Please note that identity verification may be required. If you are not satisfied with our response, you can escalate your concerns to the relevant Data Protection Authorities.

Updates and Questions

This policy is updated periodically and available on our website. For inquiries, contact help@proxuma.io

Annex A: Unified Overview

Framework	Area	Measures and Technologies
ISO 27001	Information Security Management System (ISMS)	Regular security audits, risk assessments, and a documented security policy. Internal audits, maintained security policies, and staff training.
ISO 27001	Access Control	RBAC, MFA, and restricted access. Laravel RBAC, AWS IAM policies, MFA for admin access.
ISO 27001	Data Encryption	Encryption at rest and in transit using SSL/TLS, AWS KMS, and PostgreSQL SSL connections.
ISO 27001	Secure Development Practices	Secure coding guidelines, code reviews, and SDLC following OWASP practices. Static code analysis and CI/CD security checks.
ISO 27001	Data Retention Policy	Daily Backup. Data retained for 30 days. Enforced with TTL and automated cleanup.
ISO 27001	Employee Access to Customer Data	Restricted to authorized personnel using RBAC and least privilege principles. IAM roles, access logs.
ISO 27001	Documentation Transparency	ISMS documentation and control mappings available upon request under NDA. Internal portal and audit packages.
HIPAA	Protected Health Information (PHI) Security	Encrypted PHI storage and transfer, access controls, regular audits, and monitoring.
HIPAA	Access Control	Strict PHI access controls with audit trails. Laravel Auth + AWS CloudTrail.
HIPAA	Data Integrity	Data integrity maintained with validation, constraints, logging, and backup checks.
HIPAA	Data Encryption	SSL/TLS for transit and encrypted AWS RDS databases at rest.
HIPAA	Regular Audits	Regular PHI access audits using AWS CloudWatch and CloudTrail.
GDPR	Data Protection and Privacy	Compliance with lawful, fair, transparent processing. Consent management, privacy policies, access rights.
GDPR	Right to Access and Erasure	Tools for user data access and deletion. Laravel user data management.
GDPR	Data Minimization	Minimal necessary data collected via validation, lifecycle management.
GDPR	Data Security	Encryption, access controls, secure APIs, and security assessments.
SOC 2	Security, Availability, and Confidentiality	Access controls, monitoring, encryption, and incident response.
SOC 2	Access Controls	Stringent access and logging. AWS IAM, CloudTrail, Laravel RBAC.
SOC 2	Monitoring and Alerts	Real-time monitoring and alerts. AWS CloudWatch, CloudTrail.
SOC 2	Incident Response	Incident response plans with training, drills, and escalation paths.
SOC 2	Backup Scope & Storage	Daily encrypted backups of non-API data, stored securely and encrypted with 30 days retention. AWS Backup, PostgreSQL snapshots.
SOC 2	Microsoft Integration Security	Graph API with scoped OAuth access. No impersonation. Verified Enterprise app, delegated access with MFA.
SOC 2 (CC3.2)	Protection Against Unauthorized Changes	Change approvals and configuration logging. Terraform, AWS Config, Git restrictions.
SOC 2 (CC5.1)	Access Management for Infrastructure	Least privilege, MFA, and logging. AWS IAM, MFA, CloudTrail.
SOC 2 (CC6.1)	Secure Configuration of Systems	Secure software environments. IAM policies, secure APIs, Git controls.
SOC 2 (CC6.2)	Protection Against Malware in Development	Isolated dev, anti-malware, restricted access.
SOC 2 (CC6.3)	Configuration Management of Infrastructure	Automated config management and monitoring. Terraform/Ansible, AWS Config.
SOC 2 (CC6.5)	Endpoint Security	Endpoint protection, restricted access, encryption.
SOC 2 (CC6.6)	Network Security	Firewalls, IDS/IPS, network segmentation, AWS VPC, Snort.
SOC 2 (CC6.7)	Encryption of Data in Transit	TLS, VPN, and encrypted DB connections. TLS 1.2/1.3, IPsec, RDS encryption.
SOC 2 (CC6.8)	Sensitive Data in the SDLC	Data masking in non-prod, encrypted storage. AES-256, masking tools.
SOC 2 (CC7.1)	Detection of Security Incidents	SIEM, alerting systems, log aggregation. CloudWatch, Splunk, Datadog, CloudTrail.
SOC 2 (CC7.2)	Evaluation and Remediation of Incidents	Incidents are reported in Jira. Includes classification and root cause analysis.
SOC 2 (CC7.3)	Incident Management	Documented response roles and testing. PagerDuty, tabletop exercises.
SOC 2 (CC7.4)	Software Release Management	CI/CD with approvals and logging. GitLab, Jenkins, signed artifacts.
SOC 2 (CC7.5)	Vulnerability Management	Vulnerability scanning, patching, reviews. Nessus, SonarQube, Qualys.
SOC 2 (CC8.1)	Communication of Security Incidents	Incident templates, notification processes. Internal communications and legal review.
SOC 2 (CC9.1)	Protection Against Data Loss	Secure, encrypted backups with retention testing. AWS Backup, encrypted S3, RDS.
SOC 2 (CC9.2)	Resilience and Redundancy	High availability architecture with DR testing. AWS ELB, Auto Scaling, DR playbooks.