Ibex Trust Center
Technical and Organizational Security Measures
Updated May 30, 2025
Ibex’s technical and organizational measures, including those designed to ensure the security of Customer Personal Data, are documented herein and maintained at its Trust Center (https://www.ibex.co/company/ibex-trust-center/). These measures form part of the Services agreement and are reviewed and updated as necessary to remain aligned with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR).
Encryption of Personal Data
All data, including personal data, is encrypted in transit using TLS, with the latest TLS version and current certificates. TLS connections are negotiated with cipher suites providing at least 256-bit encryption or stronger. Personal data (if stored) is encrypted at rest using a minimum of AES-256 or equivalent encryption. Encryption keys are managed in accordance with industry standards, and access to keys is restricted to authorized personnel.
Confidentiality, Integrity, Availability and Resilience of Systems and Services
Confidentiality and integrity are ensured through the following controls:
Access Control:
Buildings are protected with appropriate access control systems based on a security classification of the buildings and an appropriately defined access authorization concept. Buildings are secured by access control measures using a card reader system. Depending on the security category, property, buildings or individual areas are secured by additional measures such as special access profiles, separation locks, video surveillance, metal detectors and security personnel. Access rights for authorized persons are granted individually according to defined criteria. This also applies to external persons.
System Access Control:
Access to data processing systems is granted only to authenticated users under a role-based authorization concept, using the following measures: multi-factor authentication (MFA), data encryption, individualized password assignment (at least 12 characters, with regular automatic expiration), employee ID cards, password-protected screen savers on inactivity, intrusion detection and intrusion prevention systems, and regularly updated anti-malware and spyware filters on the network and on individual PCs and mobile devices.
Data Access Control:
Ibex maintains comprehensive administrative, physical, and technical safeguards to control access to Personal Data and ensure its confidentiality, integrity, and availability. These safeguards include:
- Role-Based Access Controls (RBAC): Access to systems and data is granted based on the principle of least privilege and strictly limited to personnel whose job responsibilities require such access. Roles are defined and assigned based on job function, and access is reviewed periodically to ensure continued appropriateness.
- Authentication and Authorization: Remote access to production systems requires authentication using multi-factor authentication (MFA). User accounts must follow strict password policies, including minimum length, complexity requirements, and regular expiration. Users are alerted on weak or compromised passwords and required to immediately change passwords. All access is logged and monitored.
- Provisioning and Deprovisioning: Access rights are provisioned through a documented and auditable process. New access requires management approval and IT Security review. Access is revoked promptly upon employee termination, role change, or end of assignment.
- Privileged Access Management: Elevated or administrative access is managed through a dedicated privileged access management (PAM) solution, further restricted using dedicated credentials, and monitored through session recording or real-time logging tools. Administrative accounts are limited, and their use is subject to additional approvals and audits.
- Audit Logging and Monitoring: All access to systems containing Personal Data is logged. Logs include timestamps, user identity, accessed resources, and actions taken. Logs are protected against unauthorized alteration and are regularly reviewed for suspicious activity by the Security Operations Center (SOC).
- Segregation of Duties: Controls are in place to ensure that no individual has unchecked access to initiate and approve critical system changes or data handling operations. System and network administration duties are segregated from operational and development responsibilities.
- Remote Access Controls: Where remote access to Personal Data is required, it is secured using multi-factor authentication, encrypted VPN connections, endpoint protection measures, and company-managed devices. Personal or unmanaged devices are not permitted to access systems containing Personal Data unless explicitly approved and secured through mobile device management (MDM).
- User Awareness and Enforcement: All users with system access are required to complete security awareness training annually and confirm their understanding of confidentiality obligations. Disciplinary measures may be taken in the event of information security and acceptable use policy violations.
Where access is controlled by the customer, the responsibility for implementing secure access control procedures belongs to the customer, including but not limited to provisioning, de-provisioning and user access reviews.
Constant availability and reliability of systems and services are ensured by taking the following measures:
Availability and resilience of systems and services are ensured by isolating critical IT and network components, by providing adequate backup and redundancy systems and networks, by using uninterruptible power supplies (UPS) and power redundancy systems and multiple network links, and by regular testing of systems and services. Test and live systems are kept completely separated.
Availability and Access to Personal Data in the Event of an Incident
The availability of and access to personal data in the event of a physical or technical incident shall be restored by taking the following measures: Personal data is stored on RAID systems and integrated into redundant systems according to its security marking. Uninterruptible power supply systems (e.g. UPS, batteries, generators) secure the power supply in the data centers used. Additionally, databases or data centers are mirrored in different physical locations.
Ibex has a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity, with events that directly impact customers assigned the highest priority. This process includes procedures for notification, escalation, mitigation, and documentation. Key staff are trained in incident response and evidence handling in preparation for an event, including the use of third-party and proprietary tools. Ibex ensures timely resolution of security incidents through a defined escalation and response protocol. data, Ibex will promptly inform the customer and support investigative efforts via our security team.
Ibex’s Incident Response Plan includes notifying affected customers of privacy incidents without undue delay and following the terms specified in the Agreement and/or DPA. Ibex would notify affected customers of any actual or reasonably suspected unauthorized access, use, modification, or disclosure of Customer Data by Ibex or its Sub-processors. We will coordinate communication between the technical support and the points of contact Ibex has on record.
The breach notification would, to the extent available, contain a high-level overview of who was impacted, when they were impacted, and the current mitigation status.
Control Procedures to ensure the Safety of Processing
A risk-management-based control procedure is maintained, taking into account the ISO/IEC 27001 requirements for the regular review, assessment and evaluation of the effectiveness of technical and organizational measures to ensure security of processing. This covers the protection of relevant information, applications (including quality and safety test methods), operating environments (e.g., through network monitoring against harmful effects) and the technical implementation of protection concepts (e.g., by means of vulnerability analyses). By systematically detecting and eliminating weak points, the protective measures are continuously questioned and improved.
Monitoring of the Subservice Organization
Ibex management performs an annual review of the System and Organization Controls (SOC) 2 Type 2 report, which is issued on an annual basis, as well as any applicable bridge letters. Management’s review consists of ensuring that the complementary user entity controls are met and analyzing any findings for their impact on the organization. Ibex contractually requires subprocessors to implement appropriate technical and organizational measures and performs periodic reassessments of subprocessor controls.
Application and Development Maintenance
Ibex has a well-defined System Development Life Cycle (SDLC) methodology that governs the application development and change management process. Ibex ensures that the SDLC policies and procedures are reviewed annually and updated on an as-needed basis to reflect environment or regulatory changes. Security is built into each step of the SDLC, including but not limited to secure code reviews, secure development practices training, and security and penetration testing of the applications.
Personnel Measures
All personnel with access to personal data are subject to written confidentiality obligations and regular training on data protection and secure processing. Where lawful, background checks are conducted. Training is refreshed annually and reinforced through periodic awareness campaigns. Personnel are instructed to follow the terms of the Agreement, the DPA, and related procedures.
Data Minimization and Retention
Ibex ensures personal data is processed only to the extent necessary for the agreed purposes and is retained in accordance with the data minimization principle. Secure deletion processes are implemented when data is no longer needed.
Support for Data Subject Rights
Ibex will assist the data exporter in responding to data subject requests, including access, rectification, restriction, and erasure, in accordance with the GDPR and the Services agreement.