INSIDX SECURITY & COMPLIANCE STATEMENT

Security, reliability, and transparency are core principles guiding how INSIDX For Data Exchange LLC (“INSIDX”, “IDX”, or “Company”) designs, operates, and delivers its infrastructure, hosting, and cloud services.

This page describes INSIDX’s general security posture, operational practices, and compliance alignment for informational and transparency purposes only.

This Statement does not create any contractual obligation, warranty, or legal liability, and does not modify or override the INSIDX Master Services Agreement (“MSA”), Terms of Service (“TOS”), or Data Processing Agreement (“DPA”), which shall exclusively govern all services provided by INSIDX.

1. INFORMATION SECURITY

INSIDX implements commercially reasonable and industry-recognized security measures, appropriate to the nature and scope of the services provided.

Access Control
Access to systems is restricted to authorized personnel based on role-based access control (RBAC) and the principle of least privilege, where applicable.

Authentication
Strong authentication mechanisms are implemented, including password policies and multi-factor authentication where supported by the underlying platform or service scope.

Data Encryption
Encryption technologies such as TLS/SSL are used for data in transit. Encryption of data at rest may be implemented where technically feasible and appropriate to the service configuration.

Monitoring & Logging
Systems may be monitored, where applicable, for operational performance, security events, and unauthorized access attempts, in accordance with service scope and technical feasibility.

2. SYSTEMS & INFRASTRUCTURE

Physical & Environmental Security
INSIDX services are delivered from infrastructure operated by INSIDX and/or trusted third-party providers utilizing secure data center environments with controlled physical access and environmental safeguards.

Resiliency & Backups
Where explicitly included as part of a purchased managed service or backup offering, resiliency measures, backups, and disaster recovery mechanisms may be implemented on a best-effort, non-guaranteed basis.
Unmanaged services do not include backups unless expressly stated in writing.

Sub-Processors & Vendors
INSIDX engages sub-processors and vendors that are contractually required to maintain security measures commercially aligned with INSIDX’s security expectations. INSIDX does not control and does not guarantee the internal security practices of third-party providers.

3. COMPLIANCE & DATA PROTECTION

GDPR Alignment
Where applicable, INSIDX processes personal data as a Data Processor under the instructions of the Customer acting as Data Controller, in accordance with the INSIDX Data Processing Agreement (DPA) and GDPR-aligned principles.

Legal & Regulatory Compliance
INSIDX endeavors to comply with applicable laws and regulations in jurisdictions where it operates, subject to the nature of the services provided and applicable contractual scope.

Data Retention
Client data is retained only as required to deliver the services or to comply with applicable legal or contractual obligations.

4. INCIDENT MANAGEMENT

Detection & Response
Security events may be logged, analyzed, and addressed in accordance with internal procedures and service scope.

Notification
Where required by applicable law or contractual obligation, INSIDX may notify affected customers of confirmed security incidents involving personal data.

Continuous Improvement
INSIDX periodically reviews and enhances its security practices as part of ongoing operational risk management.

5. SECURITY & COMPLIANCE LIMITATIONS

INSIDX implements best-effort, commercially reasonable security controls, but does not and cannot guarantee absolute security or uninterrupted service availability.

INSIDX shall not be responsible for security incidents, data loss, or service impact resulting from:

• Customer actions or misconfigurations

• Application-level vulnerabilities

• Unmanaged service usage

• Customer failure to implement appropriate security controls

• Third-party provider failures beyond INSIDX’s reasonable control

OUR INFRASTRUCTURE MODEL

INSIDX operates a hybrid infrastructure model, combining:

• INSIDX-managed servers and platforms

• Infrastructure hosted within internationally recognized third-party data centers

This model enables flexible, scalable service delivery while applying consistent operational and security oversight appropriate to each service type.

SECURITY & COMPLIANCE ALIGNMENT

INSIDX’s internal processes and service designs are intended to align with recognized international security and privacy frameworks, including:

ISO/IEC 27001 – Information Security

INSIDX security practices follow ISO 27001-aligned principles such as:

• Risk assessment and continuous improvement

• Access control and change management

• Asset and configuration management

GDPR – Data Protection & Privacy

INSIDX applies GDPR-aligned principles, including:

• Lawful and transparent processing

• Data minimization and purpose limitation

• Technical and organizational safeguards

PCI DSS – Secure Infrastructure Support

INSIDX infrastructure is designed to support PCI DSS-compliant environments where required by customers, including:

• Network segmentation and firewalling

• Secure system configurations

• Monitoring and access logging

INSIDX does not claim formal certification under ISO, PCI DSS, or any regulatory framework unless explicitly stated in writing.

SHARED RESPONSIBILITY MODEL

Security and compliance operate under a shared responsibility model.

INSIDX is responsible for:

• Infrastructure-level security controls

• Platform-level operational safeguards (where applicable)

Customers are solely responsible for:

• Application security

• Data classification and usage

• Regulatory compliance specific to their business

• Secure configuration of unmanaged services

Failure by the customer to fulfill these responsibilities releases INSIDX from any related liability.

CONTINUOUS IMPROVEMENT

INSIDX continuously invests in improving its security posture, operational maturity, and compliance readiness. Expanded compliance scopes and formal certifications may be pursued as part of INSIDX’s ongoing roadmap but are not guaranteed.

QUESTIONS & DUE DILIGENCE

For security questionnaires, audits, or compliance-related inquiries, customers may contact INSIDX for reasonable cooperation and transparency.

LEGAL NOTICE

This page is provided for informational purposes only and does not constitute a warranty, guarantee, certification, or formal compliance attestation.

All services are governed exclusively by the INSIDX MSA, TOS, and DPA.

INSIDX For Data Exchange LLC
legal@insidx.com
www.insidx.com