Headx encrypts data in transit (TLS 1.3) and at rest (AES-256), runs in AWS Mumbai (ap-south-1) for Cloud, supports fully air-gapped On-Premise for regulated industries, and aligns with the IT Act 2000, IT Rules 2011, RBI cyber-security framework, IRDAI, and SEBI requirements.
Data protection
Encryption in transit
All traffic between the Headx agent, dashboard, and backend uses TLS 1.3 with modern cipher suites. Older TLS versions are disabled. HSTS is enforced with a 1-year max-age on all customer-facing endpoints.
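The two transport claims above (TLS 1.3 only, one-year HSTS) are the kind of thing a customer can verify from the client side rather than take on trust. The script below is an added example, not Headx's own code: it assumes a hostname supplied by the caller, builds a client context that refuses anything below TLS 1.3, and checks the Strict-Transport-Security header against the 31536000-second max-age the page states (directive parsing follows RFC 6797).

```python
import socket
import ssl

ONE_YEAR = 365 * 24 * 3600  # 31536000 s, the HSTS max-age the page states

def tls13_only_context():
    """Client context that refuses anything below TLS 1.3: an old server fails the handshake."""
    ctx = ssl.create_default_context()  # CA chain + hostname verification stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def parse_hsts(header):
    """Split a Strict-Transport-Security value into directives (names are case-insensitive)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_is_acceptable(header, minimum=ONE_YEAR):
    """True only when HSTS is present and max-age >= minimum; absent or max-age=0 fails."""
    if not header:
        return False
    max_age = parse_hsts(header)["max_age"]
    return max_age is not None and max_age >= minimum

def check_endpoint(host, port=443):
    """Handshake with the strict context, HEAD /, and report protocol + HSTS verdict."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with tls13_only_context().wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            head = b""
            while b"\r\n\r\n" not in head:  # read until the header block is complete
                chunk = tls.recv(4096)
                if not chunk:
                    break
                head += chunk
            headers = {}
            for line in head.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")[1:]:
                name, _, value = line.partition(":")
                headers[name.strip().lower()] = value.strip()
            return {"protocol": tls.version(),
                    "hsts_ok": hsts_is_acceptable(headers.get("strict-transport-security"))}
```

`check_endpoint` needs network access to the endpoint being checked; the parsing and policy functions run offline.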
Encryption at rest
All data stored by Headx Cloud is encrypted at rest using AES-256. Database volumes are encrypted with AWS KMS-managed keys. Object storage (screenshots, recordings) is encrypted server-side. On-Premise installations use the same cipher; key management is delegated to the customer's chosen KMS or OS-level key store.
Key management
Keys for Cloud customers are stored in AWS KMS and rotated annually. Customer-managed key (CMK / BYOK) support is available On-Premise. JWT secrets, database credentials, and third-party API tokens are stored in a dedicated secrets manager, never in source control or in environment variables that could be exposed in logs.
Data residency
Cloud: All Headx Cloud data is hosted in AWS Mumbai (ap-south-1). No replication outside India. Backup snapshots also reside in ap-south-1. We do not use US, EU, or Singapore regions for production Cloud workloads.
On-Premise: Data resides exclusively on customer infrastructure. Headx engineers can access On-Premise systems only via customer-initiated screen-share sessions for support; we hold no copy of customer data.
This satisfies the data-localisation requirements of the RBI Master Direction on IT Outsourcing, IRDAI Information and Cyber Security Guidelines, and the SEBI Cybersecurity Framework.
Access controls
Customer-side
Multi-factor authentication is available on every user account (TOTP and SMS). Role-based access control provides five default roles (super admin, admin, manager, auditor, viewer) plus custom roles with granular permissions. Session timeouts are configurable per company. An IP allowlist is available for the admin panel.
Headx-side
Headx employees have no default access to customer data. Privileged-access workflows require:
- Explicit customer ticket or approval
- SSO + hardware-key MFA
- Time-boxed access (auto-revoked after the support session)
- Full session recording of any access action
- Audit-log entry shared with the customer afterwards
Background-verified employees only. Quarterly access reviews for all internal systems.
Agent (endpoint) security
The Windows agent:
- Is code-signed with an Extended Validation certificate
- Is submitted to all major AV vendors for proactive false-positive prevention
- Uses certificate pinning for its backend connection to prevent MITM
- Runs as a service under a dedicated low-privilege account where the OS allows
- Is tamper-resistant: uninstall requires admin privilege and is audit-logged
- Supports offline buffering in an encrypted queue when the network is unavailable
Compliance frameworks
India statutory
- IT Act 2000 and its 2008 amendment — security practices required under Section 43A
- IT (Reasonable Security Practices) Rules 2011 — consent, notice, retention, breach reporting
- DPDP Act 2023 — alignment in progress; granular consent flags ship today
Sector-specific
- RBI Master Direction on Outsourcing of IT Services (April 2023), Cyber Security Framework for Banks (June 2016)
- IRDAI Information and Cyber Security Guidelines (2017, current)
- SEBI Cybersecurity and Cyber Resilience Framework (August 2022)
- NDHM / DISHA (draft) — healthcare data handling principles incorporated
International (alignment, not yet certified)
- ISO 27001:2022 — controls mapped, certification in progress (target Q2 2026)
- SOC 2 Type 2 — audit in progress (target Q3 2026)
- GDPR — Article 28 DPA template available for EU-headquartered customers with Indian operations
Reporting a vulnerability
If you discover a security vulnerability in Headx, please report it to security@headx.in with:
- A description of the issue and reproduction steps
- Affected endpoint or page
- Severity assessment (your view)
- Any proof-of-concept code (please do not include real customer data)
We acknowledge reports within 4 hours (24x7), confirm the issue within 48 hours, and target a patch within 14 days for high-severity issues. Researchers who follow responsible disclosure are eligible for public credit on our security page and, case by case, a bug bounty paid in INR.
Please do not publicly disclose the issue before we have responded, attempt to access customer data that is not your own, or run DDoS tests against production systems.
Incident response and notification
Headx maintains a documented incident response runbook with the following commitments:
- Detection — 24x7 monitoring with alerting on anomalous infrastructure activity
- Containment — within 2 hours of a confirmed incident
- Customer notification — affected customers notified within 72 hours of confirmation (DPDP Act 2023 alignment)
- Public disclosure — within 30 days of resolution if customer data was affected
- Post-mortem — published to affected customers within 30 days of resolution
Sub-processors and data flows
For Cloud customers, the following sub-processors handle data on our behalf:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Compute, storage, database | Mumbai, India (ap-south-1) |
| Cloudflare | CDN, DDoS protection, WAF | Global edge (data does not leave India for processing) |
| Cashfree Payments | Payment processing | India |
| Razorpay | Payment processing (alternative) | India |
| Postmark / Resend | Transactional email | US (no customer activity data shared) |
On-Premise customers have zero sub-processors — all data flows are inside the customer's own infrastructure.
Audits and assurance
Available to customers under NDA:
- Penetration test summary (latest: Q1 2026, conducted by external firm)
- Security questionnaire responses (SIG, CAIQ, customer-specific)
- Data Processing Agreement (DPA) signed by our authorised signatory
- Sub-processor list with annual review
- Incident response playbook (redacted)
Request via security@headx.in or sales@headx.in.