ChangeBreeze

Security & Trust

How we protect your data and infrastructure

Security Overview

At ChangeBreeze, we treat all customer and infrastructure data as sensitive. Our platform is built with security as a foundational principle, not an afterthought.

We continuously evaluate and improve our security posture to meet the expectations of MSPs, IT teams, and enterprise customers.

Data Protection

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Secure Password Hashing: User passwords are hashed using strong, one-way cryptographic algorithms. We never store plaintext passwords.
  • Logical Tenant Isolation: Each organisation's data is logically isolated. Customer data is never shared with or accessible by other tenants.

Access Control & Identity

  • Role-Based Access Control (RBAC): Users are assigned specific roles with granular permissions. Access is granted based on job function and business need.
  • Least-Privilege Access: Internal access to production systems follows the principle of least privilege. Team members only have access to the resources required for their role.
  • Multi-Factor Authentication: MFA is available for all user accounts to provide an additional layer of security.
  • Session Management: User sessions are managed with secure tokens and automatic timeouts to reduce the risk of unauthorised access.

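As an added illustration of the session handling in the list above (example code for this page, not ChangeBreeze's; the timeout values, the in-memory store and the names are assumptions), the following issues opaque random tokens, keeps only a hash of each token server-side, and enforces both an idle timeout and an absolute timeout:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values, not ChangeBreeze's actual settings.
IDLE_TIMEOUT_S = 30 * 60           # expire after 30 minutes without activity
ABSOLUTE_TIMEOUT_S = 12 * 60 * 60  # and unconditionally 12 hours after login


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen_at: float


class SessionStore:
    """Server-side session table keyed by SHA-256(token).

    The raw token exists only in the client's cookie; the store, its backups
    and any log line that dumps it hold hashes that cannot be presented.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        """Issue a new opaque token: 256 bits from the OS CSPRNG, not random.random()."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live session, else None.

        Expired entries are deleted on sight, so a session that has once
        timed out cannot be revived by later activity or a clock adjustment.
        """
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        idle_expired = now - session.last_seen_at > IDLE_TIMEOUT_S
        absolute_expired = now - session.created_at > ABSOLUTE_TIMEOUT_S
        if idle_expired or absolute_expired:
            del self._sessions[key]
            return None
        session.last_seen_at = now  # sliding idle window
        return session.user_id

    def revoke(self, token: str) -> None:
        """Logout: drop the session regardless of remaining lifetime."""
        self._sessions.pop(self._key(token), None)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Password change or suspected compromise: end every session of the user."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

The optional now argument exists so the timeout logic can be exercised without sleeping; production callers omit it. The absolute timeout matters because a sliding idle window alone lets a stolen token live indefinitely as long as the thief keeps using it.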
Audit Logging & Monitoring

  • Comprehensive Audit Logs: Key user and system actions are logged, including authentication events and configuration changes.
  • Abnormal Activity Monitoring: We review logs and use infrastructure-level monitoring to identify unusual activity.
  • Log Retention: Audit logs are retained in accordance with our data retention policies.

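The detection logic below is an added example of the kind of check the monitoring bullets above describe, run over a few constructed JSON audit lines. It is not ChangeBreeze's monitoring; the log format, field names and thresholds are assumptions and the sample lines are made up for this page. It flags an account whose successful login is preceded by a burst of failed attempts inside a short window, while leaving a single mistyped password alone, and it counts unparseable lines instead of crashing on them.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Assumed thresholds, not ChangeBreeze's tuning.
FAIL_THRESHOLD = 5        # at least this many failures ...
WINDOW_SECONDS = 10 * 60  # ... in the 10 minutes before a success

# Constructed sample audit log (one JSON object per line), not real data.
# alice: five failures from two addresses, then a success (should alert)
# bob:   one mistyped password, then a success (normal, no alert)
# carol: an unrelated configuration change
# alice: a later clean login long after the burst (no alert)
# plus one malformed line to exercise the parser's error path
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:01Z", "event": "login.failure", "user": "alice", "ip": "203.0.113.7"}
{"ts": "2024-03-01T09:00:03Z", "event": "login.failure", "user": "alice", "ip": "203.0.113.7"}
{"ts": "2024-03-01T09:00:06Z", "event": "login.failure", "user": "alice", "ip": "203.0.113.7"}
{"ts": "2024-03-01T09:00:09Z", "event": "login.failure", "user": "alice", "ip": "203.0.113.8"}
this line is not valid JSON and must not crash the detector
{"ts": "2024-03-01T09:00:12Z", "event": "login.failure", "user": "alice", "ip": "203.0.113.8"}
{"ts": "2024-03-01T09:01:10Z", "event": "login.success", "user": "alice", "ip": "203.0.113.8"}
{"ts": "2024-03-01T09:05:00Z", "event": "login.failure", "user": "bob", "ip": "198.51.100.2"}
{"ts": "2024-03-01T09:05:30Z", "event": "login.success", "user": "bob", "ip": "198.51.100.2"}
{"ts": "2024-03-01T09:20:00Z", "event": "config.change", "user": "carol", "ip": "198.51.100.9", "setting": "webhook_url"}
{"ts": "2024-03-01T10:00:00Z", "event": "login.success", "user": "alice", "ip": "203.0.113.7"}
"""


def parse_events(log_text: str) -> Tuple[List[dict], int]:
    """Parse JSON-lines audit records; return (events, malformed_line_count).

    Malformed lines are counted rather than silently dropped: a spike in
    unparseable lines is itself worth an alert, since it blinds detection.
    """
    events: List[dict] = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        events.append(rec)
    return events, malformed


def detect_failure_bursts(events: List[dict]) -> List[dict]:
    """Flag each login.success preceded by >= FAIL_THRESHOLD login.failure
    events for the same account within WINDOW_SECONDS."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e.get("event") in ("login.failure", "login.success"):
            by_user[str(e.get("user"))].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "login.success":
                continue
            window_start = e["ts"].timestamp() - WINDOW_SECONDS
            prior_failures = [
                f for f in evs[:i]
                if f["event"] == "login.failure" and f["ts"].timestamp() >= window_start
            ]
            if len(prior_failures) >= FAIL_THRESHOLD:
                alerts.append({
                    "user": user,
                    "success_at": e["ts"].isoformat(),
                    "failures": len(prior_failures),
                    "source_ips": sorted({f.get("ip", "?") for f in prior_failures} | {e.get("ip", "?")}),
                })
    return alerts
```

The alert carries every source address seen in the burst, which is what an analyst needs first: a success from the same address as the failures looks like a guessed password, while a success from a fresh address after failures elsewhere points at credential stuffing and is worth a forced MFA step or session revocation.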
Infrastructure Security

  • Cloud-Hosted Infrastructure: ChangeBreeze is hosted on enterprise-grade cloud infrastructure with robust physical and environmental controls.
  • Network Firewalls & Isolation: Our network architecture includes firewalls and segmentation to limit exposure and contain potential threats.
  • DDoS Protection & WAF: We employ DDoS mitigation and Web Application Firewall (WAF) services to protect against volumetric and application-layer attacks.
  • Regular Patching & Updates: Systems are regularly patched and updated to address known vulnerabilities in a timely manner.

Secure Development Practices

  • Secure Coding Standards: Our development team follows secure coding guidelines to minimise the introduction of vulnerabilities.
  • Code Reviews: All code changes undergo peer review before deployment to production.
  • Dependency Management: We review and update third-party dependencies to address known vulnerabilities.
  • Controlled Change Management: Changes to production systems follow a documented change management process with appropriate approvals.

Incident Response

  • Documented Process: We maintain a documented incident response process to ensure timely and effective handling of security events.
  • Investigation & Remediation: Security incidents are investigated promptly, with root cause analysis and remediation actions taken as appropriate.
  • Customer Notification: In the event of a confirmed security incident affecting customer data, we will notify impacted customers in a timely manner.

Third-Party Risk Management

  • Vendor Selection: We carefully evaluate third-party vendors and service providers before engagement, considering their security practices and reputation.
  • Minimal Data Sharing: We limit the data shared with third parties to what is necessary for the service being provided.
  • Periodic Review: Third-party services are reviewed periodically to ensure they continue to meet our security expectations.

Customer Responsibilities

Security is a shared responsibility. While we secure the platform, customers play an important role in protecting their accounts and data:

  • Account Security: Customers are responsible for maintaining the confidentiality of their account credentials and for all activities under their accounts.
  • Permission Management: Customers should regularly review and manage user permissions within their organisation to ensure appropriate access levels.
  • MFA Enablement: We strongly recommend enabling multi-factor authentication for all user accounts.

Security Contact & Responsible Disclosure

We value the security research community and welcome responsible disclosure of potential vulnerabilities.

If you believe you have discovered a security vulnerability in ChangeBreeze, please report it to:

Email: [email protected]

Please include sufficient detail to allow us to understand and reproduce the issue. We ask that you:

  • Give us reasonable time to investigate and address the issue before public disclosure
  • Avoid accessing or modifying data that does not belong to you
  • Act in good faith to avoid privacy violations and disruption to our services

Questions? If you have security or compliance questions, please contact us at [email protected]. We're happy to discuss our security practices in more detail.