Compliance
Controls aligned with SOC 2, ISO 27001, GDPR, CCPA, and modern enterprise expectations.
Overview
Codexium aligns its security and privacy practices with leading frameworks such as SOC 2, ISO 27001, GDPR, and CCPA. Our objective is to provide a control environment that integrates smoothly into your own audit and governance processes.
Governance & Policy Framework
We maintain a structured set of policies covering information security, access control, software development lifecycle, incident response, data privacy, vendor management, and business continuity. Policies are reviewed at least annually and whenever there are major environment or regulatory changes.
SOC 2 / ISO 27001 Alignment
- Controls mapped to the SOC 2 Trust Services Criteria, including security, availability, confidentiality, processing integrity, and privacy.
- Internal practices aligned to ISO 27001 domains such as asset management, operations, supplier management, and development.
- Control matrices and policy summaries available under NDA to support your vendor assessments.
Privacy Regulations (GDPR / CCPA)
When Codexium processes personal data on your behalf:
- We act as a data processor under your documented instructions.
- Data is collected and used strictly for the agreed purposes and retained only as long as necessary.
- Data subject rights can be supported through defined operational processes, under your direction as controller or business.
Third-Party Risk Management
We evaluate critical third parties and sub-processors for:
- Security certifications and independent attestations.
- Data location, residency, and transfer mechanisms.
- Incident notification obligations and uptime commitments.
Shared Responsibilities
Client
- Define applicable regulatory obligations and internal policies.
- Maintain controls over end-user behavior and business processes.
- Conduct vendor due diligence as required.
Codexium
- Operate services in line with industry frameworks and client requirements.
- Provide documentation, responses, and evidence for audits.
- Maintain records of processing where applicable.
Cloud Provider
- Offer platform-level certifications and compliance documentation.
- Provide encryption, logging, and IAM primitives.