“Because one copy is never enough. Control-C safeguards your Xero ledgers, Cin7 inventory, and XPM workflows, captured, searchable, and recoverable when the cloud isn’t.”

Trust Center

Security, privacy, and compliance

Aggregate links to policies, attestations, and updates.

Visit legal center View status page

The Control-C Trust Center provides real-time visibility into our security, privacy, and compliance posture. Use this page to access independent attestations, review policies, and subscribe to updates affecting your business continuity programs.

Platform Security

  • Architecture: Multi-tenant, microservices-based platform deployed across redundant availability zones. Encryption at rest (AES-256) and in transit (TLS 1.2+) is enforced by default.
  • Identity & Access: Single sign-on (SAML, OIDC), SCIM provisioning, and mandatory MFA for privileged roles. Role-based access control enables least-privilege assignments.
  • Secure Development: Integrated secure SDLC, static analysis, dependency scanning, and peer-reviewed pull requests. Production deployments require automated and manual approvals.

Compliance and Certifications

  • SMB1001 Cyber Security Framework: Silver maturity certification renewed annually.
  • Alignment maintained with Essential Eight, UK Cyber Essentials, CMMC, ISO 27001, and Right Fit for Risk to simplify evidence crosswalks.
  • HIPAA Business Associate Agreement available upon request.
  • SMB1001 control mapping available for NIST CSF, CIS Critical Security Controls, and FFIEC-regulated workloads.

Request compliance documentation or complete due diligence questionnaires by emailing compliance@control-c.com.

Data Protection and Privacy

  • Privacy Policy and GDPR Statement outline lawful bases, rights management, and supervisory contacts.
  • Data residency options include U.S.-only, EU-only, or dual-region deployments. Encryption keys are managed through dedicated AWS KMS tenants.
  • Annual third-party penetration tests, quarterly tabletop exercises, and simulated phishing campaigns strengthen incident readiness.

Incident Response

  • 24/7 security operations with defined playbooks for vulnerability handling, data breaches, and platform outages.
  • Customer notifications delivered via the status page, email, and in-product alerts.
  • Post-incident reviews are shared with impacted customers, including root cause, remediation, and prevention steps.

Business Continuity

  • Continuous backups with 15-minute recovery point objective (RPO) and four-hour recovery time objective (RTO).
  • Disaster recovery tests conducted twice annually, with executive summaries available under NDA.
  • Vendor risk management program evaluates critical suppliers quarterly, aligning with our Subprocessor Registry.

Stay Informed

  • Subscribe to trust bulletins: trust@control-c.com
  • Report a vulnerability: security@control-c.com
  • Media or analyst inquiries: press@control-c.com

View live operational metrics and maintenance updates on the Control-C Status Page.

Last updated: March 20, 2025