Security and Privacy at CMD+CTRL

As an application security training provider, we hold our internal systems, processes, and people to the same standards we advocate for our customers. Our formal security and privacy program is built on least-privilege access, layered controls, continuous improvement, and independent audits — led by dedicated Security and Privacy teams who define policy, monitor compliance, and validate our controls.

TRUST SNAPSHOT

At-a-Glance Security Overview

COMPLIANCE

SOC 2 Type II (Security, Availability & Confidentiality)

INDEPENDENT TESTING

Regular third-party penetration testing

DATA PROTECTION

Encryption of data at rest and in transit

ACCESS CONTROLS

Role-based access with strong authentication

SECURITY REPORTING

Dedicated vulnerability disclosure and support channels

Compliance & Assurance

CMD+CTRL maintains a SOC 2 Type II attestation, covering the Security, Availability, and Confidentiality Trust Services Criteria.

Independent audits and third-party assessments are used to validate the design and operating effectiveness of our security program. Customers and partners may request access to our SOC 2 report and related documentation through the CMD+CTRL Security Trust Center.

Enterprise Security

Data Protection & Encryption

CMD+CTRL protects customer data using industry-standard administrative, technical, and physical safeguards. We employ encryption at rest for customer databases and object storage, alongside TLS 1.2 or higher for data in transit. Furthermore, encryption keys and application secrets are securely managed and access-controlled to prevent unauthorized access, disclosure, or modification.

Application & Product Security

Security is embedded throughout our Secure Development Lifecycle. We conduct independent third-party penetration testing on applications and cloud infrastructure. Internally, we utilize automated security testing (SAST, DAST, SCA, and EASM) to identify vulnerabilities in custom code and dependencies. Continuous monitoring allows us to identify and respond swiftly to newly introduced risks. Penetration testing activities are made available in the Trust Center.

Corporate Security Controls

We apply rigorous controls across internal operations. Identity and access management enforces role-based access and strong authentication, while endpoint security controls protect corporate devices through centralized management. Secure remote access is mandatory for internal systems. Additionally, comprehensive security awareness training is provided to all employees annually, with specialized training for engineering roles.

Vendor Security

CMD+CTRL uses a risk-based vendor security review process to assess third parties prior to engagement. Vendors are evaluated based on factors such as data access, system integration, and potential business impact to ensure that third-party relationships do not introduce unacceptable risk to CMD+CTRL or its customers.

Assessment Criteria

  • Data access levels
  • System integration depth
  • Business continuity impact

Contact & Reporting

CMD+CTRL encourages responsible disclosure and welcomes questions regarding our security practices. We aim to acknowledge reported security issues within one business week.

Security concerns or vulnerabilities
security@cmdnctrlsecurity.com

Customer support inquiries
support@cmdnctrlsecurity.com

Frequently Asked Questions

Do you have a SOC 2 report?

Yes. CMD+CTRL maintains a SOC 2 Type II attestation. Access to the report is available to customers and qualified partners upon request through the Trust Center.

How is customer data protected?

Customer data is protected through encryption at rest and in transit, role-based access controls, and secure key management practices.

Do you perform penetration testing?

Yes. CMD+CTRL engages independent third-party security firms to conduct regular penetration testing of its products and cloud infrastructure.

How do you manage access to systems?

System access is granted based on role and business need, requires strong authentication, and is automatically revoked when access is no longer required.

How are employees trained on security?

All employees receive security awareness training during onboarding and annually thereafter. Engineering staff receive additional training focused on secure development practices.

How do you assess vendor security?

Vendors are assessed using a risk-based review process that considers their access to data, system integrations, and potential impact on CMD+CTRL and its customers.

How can I report a security issue?

Please report suspected security issues to security@cmdnctrlsecurity.com. We aim to acknowledge reports within one business week.