ResolvX is built on the premise that financial dispute resolution requires the highest standards of data protection. This page documents how we protect your data, our control environment, and our path to independent certification.
ResolvX is proud to showcase its six-phase GRC programme. Public documents link directly to the project repository.
Confidential documents require a signed NDA; request access via security@resolvx.io.
Security Posture
Our security programme is built across six phases, grounded in ISO 27001:2022, NIST CSF 2.0, and SOC 2 Trust Service Criteria.
Multi-factor authentication is enforced for 100% of users via Okta. Role-based access control with quarterly access reviews. Privileged accounts require hardware FIDO2 keys. Zero standing access to production data.
Hosted exclusively on AWS in EU regions (eu-west-1, eu-central-1). AWS GuardDuty active in all regions. CloudTrail logging with S3 integrity validation. All data encrypted at rest (AES-256) and in transit (TLS 1.3).
All endpoints managed via Jamf MDM. Full-disk encryption enforced on all devices. Screen lock after 5 minutes. Remote wipe capability tested quarterly. EDR agent deployed across 100% of fleet.
Snyk integrated into all CI/CD pipelines for SAST and SCA scanning. Patch SLAs: Critical within 24 hours, High within 72 hours, Medium within 30 days. AWS Inspector enabled. No unpatched critical vulnerabilities.
24/7 infrastructure monitoring via Datadog. GuardDuty threat detection with weekly findings review. Okta anomaly detection with impossible travel alerts. Centralised log management with 12-month retention.
Annual security awareness training for all staff. Phishing simulation programme. Role-specific training for engineers and privileged users. Security topics embedded in onboarding for all new hires.
Compliance Frameworks
We align our ISMS to leading international standards. Our Q1 2026 internal audit confirmed conformance across all tested controls.
| Framework | Scope | Status | Evidence | Last Assessed |
|---|---|---|---|---|
| ISO/IEC 27001:2022 | Full ISMS across all systems, data, and personnel | Aligned | Internal audit Q1 2026 · 0 major NCs | Mar 2026 |
| SOC 2 Trust Service Criteria | Security, Availability, Confidentiality | Type II In Progress | Readiness: 88% · Observation period Aug 2026 | Mar 2026 |
| GDPR (EU) 2016/679 | All personal data processing activities | Compliant | ROPA maintained · DPAs executed · DSR process live | Mar 2026 |
| NIST CSF 2.0 | GV, ID, PR, DE, RS, RC functions | Aligned | Control matrix mapped · Gap analysis complete | Q4 2025 |
| NIST SP 800-61 Rev 2 | Incident response lifecycle | Implemented | IR plan, 3 runbooks, tabletop Feb 2026 | Feb 2026 |
| NIST SP 800-53B (Moderate Baseline) | Control selection reference | Reference | Used as supplementary control baseline | Q4 2025 |
Data Practices
We process financial dispute data on behalf of regulated financial institutions. Our data handling practices reflect the sensitivity of this responsibility.
Incident Response
ResolvX maintains a documented, tested incident response programme aligned to NIST SP 800-61 Rev 2. Our last tabletop exercise was conducted in February 2026.
Incidents detected via AWS GuardDuty, Datadog, Okta anomaly detection, or staff reports. Severity classified P1–P4 within minutes of detection.
Incident Response Team assembled. Affected systems isolated. Evidence preserved per chain-of-custody procedures. Out-of-band communications activated.
If your data is affected, we notify you as data controller within our DPA timelines (typically 24–72 hours). Personal data breaches are notified to the Irish DPC within 72 hours of awareness.
Root cause remediated. Systems restored from verified clean backups. Service restored per defined RTOs. 72-hour post-recovery monitoring.
Lessons learned meeting within 5 business days of all P1/P2 incidents. Findings fed back into risk register and control improvements.
| Severity | Initial Response | Client Notification |
|---|---|---|
| P1: Critical | 15 minutes | Within 24 hours |
| P2: High | 1 hour | Within 48 hours |
| P3: Medium | 4 hours | As required |
| P4: Low | Next business day | N/A |
To report a suspected security incident: security@resolvx.io
For urgent P1 issues, your account manager has our emergency contact line.
Vendor Security
We operate a formal Third-Party Risk Management (TPRM) framework. All critical vendors are assessed annually. Data Processing Agreements are executed with every vendor that processes personal data.
| Vendor | Role | Risk Tier | SOC 2 / ISO 27001 | DPA Status | Data Processed |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud Infrastructure | Tier 1 | SOC 2 Type II · ISO 27001 | Active | All production data (EU regions) |
| Okta | Identity & Access Management | Tier 1 | SOC 2 Type II | Active | Employee identity (no client PII) |
| GitHub | Source Code Management | Tier 1 | SOC 2 Type II · ISO 27001 (Microsoft) | Active | Source code only (no client data) |
| Google Workspace | Email & Collaboration (EU residency) | Tier 1 | SOC 2 Type II · ISO 27001 | Active | Internal comms (EU data residency) |
| Datadog | Monitoring & Observability | Tier 2 | SOC 2 Type II | Active | System logs (anonymised) |
| Stripe | Payment Processing (billing only) | Tier 2 | PCI DSS Lvl 1 · SOC 2 Type II | Active | ResolvX billing only (no client data) |
Full sub-processor register available to clients upon request under NDA. Updated within 30 days of any material change.
Our GRC team is available to answer questions about our security programme, share additional documentation under NDA, or schedule a security review call.