CX Horizon (“we,” “us,” “our”) is committed to protecting client and visitor data. Our controls are designed to align with industry best practices, the Philippine Data Privacy Act of 2012 (DPA), and National Privacy Commission (NPC) guidelines.
1) Physical & Site Security
Restricted access: RFID/biometric entry to controlled areas; visitor sign-in procedures.
On-site security: 24/7 personnel and CCTV in partner facilities supporting delivery.
Device restrictions: USB ports disabled on production machines; personal devices restricted in secure zones.
Principle of least privilege: Access granted on a need-to-know basis with periodic reviews.
Change management: Documented change control for systems and configuration.
4) Data Protection
Data minimization: We collect only what’s necessary to respond to inquiries and deliver services.
Encryption: Data is encrypted in transit; encryption at rest is applied where technically feasible and risk-appropriate.
Retention & disposal: Time-bound retention with secure deletion of records no longer required.
5) Business Continuity & Disaster Recovery
Backups: Routine, automated backups of critical systems.
Multi-region DR (where applicable): Warm/hot standby capability in partner environments.
Exercises: Periodic DR drills with documented outcomes and corrective actions.
6) Security Monitoring & Incident Response
Monitoring: 24/7 NOC/SOC-style coverage through partner facilities and tooling.
Incident handling: Severity classification (SEV-1 to SEV-4), containment/eradication, and post-incident RCA shared with affected clients.
Reporting channel: See “Report a Security Concern” below.
7) Vendor & Subprocessor Management
Due diligence: Security and privacy reviews of hosting, tooling, and service providers.
Contracts: Data-protection commitments and confidentiality obligations.
Ongoing oversight: Re-assessment aligned to risk and material changes.
8) People & Training
Confidentiality: Staff NDAs and confidentiality obligations.
Awareness: Security and privacy training upon onboarding and periodically.
Acceptable use: Clear policies covering systems and data handling.
9) Compliance Posture
DPA/NPC: Program aligned with the Philippine Data Privacy Act and NPC guidance (data subject rights, breach notification, safeguards).
Certifications: Our delivery operations may leverage partner facilities that maintain internationally recognized certifications such as ISO/IEC 27001 and SOC 2 Type II. (Note: certifications are held by partner facilities; CX Horizon itself does not claim certification unless explicitly stated in a client agreement.)
10) Client Data Processing
We can act as a data processor for clients. A Data Processing Addendum (DPA/DPAU) is available on request, covering roles, instructions, confidentiality, security, breach notification, subprocessing, and cross-border transfers.
Report a Security Concern
If you believe you’ve found a security or privacy issue, please contact us at info@cxhorizon.com.
Include a description of the issue, steps to reproduce, and any relevant URLs or request IDs. We will acknowledge receipt, investigate, and provide an appropriate response in line with our incident process.
Address:
CX Horizon Services
1702/2 High Street Corporate Plaza 26th Street, Bonifacio Global City Taguig 1630, Philippines