Rhenyx · Security

Security.

Effective [Insert Date] · Last updated [Insert Date]

A note before you read

This page describes how we protect your data — the technical measures, the operational practices, and what to do if you find something that needs attention.

For security questions or to report a vulnerability, reach us at security@rhenyx.com.

Our approach to security.

Security is foundational to how we build and operate Rhenyx. The data you trust us with — your leads, campaigns, CRM records, and operational decisions — is what powers your marketing organization. Protecting it isn't a feature; it's the baseline expectation.

This page describes the technical and organizational measures we take to protect your data, the standards we hold ourselves to, and how to reach us if you find something that needs attention.

The measures described here apply to the marketOS platform, our website, and the internal systems we use to operate the Service.

Where your data is stored.

Rhenyx stores data with reputable cloud infrastructure providers. Your data is stored in secure data centers and is not transferred or stored in geographic locations without adequate data protection standards in place.

Our infrastructure providers maintain industry-recognized certifications (including ISO 27001, SOC 2, and equivalent regional standards) and are contractually required to maintain physical and operational security controls appropriate to the data they host on our behalf.

For specific information about where your workspace data is stored, contact security@rhenyx.com.

Encryption.

In transit

All data transmitted between your browser and our platform is encrypted using industry-standard TLS (Transport Layer Security). This applies to every interaction with the marketOS platform, our website, and our APIs.

We do not accept connections over insecure protocols. Legacy TLS versions and weak cipher suites are disabled.

At rest

Data at rest is encrypted using AES-256-GCM, a strong, industry-standard symmetric encryption algorithm. This includes your account data, platform operational data, and stored credentials for connected integrations.

Key management

Encryption keys are managed through a dedicated key management service operated by our infrastructure provider. Keys are rotated regularly, and access to key material is restricted to authorized personnel through audited workflows.

Access controls.

Access to customer data within Rhenyx is restricted to personnel who need it to perform their role. We enforce role-based access controls and regularly review who has access to what.

Principle of least privilege

Employees are granted the minimum level of access required to perform their job. Access to production systems and customer data is granted only to engineers and operators with a documented business need.

Authentication for employees

All Rhenyx employees and contractors authenticate to internal systems through single sign-on with mandatory multi-factor authentication. Access to production systems requires additional authentication steps.

Customer account security

We support strong password requirements for customer accounts. Workspace administrators can manage user roles and permissions within their workspace. Single sign-on (SSO) options are available on supported plans.

Access reviews

We conduct regular reviews of who has access to internal systems and customer data. Access is revoked promptly when employees change roles or leave the company.

Credential security.

API credentials, OAuth tokens, and authentication secrets for third-party integrations are sensitive data. We handle them with the same care we apply to customer payment information.

  • Credentials are stored in encrypted form at rest and are never exposed in plaintext inside the platform.
  • Credentials are only decrypted at the moment a service call requires them, and only in memory within the systems that need them.
  • Customer credentials are isolated by workspace — they are never accessible across workspace boundaries.
  • Logs and error reporting systems are configured to redact credential material so it never appears in observability tooling.

You can revoke credentials at any time by disconnecting the relevant integration from your account settings.

Infrastructure security.

Our hosting infrastructure is maintained with regular security patches and monitored for anomalous activity.

Patching and vulnerability management

We track security advisories for the software components we run and apply patches in accordance with severity-based timelines. Critical vulnerabilities are remediated as a priority.

Network security

Production infrastructure is isolated from public networks behind firewalls and access control lists. Administrative access is restricted to specific authorized networks and authenticated endpoints.

Secure development

Code changes go through peer review before deployment. We use automated tools to scan our codebase for known vulnerabilities and exposed secrets. Production deployments are logged and auditable.

Separation of environments

Development, staging, and production environments are fully separated. Customer data does not exist in development or staging environments.

Monitoring and logging.

We continuously monitor the health and security posture of our platform.

  • Application logs capture request activity, errors, and key operational events. Sensitive data is redacted before logs are stored.
  • Security monitoring watches for anomalous access patterns, failed authentication attempts, and indicators of compromise.
  • Alerting notifies our on-call engineering team of incidents in real time so we can respond promptly.

Logs are retained for periods consistent with operational needs and regulatory requirements.

Backups and recovery.

Customer data is backed up regularly to support disaster recovery. Backups are encrypted at rest with the same standards applied to live data.

We maintain documented procedures for restoring service in the event of an infrastructure failure or data loss event. Recovery objectives are reviewed periodically and tested.

If you have specific business continuity questions or need information about our recovery posture for vendor assessments, contact security@rhenyx.com.

Incident response and breach notification.

We maintain an incident response process to detect, contain, and remediate security incidents quickly.

Detection and triage

Incidents identified through monitoring, customer reports, or external disclosure are triaged based on severity and customer impact. Critical incidents are escalated immediately to senior engineering and leadership.

Containment and recovery

Once an incident is confirmed, our response team works to contain the impact, recover affected systems, and restore normal operations. We preserve evidence for post-incident analysis.

Customer notification

If a security incident affects your data, we will notify you promptly and in accordance with applicable legal requirements. Notifications will include, where known: the nature of the incident, the data affected, the steps we are taking, and any actions you should consider taking.

Post-incident review

After every significant incident, we conduct a post-mortem to identify root cause and corrective actions. The goal is to make the platform more resilient over time.

Responsible disclosure.

If you believe you've found a security vulnerability in Rhenyx, we want to hear from you. Responsible reporting from the security community is one of the most valuable inputs to our security program.

How to report

Email security@rhenyx.com with:

  • A description of the issue and where you found it
  • Steps to reproduce the vulnerability
  • Any proof-of-concept material (with sensitive data redacted)
  • Your contact information so we can follow up

What we ask

  • Give us a reasonable opportunity to investigate and fix the issue before public disclosure
  • Do not access, modify, or delete data that doesn’t belong to you
  • Do not exploit the vulnerability beyond the minimum necessary to demonstrate impact
  • Do not run automated scans that could degrade service for other customers

What we'll do

We'll acknowledge your report within 5 business days, work with you to understand the issue, and keep you informed as we remediate. We'll credit you publicly if you'd like that recognition once the fix is in place.

A note on absolute security.

No system can guarantee complete security. While we implement strong protections, we cannot warrant that unauthorized access, data loss, or breach will never occur. The security of your account also depends on practices on your side — including the strength of your password, the security of the devices you access the Service from, and the care you take with credentials for connected integrations.

If you suspect that your account has been compromised or that your data has been improperly accessed, contact security@rhenyx.com immediately.

This Security page describes the measures we take but does not modify our obligations under the Terms of Service or the Privacy Policy, which govern your use of the Service.

How to reach our security team.

For all security-related inquiries:

For urgent security matters, please include “URGENT” in the subject line. We aim to acknowledge urgent reports within 24 hours.