
Security Policy

Our Security Policy was last updated in May 2026.

Please read the Security Policy carefully before using Our Service.


Our Commitment to Security

At Cudio, we handle sensitive business data on behalf of our clients every day. As a technology services company specializing in business systems integration, we understand that the platforms we implement and maintain are central to your operations. Protecting your data and earning your trust is a responsibility we take seriously.

This policy outlines the practices and standards we follow to keep your information secure.


1. Data We Handle

In the course of delivering our services, we may have access to a range of business data belonging to our clients. This can include data held within Odoo and other business systems and platforms that are part of the engagement, such as financial/payment, operational, HR, or customer data.

We access client data only to the extent necessary to deliver agreed services. We do not sell, share, or use client data for any purpose beyond the engagement.


2. Access Control

Least privilege: Our staff are granted access only to the systems and data required for their specific role or project. Access is never broader than necessary.

Client system access: Access to client systems and environments is strictly limited to team members actively working on that engagement. Access is revoked promptly at project completion or upon staff departure.

Authentication: All employees are required to use strong, unique passwords and multi-factor authentication (MFA) for all systems, including internal tools, cloud services, and any client environments we administer.

Access reviews: Access rights are reviewed periodically (at minimum quarterly) to ensure they remain appropriate for each individual's current role and responsibilities. 


3. Device and Endpoint Security

All devices used by Cudio employees to access client systems or company data must meet the following standards:

  • Full-disk encryption enabled
  • Up-to-date operating system and software, with security patches applied promptly
  • Endpoint protection (antivirus/anti-malware) installed and active
  • Screen lock enabled with a short inactivity timeout
  • Use of personal devices for client work is subject to approval and the same security standards


4. Handling Client Data

Access on a need-to-know basis: Client data is accessible only to staff working on that client's project.

No local storage of sensitive data: Employees are expected not to store client data on local devices beyond what is temporarily required for a specific task. Where possible, data is accessed remotely rather than downloaded.

Data transfer: When client data must be transferred (e.g., for migration or testing purposes), it is handled over encrypted channels. Sensitive data is never transmitted via unencrypted email or personal file-sharing services. Transferred data is promptly deleted upon task completion.

Backups: Where Cudio retains copies of client data as part of service delivery, those copies are encrypted, stored securely, and deleted or returned to the client upon completion of the engagement or upon request.


5. Confidentiality and Staff Obligations

All Cudio employees and contractors sign confidentiality agreements prior to beginning work. Our team is trained on data handling responsibilities and understands that client information is to be treated as strictly confidential at all times, during and after an engagement.


6. Incident Response

In the event of a security incident that affects or may affect client data, Cudio commits to:

  • Investigating promptly to understand the nature and scope of the incident
  • Notifying affected clients without undue delay
  • Taking immediate steps to contain and remediate the issue
  • Cooperating fully with affected clients throughout the resolution process

We maintain an internal incident response procedure and conduct periodic reviews to ensure it remains effective.


7. Subcontractors and Third Parties

Where we engage subcontractors or third-party tools to deliver services, we apply the same standards described in this policy. Subcontractors with access to client data are required to agree to confidentiality obligations consistent with our own.


8. Policy Review

This policy is reviewed at least annually and updated to reflect changes in our practices, the threat landscape, or applicable law. It is also reviewed following any significant security incident, material change in our services, or change in applicable regulatory requirements.

When significant changes are made, the updated policy will be published on our website with a revised version number and effective date.


Contact

If you have questions about our security practices, or wish to report a security concern, please contact us at:

[email protected]

Cudio Inc.