“Because one copy is never enough. Control-C safeguards your Xero and QuickBooks ledgers, Cin7 inventory, and XPM workflows, captured, searchable, and recoverable when the cloud isn’t.”

Security, Privacy & Trust

Built for the moments when everything else needs to hold.

If you trust us with your data, we protect it as though we run your business ourselves.

View Trust Center Contact security

Security, Privacy & Trust

Built for the moments when everything else needs to hold.

Control-C exists to protect the data your business relies on.
Security, privacy, and operational resilience are not features of our platform; they are the foundation of it.

Every backup, every snapshot, every restore workflow, and every advisory touchpoint is designed with one principle:

If you trust us with your data, we protect it as though we run your business ourselves.

SMB1001 Cyber Security Framework

Certified Silver maturity: aligned to global standards.

Control-C operates under the SMB1001 Cyber Security Framework and currently maintains Silver maturity.

SMB1001 is designed specifically for small and mid-size organizations that need security controls with real-world practicality. It maps directly to:

  • ACSC Essential Eight
  • UK Cyber Essentials
  • CMMC
  • ISO 27001
  • Right Fit for Risk

What Silver means

Silver maturity reflects consistent execution of core security policies and controls across our engineering, infrastructure, and business operations.

SMB1001 Tiers (for context)

  • Bronze: Foundational protections (firewalls, backups, patching, antivirus, training)
  • Silver: Formalized policies with consistent enforcement across the business (Control-C’s current level)
  • Gold: Enhanced monitoring, proactive incident response, and stronger access controls
  • Platinum: Independent audit validation
  • Diamond: Highest assurance, advanced threat resilience

Our goal is simple:
build resilience that scales with the organizations we protect.

Defense in Depth

Multiple layers of protection: people, process, and technology.

Security at Control-C is never one control, one tool, or one team. We build overlapping layers that work together.

Governance & Oversight

  • Executive-led security council
  • Annual risk assessments
  • Regular policy reviews aligned to SMB1001
  • Clear accountability pathways from engineering to leadership

Training & Human Security

  • Company-wide security awareness
  • Role-based secure engineering training
  • Recurring phishing simulations and testing
  • Secure-by-default practices embedded into onboarding

Access Management

  • SSO everywhere
  • Mandatory MFA
  • Device compliance enforcement
  • Quarterly access reviews for all production and internal systems
  • Least-privilege access by design

Secure Development Lifecycle

Security built into every stage of engineering.

Design

  • Threat modeling for new features
  • Privacy impact assessments
  • Architectural review gates

Build

  • Automated dependency scanning
  • Static and dynamic code analysis
  • Infrastructure-as-code validation

Release

  • Mandatory peer review
  • Segregation of duties
  • Staged deployments with automatic rollback
  • Continuous integration with security gates

Outcome:
Features only ship when they meet our standards for security, privacy, and resilience.

Infrastructure & Operations

Secure by default. Resilient under pressure.

Hosting & Network Security

  • Production hosted on AWS
  • Network segmentation and least-exposure architecture
  • Web Application Firewall (WAF)
  • DDoS mitigation and rate-limiting

Observability & Monitoring

  • Real-time logging and anomaly detection
  • Automated alerts to our Security Operations function
  • Proactive monitoring for risky or unusual activity

Backup Integrity

  • Data encrypted in transit and at rest
  • Multi-region replication for durability
  • Quarterly restore tests to validate integrity and recoverability

Vulnerability Management

Find issues early. Fix them fast.

  • Weekly scanning of containers, hosts, and dependencies
  • Automated patch pipelines
  • Remediation targets:
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
  • Annual third-party penetration tests
  • Additional ad-hoc tests for major product changes

Our commitment:
Risks are identified quickly, triaged responsibly, and resolved within strict SLAs.

Incident Response

Clear playbooks. Dedicated responders. Honest communication.

Control-C maintains a structured IR program covering:

  • Security events
  • Privacy incidents
  • Continuity events
  • Vendor outages
  • Disaster recovery scenarios

During an active incident

  • Dedicated responders are on call 24/7
  • We communicate via our Trust Center and status page
  • Customers are informed early and kept updated
  • Containment, investigation, and recovery are run according to formal playbooks

After an incident

  • Post-incident reviews
  • Documented learnings
  • Improvements to controls, automation, and prevention

We treat every incident as an opportunity to strengthen the entire platform.

Reporting & Contact

If you have a concern, you can reach us directly.

Security Issues:
[email protected]
(PGP key available in the Trust Center)

Privacy Questions:
[email protected]

Urgent Escalations:
Trust Hotline: +1 (800) 555-9824

Last Updated: March 20, 2025

Control-C: Backup that remembers everything.

Xero Certified App badge
Xero Certified App
Built to Xero’s technical and security standards.
30-day guarantee badge
100% Money-Back Guarantee
If you’re not completely satisfied within the first 30 days of starting a paid subscription, we’ll refund you — no questions asked.