This policy applies across Cizonet's central app ecosystem. It describes our security approach and the rules for reporting vulnerabilities safely.
1. Overview
Cizonet builds and operates business software, HR platforms, school systems, sales tools, AI-assisted products, websites, and professional services. Security is a shared responsibility between Cizonet, customers, administrators, users, vendors, and integration partners.
2. Security Practices
Depending on the product and customer configuration, our safeguards may include:
- Encryption in transit for supported Services.
- Role-based access controls and least-privilege permissions.
- Authentication, anti-abuse controls, and automated spam or bot protection.
- Monitoring, logging, backup processes, and incident response procedures.
- Credential, secret, and environment variable management for production systems.
- Vendor and subprocessor review for services that process customer data.
- Secure development practices, code review, dependency review, and vulnerability remediation based on risk.
- Confidentiality obligations for personnel and contractors who access sensitive systems or data.
Security controls differ by product, plan, deployment model, customer contract, and technical maturity. No system can be guaranteed to be completely secure.
3. Customer Responsibilities
Customers and users are responsible for:
- Using strong passwords and protecting credentials, devices, and email accounts.
- Enabling multi-factor authentication where available.
- Granting access only to authorized users and removing access promptly when roles change.
- Configuring roles, permissions, integrations, sharing, retention, and exports appropriately.
- Backing up exported data where the customer is responsible for its own records.
- Reporting suspected compromise, unauthorized access, and security issues promptly.
4. Responsible Disclosure
If you believe you have found a security vulnerability in a Cizonet system, email contact@cizonet.com with the subject line "Security Disclosure". Include the affected URL, product, steps to reproduce, potential impact, screenshots or proof-of-concept details, and your contact information.
This is not a bug bounty program. Cizonet does not promise payment, reward, public recognition, employment, or engagement for reports unless agreed in writing.
5. Testing Rules
Security researchers and users must not:
- Access, modify, delete, copy, export, retain, disclose, or exfiltrate data that is not their own.
- Run denial-of-service, stress, spam, phishing, social engineering, physical attack, destructive, or persistence tests.
- Bypass payment, account limits, authentication, rate limits, or product restrictions except to the minimum extent needed to demonstrate a vulnerability in their own account.
- Install malware, backdoors, miners, or tools that impair services or data.
- Publicly disclose a vulnerability before Cizonet has had a reasonable opportunity to investigate and remediate it.
If you follow this policy in good faith, avoid privacy harm, and stop testing once you identify a vulnerability, Cizonet will consider that cooperation when evaluating the report. This policy does not authorize unlawful conduct or testing against third-party systems.
6. Incident Response
If we confirm a security incident affecting personal data or customer systems, we will take reasonable steps to contain, investigate, remediate, and notify affected customers or authorities where required by law or contract.
7. Contact
Security reports: contact@cizonet.com
Emergency account concerns: +234 901 007 2510