How HCL BigFix AEX Protects Your Data and Services

Security

HCL BigFix AEX implements layered security controls to protect data, identities, and platform operations.

  • Data encryption: TLS 1.2/1.3 for data in transit and AES-256 encryption for data at rest across all storage layers.
  • Data protection: Strong access controls, encryption, and configurable retention protect customer and AI-related data.
  • Identity & access management: SSO via SAML 2.0 with enterprise IdPs and role-based access controls enforce least-privilege access.
  • Platform architecture & isolation: Secure-by-design architecture with network isolation, encrypted integrations, and authenticated APIs.
  • Availability & disaster recovery: High availability design with redundancy, backups, and defined recovery processes.
  • Logging & monitoring: Continuous logging and 24×7 monitoring of access, application, and AI activity.
  • Secure development & testing: Security embedded across the SDLC with threat modeling, testing, and GenAI-specific safeguards.
  • Incident response: Structured vulnerability management and incident response led by our PSIRT.
  • Edge & network protection (SaaS): Uses a web application firewall (WAF) and DDoS protection at the edge to protect the platform from common web threats and volumetric attacks.
  • Session security: Interactive sessions are automatically terminated after 15 minutes of inactivity.
  • API & service security: Platform APIs require authentication (for example, API keys and OAuth 2.0). Service-to-service communication uses secure channels and mutual TLS where applicable.
  • Backups: Storage snapshots and component backups are maintained, for example Cloudant weekly (30-day retention), VectorDB daily (35 days), Redis daily (30 days), and Postgres daily (30 days).
  • Security monitoring: Security events are aggregated into a SIEM for 24×7 monitoring, supported by service heartbeat monitoring.
  • Log retention: Application logs are retained up to 30 days and access logs up to 1 year (subject to policy and deployment scope).
  • GenAI threat testing: Includes testing aligned to OWASP guidance for LLM application risks (for example, prompt injection and data leakage).

Compliance

HCL BigFix AEX aligns with recognized compliance standards and maintains governance through continuous assessment and validation.

  • Global standards alignment: Aligns with internationally recognized security and compliance standards, including ISO/IEC 27001, SOC 2 Type II, and CERT-In.
  • Independent audits & attestations: Undergoes regular internal and external audits, security assessments, and compliance reviews to validate control effectiveness.
  • Certification scope & renewal: Certifications/attestations apply to the SaaS deployment scope as defined in audit reports. On-prem deployments are governed by customer-controlled environments and shared responsibility.
  • Regulatory & regional compliance: Supports regulatory and regional compliance requirements through aligned controls, secure development practices, and flexible deployment options (SaaS and On-premise).
  • Continuous governance & control mapping: Operates under a formal governance and risk management framework with continuous monitoring, assessment, and control alignment.

Privacy & Data Handling

HCL BigFix AEX governs personal data through defined roles, minimization, and transparent data handling practices.

  • Privacy by design & default: Privacy principles are embedded into platform design, development, and operations to protect personal data by default.
  • Data roles & responsibilities: Customers act as data controllers, retaining ownership and control of their data. We process data only as required to deliver the service.
  • Data minimization & purpose limitation: Only the data necessary for defined operational purposes is processed. Controls are in place to limit collection, storage, and AI usage of personal data.
  • Data residency & retention: Data is retained per defined retention policies. By default, data is archived after 1 year, retained in the archive for 3 months, and purged after 15 months (unless customer policy requires otherwise). Secure deletion mechanisms are applied when data is removed.
  • Data subject rights & transparency: HCL BigFix AEX supports transparency and data subject rights, including access, correction, deletion, and clear visibility into data usage and access controls.
  • PII protection & redaction: Provides configurable end-user disclaimers and supports regex-based redaction and client-side redaction controls to minimize exposure of personal data in AI inputs and outputs.

Responsible AI

HCL BigFix AEX applies responsible AI principles to ensure secure, transparent, and human-governed AI usage.

  • AI usage overview: HCL BigFix AEX uses AI to support secure automation, decision assistance, and workflow orchestration, with controls to govern how AI-driven actions are executed.
  • Ethical principles & governance: AI capabilities are governed through defined ethical principles, risk management practices, and enterprise security controls.
  • Human oversight & accountability: Human-in-the-loop controls ensure oversight for critical or high-impact actions, maintaining accountability for AI-assisted decisions.
  • Data handling & privacy in AI: AI processing follows strict data protection practices, including encryption, access controls, and configurable data retention.
  • Model quality & security validation: AI capabilities and integrations are tested for reliability and security, including safeguards against common GenAI risks such as prompt injection and unsafe output.
  • Transparency & explainability: AI interactions and outputs are logged and auditable, providing transparency into how AI responses and actions are generated.

Support

To report a potential security vulnerability or raise a security concern, please contact our security team at hcl-bigfix-aex-core@hcl-software.com