Incidents & Vulnerability Disclosure Policy
Incidents & Vulnerability Disclosure Policy
CRP-POL-CWC-010-R1: Incidents & Vulnerability Disclosure Policy
Effective Date: 10 May 2026
© 2026 Enxèro Systems. All rights reserved.
Printed copies are uncontrolled. Refer to the online version for the current revision.
1. Introduction
This Incident & Vulnerability Disclosure Policy explains how security incidents and potential vulnerabilities relating to the Enxèro Systems platform and related services (“Services”) may be reported and handled.
We encourage responsible and lawful reporting of security concerns that may affect the confidentiality, integrity, or availability of the Services.
This Policy should be read together with our:
Terms of Service
Privacy Policy
Data Processing Agreement (DPA)
Security Overview
2. Who We Are
Enxero System Ltd
P.O. Box 1036-00606
Nairobi, Kenya
(“Company”, “we”, “us”, or “our”)
3. Scope
This Policy applies to:
security vulnerabilities affecting the Services
suspected unauthorized access to systems operated by Enxèro Systems
incidents potentially affecting Customer Data processed through the Services
This Policy does not apply to:
Customer-managed environments
third-party systems outside our operational control
services independently selected or managed by Customers
Customers remain responsible for securing their own systems, networks, devices, and credentials.
4. Reporting Security Concerns
Security concerns may be reported through the designated security contact channel identified in this Policy.
Reports should include, where reasonably possible:
description of the issue
affected systems or features
steps to reproduce the issue
potential impact
supporting evidence where available
We encourage reports to be made promptly and in good faith.
5. Responsible Disclosure Expectations
Individuals reporting vulnerabilities are expected to:
act lawfully and responsibly
avoid disruption of Services
avoid unauthorized access to data
avoid disclosure of vulnerabilities to third parties before remediation
avoid actions that may harm Customers, users, or systems
This Policy does not authorize:
unauthorized access
destructive testing
denial-of-service activity
social engineering
malware deployment
physical intrusion attempts
Activities violating applicable law or the Terms of Service remain prohibited.
6. Incident Assessment and Response
Reported incidents or vulnerabilities may be:
reviewed
assessed for impact and severity
prioritized according to operational risk
investigated and remediated where appropriate
Response actions may include:
containment measures
service restrictions
infrastructure changes
credential resets
security notifications
We do not guarantee remediation timelines for all reported issues.
7. Customer Notifications
Where required by applicable law or contractual obligations, affected Customers may be notified of security incidents involving Customer Data.
Notifications may include:
general nature of the incident
categories of affected information where known
mitigation measures undertaken
recommended Customer actions where applicable
Notification timing may vary depending on:
severity
verification requirements
operational containment efforts
legal considerations
8. Confidentiality and Handling of Reports
Information relating to reported vulnerabilities or incidents may be treated as confidential.
We may limit disclosure of technical details where necessary to:
protect system security
prevent misuse
comply with legal obligations
support remediation efforts
9. No Guarantee or Reward Program
Submission of a vulnerability report does not create:
contractual rights
compensation rights
authorization for testing activities
Unless expressly stated otherwise, Enxèro Systems does not operate a public bug bounty or reward program.
10. Service Availability and Security Actions
We may take reasonable operational or security measures necessary to:
investigate incidents
protect systems
preserve evidence
prevent unauthorized activity
maintain service integrity
Such measures may temporarily affect access to portions of the Services.
11. Retention of Security Records
Security-related records, logs, and incident information may be retained in accordance with:
operational requirements
legal obligations
dispute resolution requirements
the Data Retention Policy
12. Changes to This Policy
We may update this Privacy Policy from time to time.
Material changes will be communicated through:
email notification
publication in the Governance Hub
notification on the Service page
Updated versions become effective on the stated effective date.
13. Contact Information
For legal or governance inquiries:
Enxero System Ltd
P.O. Box 1036-00606
Nairobi, Kenya
[email protected]
CRP-POL-CWC-010-R1: Incidents & Vulnerability Disclosure Policy
Effective Date: 10 May 2026
© 2026 Enxèro Systems. All rights reserved.