The standard we sell is the standard we run.

Saint Fox audits other companies for a living, so our own posture belongs in public. This page is the record: what we hold today, what is underway, and how to report a vulnerability to us.

Posture register

Where we stand today

ISO 27001: Information security management

Our ISMS is scoped and certification is underway with an accredited body. The certificate will be published on this page the day it is issued.

In progress

CERT-In: Security audit empanelment

Saint Fox is empanelled with the Indian Computer Emergency Response Team (CERT-In) for information security auditing.

Empanelled

security.txt: Vulnerability disclosure

A machine-readable disclosure channel is published at /.well-known/security.txt, following RFC 9116.

Published

Register last updated June 11, 2026. Ask for evidence on any line: contact@stfox.com

Practice

How we secure our own house

The same controls we recommend to clients, applied to ourselves. Short statements, each one checkable.

Access

Least privilege by default. MFA on every account, hardware keys for privileged access, and quarterly access reviews.

Data

Client data is segregated per engagement, encrypted in transit and at rest, and removed on a defined schedule when work ends.

Engineering

Changes ship through review and CI checks. Secrets live in a vault, never in code.

Vendors

Subprocessors are reviewed before use and listed for clients on request.

Incidents

A named on-call owner, a written runbook, and notification commitments in every engagement agreement.

People

Security training at onboarding and annually. Offboarding revokes access the same day.

Responsible disclosure

Found something? Tell us.

Report it

Email contact@stfox.com with steps to reproduce, affected URLs, and any proof of concept. Encrypted mail is welcome.

We acknowledge

You hear back within 3 business days with a triage decision and a named owner.

We fix and credit

We share a remediation timeline, confirm the fix, and credit you publicly if you want the mention.

Good-faith research is welcome

If you follow this policy we will not pursue legal action over your testing. We ask that you avoid accessing client data, degrading service, or publishing an issue before we confirm a fix.

/.well-known/security.txt (RFC 9116)
Contact: mailto:contact@stfox.com
Expires: 2027-06-30T00:00:00.000Z
Preferred-Languages: en
Canonical: https://stfox.com/.well-known/security.txt
Policy: https://stfox.com/trust/
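
A security.txt file is only useful while it stays valid, so it is worth checking mechanically. The sketch below is an added example, not Saint Fox's own tooling: it parses the file shown above and applies a few RFC 9116 rules (Contact required, Expires exactly once and not in the past, https for web URIs). The names parse and check are illustrative, and the caller supplies the reference date.

```python
from datetime import datetime, timedelta, timezone

# The file exactly as shown on this page.
PAGE_FILE = """\
Contact: mailto:contact@stfox.com
Expires: 2027-06-30T00:00:00.000Z
Preferred-Languages: en
Canonical: https://stfox.com/.well-known/security.txt
Policy: https://stfox.com/trust/
"""
# Fields whose values are URIs; RFC 9116 requires https:// for web URIs.
URI_FIELDS = ("contact", "canonical", "policy", "encryption", "acknowledgments", "hiring")

def parse(text):
    """Return {lowercased field name: [values]}; skips blank lines and '#' comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check(text, now):
    """Return (errors, warnings) for the RFC 9116 rules encoded below."""
    f, errors, warnings = parse(text), [], []
    if not f.get("contact"):
        errors.append("Contact is required at least once")
    if len(f.get("expires", [])) != 1:
        errors.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(f["expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                raise ValueError("no UTC offset")
        except ValueError:
            errors.append("Expires is not an RFC 3339 date-time")
        else:
            if exp <= now:
                errors.append("Expires is in the past; the file is stale")
            elif exp - now > timedelta(days=366):
                warnings.append("Expires is over a year ahead; RFC 9116 recommends less")
    if len(f.get("preferred-languages", [])) > 1:
        errors.append("Preferred-Languages may appear at most once")
    for name in URI_FIELDS:
        for v in f.get(name, []):
            if v.lower().startswith("http://"):
                errors.append(f"{name}: web URIs must use https://")
    return errors, warnings
```

Run check(PAGE_FILE, datetime.now(timezone.utc)) on a schedule so an approaching Expires date is caught before the file goes stale.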

FAQ

Common questions about our posture

Certification is in progress. The ISMS is scoped and the work is underway with an accredited body, and the certificate will be published on this page the day it is issued. Saint Fox is already empanelled with CERT-In for security auditing.

Email contact@stfox.com with steps to reproduce. We acknowledge reports within 3 business days, and our machine-readable policy lives at /.well-known/security.txt. Good-faith research is welcome.

Client data is segregated per engagement, encrypted in transit and at rest, and removed on a defined schedule when work ends. Subprocessors are reviewed before use and listed for clients on request.

Yes. Send it to contact@stfox.com. For most questionnaires we return evidence-backed answers drawn from the same register published on this page.

Questions about our posture?

Ask the people who run it. A Principal Engineer answers, with evidence.