The standard we sell is the standard we run.
Saint Fox audits other companies for a living, so our own posture belongs in public. This page is the record: what we hold today, what is underway, and how to report a vulnerability to us.
Where we stand today
Our ISMS is scoped and certification is underway with an accredited body. The certificate will be published on this page the day it is issued.
In progress
Saint Fox is empanelled with the Indian Computer Emergency Response Team (CERT-In) for information security auditing.
Empanelled
A machine readable disclosure channel is published at /.well-known/security.txt, following RFC 9116.
Published
Register last updated June 11, 2026. Ask for evidence on any line: contact@stfox.com
How we secure our own house
The same controls we recommend to clients, applied to ourselves. Short statements, each one checkable.
Access
Least privilege by default. MFA on every account, hardware keys for privileged access, and quarterly access reviews.
Data
Client data is segregated per engagement, encrypted in transit and at rest, and removed on a defined schedule when work ends.
Engineering
Changes ship through review and CI checks. Secrets live in a vault, never in code.
Vendors
Subprocessors are reviewed before use and listed for clients on request.
Incidents
A named on-call owner, a written runbook, and notification commitments in every engagement agreement.
People
Security training at onboarding and annually. Offboarding revokes access the same day.
Found something? Tell us.
Report it
Email contact@stfox.com with steps to reproduce, affected URLs, and any proof of concept. Encrypted mail is welcome.
We acknowledge
You hear back within 3 business days with a triage decision and a named owner.
We fix and credit
We share a remediation timeline, confirm the fix, and credit you publicly if you want the mention.
Good faith research is welcome
If you follow this policy we will not pursue legal action over your testing. We ask that you avoid accessing client data, degrading service, or publishing an issue before we confirm a fix.
Contact: mailto:contact@stfox.com
Expires: 2027-06-30T00:00:00.000Z
Preferred-Languages: en
Canonical: https://stfox.com/.well-known/security.txt
Policy: https://stfox.com/trust/
Common questions about our posture
Certification is in progress. The ISMS is scoped and the work is underway with an accredited body, and the certificate will be published on this page the day it is issued. Saint Fox is already empanelled with CERT-In for security auditing.
Email contact@stfox.com with steps to reproduce. We acknowledge reports within 3 business days, and our machine readable policy lives at /.well-known/security.txt. Good faith research is welcome.
Client data is segregated per engagement, encrypted in transit and at rest, and removed on a defined schedule when work ends. Subprocessors are reviewed before use and listed for clients on request.
Yes. Send it to contact@stfox.com. For most questionnaires we return evidence-backed answers drawn from the same register published on this page.
Questions about our posture?
Ask the people who run it. A Principal Engineer answers, with evidence.