We hold ourselves to our own standard.
A security firm that is careless with its own data has no business assessing yours. This is how AxVeil protects your engagement — confidentiality and NDA terms, encryption, least-privilege access, evidence destruction — and how we keep our own surface honest with coordinated disclosure and a bug bounty.
Security posture at a glance
- AES-256: all engagement artefacts encrypted on disk.
- TLS 1.2+: HSTS-enforced, modern cipher suites only.
- 90-day default retention, then evidence is securely destroyed.
- 48-hour acknowledgement on any reported flaw.
Your data is the most sensitive thing we touch.
When you hire AxVeil, you hand us a map of where you are weakest. That trust is the whole relationship. Four controls govern how we handle it — and every one is written into the engagement contract, not just this page.
Engagement confidentiality
Every engagement runs under a mutual NDA before a single packet is sent. Scope, findings, evidence, and the very fact of the engagement are treated as your confidential information. Operators work on isolated, full-disk-encrypted machines; client data never touches a personal device or an unmanaged cloud account.
- Mutual NDA signed before scoping — bidirectional, no exceptions
- Need-to-know access: only the named operator(s) on your engagement
- No client data on personal devices, personal cloud, or shared drives
Data handling & encryption
Findings, screenshots, PoC scripts, and raw scanner output are encrypted at rest with AES-256 and in transit with TLS 1.2+. Report delivery is over an authenticated channel — never an unprotected email attachment. We collect the minimum data needed to prove impact and nothing more.
- AES-256 at rest, TLS 1.2+ in transit, HSTS enforced
- Minimal-collection principle — least intrusive proof of impact
- Authenticated, access-controlled report delivery
Access control
Internal systems run on least-privilege, role-scoped access with multi-factor authentication on every account that touches client data. Credentials are vaulted, rotated, and never shared. Access to an engagement workspace is provisioned at kickoff and revoked the moment the retest closes.
- MFA mandatory on all data-bearing accounts
- Role-scoped, time-bound access provisioned per engagement
- Vaulted, rotated secrets — no shared or long-lived credentials
Evidence retention & destruction
We retain engagement evidence for 90 days by default to support your remediation and the included retest, then securely destroy it. Longer retention for audit or compliance reasons is opt-in and written into the SOW. On request we provide a written certificate of destruction.
- 90-day default retention, then cryptographic erasure
- Extended retention only by written agreement in the SOW
- Certificate of destruction available on request
The answers your procurement team will ask for.
Bringing a testing vendor through security review? Here are the headline answers up front. Full subprocessor lists, data-flow diagrams, and our security questionnaire responses ship on request under NDA.
Legal basis: Mutual NDA + signed SOW
Confidentiality and authorised-testing terms are agreed in writing before any testing begins.
Data role: Processor, not controller
We process the data your engagement exposes solely to deliver the assessment, under DPDP Act 2023 processor obligations.
Data residency: Stated in the SOW
Where engagement artefacts are stored is documented per engagement; in-region storage available on request.
Subprocessors: Disclosed on request
The small set of vendors that touch engagement infrastructure is listed for due-diligence reviews.
AxVeil is an early-stage firm and does not yet hold its own SOC 2 or ISO 27001 attestation — we will not claim certifications we do not have. We assess against those frameworks for clients, and our internal controls are built to the same baselines. Our certification roadmap is shared on request.
Two open front doors for security researchers.
We publish a coordinated disclosure policy and run a bug bounty against our own production surface. If our public stance on testing is “trust, but verify,” then our own systems have to be open to exactly that.
Coordinated disclosure
Found a vulnerability in AxVeil-owned property? Our coordinated disclosure policy defines the timeline, the legal safe harbour, and exactly how to reach us.
Read the policy
Bug bounty
Reward bands, scope, and rules of engagement for researchers hunting our production surface. Hall-of-fame credit from day one.
See rewards & scope
Security & trust, answered.
Do you sign an NDA before an engagement?
Always. A mutual NDA is signed before scoping begins — bidirectional, covering both your confidential information and ours. The scope, the findings, the evidence, and the existence of the engagement itself are all treated as your confidential information. If you have your own paper, we are happy to work from it.
Where is my engagement data stored, and for how long?
Engagement artefacts are encrypted at rest with AES-256 on access-controlled infrastructure. The default retention is 90 days from report delivery — long enough to support remediation and the included retest — after which the data is securely destroyed. Data residency and any extended retention are documented in the SOW, and a certificate of destruction is available on request.
How do you deliver the report securely?
Reports are delivered over an authenticated, access-controlled channel — never as an unprotected email attachment. We can deliver via your preferred secure file-transfer system, an encrypted archive with an out-of-band passphrase, or PGP. PoC scripts and raw evidence are shared under the same controls and the engagement NDA.
Are you a data controller or a data processor?
A processor. We process whatever data your engagement happens to expose solely to deliver the assessment, on your instructions, under the confidentiality terms of the SOW and NDA — and under the processor obligations of the DPDP Act 2023 and equivalent regimes. We do not use your data for any other purpose.
How do I report a vulnerability in AxVeil's own systems?
Email security@axveil.com or read the full coordinated disclosure policy at /disclosure. We acknowledge within 48 hours, triage within 5 business days, and operate a legal safe harbour for good-faith research. Qualifying findings are considered for a reward under the bug bounty programme.
Running us through security review?
We will complete your security questionnaire, share our subprocessor list, and sign your NDA before scoping. No data leaves our control without a contract behind it.