Operations · security posture
How we run secure engagements.
The controls we apply to ourselves and to client work. Aligned to ISO 27001 and SOC 2 Type II. We are not yet formally certified; the certification status and audit window are recorded below.
Posture: Aligned (ISO 27001 · SOC 2 Type II framework)
Certification: Pending (audit window Q4 2026)
Disclosure: 90 days (CVD policy · security@tracefox.dev)
Controls
| ID | Control | Commitment |
|---|---|---|
| AC.01 | Access control | SSO required for all internal services. Hardware keys for production. Quarterly access review. |
| AC.02 | Client engagement access | Time-bound, audit-logged, scoped to the contracted environment. Revoked on engagement close. |
| DA.01 | Data at rest | Internal data encrypted with provider-managed KMS. Client telemetry never leaves the client's tenancy. |
| DA.02 | Data in transit | TLS 1.3 minimum. mTLS where the client requires it. |
| BC.01 | Backup & recovery | Internal data backed up daily, restore-tested monthly. Engagement artefacts archived to the client per contract. |
| VM.01 | Vulnerability management | Dependency scanning on every push. Critical-severity CVEs patched within 7 days, high-severity within 30 days. |
| IR.01 | Incident response | Defined IR plan, tested twice a year. Client notification SLA: 24 hours for confirmed incidents. |
| VD.01 | Vendor diligence | Subprocessor list reviewed quarterly. Contracts require equivalent or stronger controls. |
Coordinated disclosure
If you've found a vulnerability in this site or in any code we've published, email security@tracefox.dev. We'll respond within one business day, fix within the 90-day disclosure window, and credit you publicly unless you ask us not to.
We do not run a paid bounty programme. We do, however, send a small physical token of thanks for valid reports.