Security Policy
Last Updated: June 2026 · Security Disclosures: security@vaixus.tech · Canonical Contact: /.well-known/security.txt
1. Introduction
This Security Policy describes the security principles, disclosure procedures, and operational practices followed by Vaixus Technologies ("Vaixus", "we", "our", or "us"), an email infrastructure consulting practice operating from Tiruppur, Tamil Nadu, India.
This Policy applies to:
- HTTPS and TLS protections
- security headers
- least-privilege access principles
- restricted administrative access
- credential handling procedures
- secure deletion procedures
- logging and monitoring controls where reasonably appropriate
- industry-standard, secure analytics to monitor traffic anomalies and ensure platform stability without compromising client confidentiality
This Policy should be read together with our:
2. Security Principles
Vaixus operates according to the following principles:
We do not intentionally access, read, store, or review client email message content as part of our standard consulting services.
Where access is required, we request only the minimum permissions reasonably necessary to perform the agreed engagement.
We seek to collect and retain only information reasonably necessary to provide consulting services and fulfil legal obligations.
Assessment findings and deliverables are subject to consultant review before delivery.
We support responsible vulnerability disclosure and aim to acknowledge valid reports within seventy-two (72) hours.
3. Infrastructure Information We May Access
During consulting engagements, Vaixus may access information including:
- publicly observable DNS records
- SPF records
- DKIM configurations
- DMARC policies
- MX records
- authentication reports
- sending IP ranges
- email service provider configuration settings
- postmaster reputation information
- monitoring information necessary to perform contracted services
Where implementation assistance is agreed, we may request:
- delegated DNS management permissions
- temporary administrator access
- configuration access required to perform the engagement
Clients retain ownership and control of all infrastructure and access permissions.
4. Information We Do Not Intentionally Access
Except where voluntarily provided by the Client for troubleshooting purposes, Vaixus does not intentionally:
- read email bodies
- access email attachments
- access inboxes or sent folders
- inspect employee communications
- access customer lists
- access marketing databases
- access CRM records unrelated to domain configuration
- access campaign content
- process recipient information beyond technical metadata reasonably necessary for the engagement
We do not request domain ownership transfer, billing access, or unnecessary system permissions.
5. Website and Infrastructure Security
Vaixus seeks to implement reasonable technical safeguards appropriate to the nature of our services.
Depending upon operational requirements, safeguards may include:
- HTTPS and TLS protections
- security headers
- least-privilege access principles
- restricted administrative access
- credential handling procedures
- secure deletion procedures
- logging and monitoring controls where reasonably appropriate
No security measure can guarantee absolute protection against all threats.
Accordingly, Vaixus does not warrant that any system, website, service, or communication channel is completely secure.
6. Security Headers Disclosure
Vaixus may implement reasonable browser security protections, including where operationally appropriate:
- Content Security Policy (CSP)
- HTTP Strict Transport Security (HSTS)
- X-Content-Type-Options
- X-Frame-Options
- Referrer-Policy
- Permissions-Policy
Security configurations may evolve over time and are not guaranteed to remain static.
7. Credential Handling
Where credentials or access permissions are provided by Clients:
- access is used solely for the contracted engagement
- access is limited to personnel reasonably necessary to perform the engagement
- credentials are not intentionally retained beyond operational, legal, or support requirements
- clients remain responsible for approving, managing, and revoking access permissions
Where reasonably practicable, Vaixus recommends that Clients revoke temporary access following engagement completion.
8. Responsible Disclosure Policy
We welcome good-faith security research.
If you believe you have identified a security vulnerability affecting Vaixus infrastructure, please report it privately before public disclosure.
Reports should be submitted to: security@vaixus.tech
Please include:
- description of the issue
- affected URL, system, or component
- steps to reproduce
- potential impact
- your contact information if acknowledgement is desired
We request that researchers avoid accessing, modifying, deleting, or retaining client information and avoid activities that may disrupt service availability.
9. Our Commitments to Security Researchers
For reports made in good faith and within the scope of this Policy, Vaixus aims to:
- acknowledge valid reports within seventy-two (72) hours
- investigate reported issues
- communicate remediation progress where reasonably appropriate
- credit researchers by name or handle where permission is granted
- support coordinated disclosure practices
Vaixus does not intend to pursue legal action against researchers who:
- act in good faith
- avoid privacy violations
- avoid service disruption
- avoid data destruction
- avoid accessing client information
- provide a reasonable opportunity for remediation before public disclosure
10. Out of Scope Activities
The following activities are outside the scope of this Policy:
- social engineering
- phishing
- physical attacks
- denial-of-service attacks
- attacks against client infrastructure
- automated scanning without manual verification
- spam submissions
- attacks against third-party providers
- attempts to access personal or confidential information
11. Security Incident Communications
Security-related enquiries may be directed to:
- Security Disclosures: security@vaixus.tech
- Legal Notices: legal@vaixus.tech
- General Support: support@vaixus.tech
For confirmed security incidents affecting client information, Vaixus will communicate with affected parties as required by applicable law and as reasonably practicable under the circumstances.
12. Security Documentation and Procurement Requests
Clients requiring:
- security questionnaires
- vendor security reviews
- procurement documentation
- security attestations
- responsible disclosure information
may contact: security@vaixus.tech
13. Policy Updates
Vaixus may update this Security Policy from time to time.
Material changes affecting active engagements may be communicated using the contact information associated with the engagement.
The latest version is always published on our website.
14. Contact
Vaixus Technologies
Tiruppur, Tamil Nadu, India
General Enquiries: soorya@vaixus.tech
Security Disclosures: security@vaixus.tech
Legal Notices: legal@vaixus.tech
Support: support@vaixus.tech
Canonical Security Contact: /.well-known/security.txt