Security Policy

Last Updated: June 2026  ·  Security Disclosures: security@vaixus.tech  ·  Canonical Contact: /.well-known/security.txt

1. Introduction

This Security Policy describes the security principles, disclosure procedures, and operational practices followed by Vaixus Technologies ("Vaixus", "we", "our", or "us"), an email infrastructure consulting practice operating from Tiruppur, Tamil Nadu, India.

This Policy applies to:

  • HTTPS and TLS protections
  • security headers
  • least-privilege access principles
  • restricted administrative access
  • credential handling procedures
  • secure deletion procedures
  • logging and monitoring controls where reasonably appropriate
  • industry-standard, secure analytics to monitor traffic anomalies and ensure platform stability without compromising client confidentiality

This Policy should be read together with our:

2. Security Principles

Vaixus operates according to the following principles:

Zero Email Content Access

We do not intentionally access, read, store, or review client email message content as part of our standard consulting services.

Minimum Privilege

Where access is required, we request only the minimum permissions reasonably necessary to perform the agreed engagement.

Data Minimisation

We seek to collect and retain only information reasonably necessary to provide consulting services and fulfil legal obligations.

Human Review

Assessment findings and deliverables are subject to consultant review before delivery.

Coordinated Disclosure

We support responsible vulnerability disclosure and aim to acknowledge valid reports within seventy-two (72) hours.

3. Infrastructure Information We May Access

During consulting engagements, Vaixus may access information including:

  • publicly observable DNS records
  • SPF records
  • DKIM configurations
  • DMARC policies
  • MX records
  • authentication reports
  • sending IP ranges
  • email service provider configuration settings
  • postmaster reputation information
  • monitoring information necessary to perform contracted services

Where implementation assistance is agreed, we may request:

  • delegated DNS management permissions
  • temporary administrator access
  • configuration access required to perform the engagement

Clients retain ownership and control of all infrastructure and access permissions.

4. Information We Do Not Intentionally Access

Except where voluntarily provided by the Client for troubleshooting purposes, Vaixus does not intentionally:

  • read email bodies
  • access email attachments
  • access inboxes or sent folders
  • inspect employee communications
  • access customer lists
  • access marketing databases
  • access CRM records unrelated to domain configuration
  • access campaign content
  • process recipient information beyond technical metadata reasonably necessary for the engagement

We do not request domain ownership transfer, billing access, or unnecessary system permissions.

5. Website and Infrastructure Security

Vaixus seeks to implement reasonable technical safeguards appropriate to the nature of our services.

Depending upon operational requirements, safeguards may include:

  • HTTPS and TLS protections
  • security headers
  • least-privilege access principles
  • restricted administrative access
  • credential handling procedures
  • secure deletion procedures
  • logging and monitoring controls where reasonably appropriate

No security measure can guarantee absolute protection against all threats.

Accordingly, Vaixus does not warrant that any system, website, service, or communication channel is completely secure.

6. Security Headers Disclosure

Vaixus may implement reasonable browser security protections, including where operationally appropriate:

  • Content Security Policy (CSP)
  • HTTP Strict Transport Security (HSTS)
  • X-Content-Type-Options
  • X-Frame-Options
  • Referrer-Policy
  • Permissions-Policy

Security configurations may evolve over time and are not guaranteed to remain static.

7. Credential Handling

Where credentials or access permissions are provided by Clients:

  • access is used solely for the contracted engagement
  • access is limited to personnel reasonably necessary to perform the engagement
  • credentials are not intentionally retained beyond operational, legal, or support requirements
  • clients remain responsible for approving, managing, and revoking access permissions

Where reasonably practicable, Vaixus recommends that Clients revoke temporary access following engagement completion.

8. Responsible Disclosure Policy

We welcome good-faith security research.

If you believe you have identified a security vulnerability affecting Vaixus infrastructure, please report it privately before public disclosure.

Reports should be submitted to: security@vaixus.tech

Please include:

  • description of the issue
  • affected URL, system, or component
  • steps to reproduce
  • potential impact
  • your contact information if acknowledgement is desired

We request that researchers avoid accessing, modifying, deleting, or retaining client information and avoid activities that may disrupt service availability.

9. Our Commitments to Security Researchers

For reports made in good faith and within the scope of this Policy, Vaixus aims to:

  • acknowledge valid reports within seventy-two (72) hours
  • investigate reported issues
  • communicate remediation progress where reasonably appropriate
  • credit researchers by name or handle where permission is granted
  • support coordinated disclosure practices

Vaixus does not intend to pursue legal action against researchers who:

  • act in good faith
  • avoid privacy violations
  • avoid service disruption
  • avoid data destruction
  • avoid accessing client information
  • provide a reasonable opportunity for remediation before public disclosure

10. Out of Scope Activities

The following activities are outside the scope of this Policy:

  • social engineering
  • phishing
  • physical attacks
  • denial-of-service attacks
  • attacks against client infrastructure
  • automated scanning without manual verification
  • spam submissions
  • attacks against third-party providers
  • attempts to access personal or confidential information

11. Security Incident Communications

Security-related enquiries may be directed to:

For confirmed security incidents affecting client information, Vaixus will communicate with affected parties as required by applicable law and as reasonably practicable under the circumstances.

12. Security Documentation and Procurement Requests

Clients requiring:

  • security questionnaires
  • vendor security reviews
  • procurement documentation
  • security attestations
  • responsible disclosure information

may contact: security@vaixus.tech

13. Policy Updates

Vaixus may update this Security Policy from time to time.

Material changes affecting active engagements may be communicated using the contact information associated with the engagement.

The latest version is always published on our website.

14. Contact

Vaixus Technologies

Tiruppur, Tamil Nadu, India


General Enquiries: soorya@vaixus.tech

Security Disclosures: security@vaixus.tech

Legal Notices: legal@vaixus.tech

Support: support@vaixus.tech

Canonical Security Contact: /.well-known/security.txt