# AffixIO security contact (RFC 9116)
# Organisation: AffixIO
# Last-Updated: 2026-06-02
# Publication: https://www.affix-io.com/.well-known/security.txt

Contact: https://www.affix-io.com/contact
Expires: 2027-06-02T23:59:59.000Z
Preferred-Languages: en
Canonical: https://www.affix-io.com/.well-known/security.txt
Policy: https://www.affix-io.com/security
Acknowledgments: https://www.affix-io.com/security#disclosure
Hiring: https://www.affix-io.com/contact

# -----------------------------------------------------------------------------
# Purpose
# -----------------------------------------------------------------------------
# This file is for good-faith security research and coordinated vulnerability
# disclosure affecting AffixIO-operated properties and production APIs.
# AffixIO provides stateless yes/no eligibility verification with optional
# cryptographically signed proofs. Reports should focus on confidentiality,
# integrity, or availability risks to those services or customer data paths.
#
# -----------------------------------------------------------------------------
# How to report
# -----------------------------------------------------------------------------
# Submit findings through the Contact page above.
# Use the subject line: Security disclosure
# Include, where possible:
# - affected URL or API route
# - reproduction steps
# - impact assessment (confidentiality, integrity, availability)
# - proof-of-concept or supporting logs (redact third-party personal data)
# - your contact details for follow-up
# AffixIO typically responds to contact requests within one business day.
# Allow reasonable time for triage and remediation before public disclosure.
# -----------------------------------------------------------------------------
# In-scope systems (AffixIO-operated)
# -----------------------------------------------------------------------------
# - https://www.affix-io.com/ and subdomains operated by AffixIO
# - https://affix-io.com/ (canonical web property)
# - https://api.affix-io.com/ (production API)
# - Public verification, proof, and key-check endpoints documented for customers
# - Web demo and documentation surfaces published by AffixIO
#
# -----------------------------------------------------------------------------
# Out of scope
# -----------------------------------------------------------------------------
# - Social engineering against AffixIO personnel or customers
# - Physical security or third-party facilities not operated by AffixIO
# - Denial-of-service or load tests without prior written agreement
# - Issues in customer-owned applications, identity providers, or upstream data
#   sources connected by customers outside AffixIO control
# - Missing security headers or best-practice findings with no demonstrable
#   impact on AffixIO confidentiality, integrity, or availability
# - Reports requiring compromised customer API keys or credentials supplied
#   by the reporter (use your own test tenants only)
#
# -----------------------------------------------------------------------------
# Safe harbour (responsible disclosure)
# -----------------------------------------------------------------------------
# AffixIO welcomes reports from security researchers acting in good faith.
# Do not access, modify, or exfiltrate customer data.
# Do not disrupt production services or degrade availability for other users.
# Do not publicly disclose vulnerabilities before AffixIO has had reasonable
# time to investigate and remediate.
# AffixIO does not pursue legal action against researchers who follow these
# guidelines and the published Security policy. Recognition of valid reports
# may be offered at AffixIO's discretion.
# -----------------------------------------------------------------------------
# Related public documentation
# -----------------------------------------------------------------------------
# Security and Trust:     https://www.affix-io.com/security
# Security Trust Center:  https://www.affix-io.com/trust
# Privacy Policy:         https://www.affix-io.com/privacy
# Acceptable Use Policy:  https://www.affix-io.com/acceptable-use
# Terms of Service:       https://www.affix-io.com/terms
# Cookie Policy:          https://www.affix-io.com/cookies
#
# -----------------------------------------------------------------------------
# Security programme summary (public)
# -----------------------------------------------------------------------------
# - TLS 1.2 or higher on public API and dashboard endpoints
# - Encryption at rest for operational stores and backups in production
# - Scoped API credentials with least privilege; MFA for administrative access
# - Stateless verifier boundary: no PII retained at the verifier by default
# - Signed proofs using asymmetric cryptography with key rotation procedures
# - Incident response covering detection, containment, recovery, and notification
# - Personal-data incidents reported to enterprise customers without undue delay,
#   typically within 72 hours of confirmation where GDPR applies (per Security page)
#
# -----------------------------------------------------------------------------
# Customer and enterprise enquiries
# -----------------------------------------------------------------------------
# Procurement, security questionnaires, penetration-test summaries, and DPA
# artefacts for enterprise customers are handled through the Contact page.
# Write from a corporate domain and include your organisation name and the
# intended use case.
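# Added example, not AffixIO code: an offline RFC 9116 checker in Python that
# a reporter can run before relying on a security.txt, or a maintainer before
# publishing one. It parses the "Field: value" lines, skips "#" comments, and
# reports missing required fields, non-https web URIs, an expired or
# more-than-a-year-ahead Expires, duplicated single-valued fields, and a
# Canonical list that omits the URL the file was fetched from. The field names
# and rules are RFC 9116's; SAMPLE (this page's own field lines), BAD, SAMPLE_URL
# and validate() are the example's constructed inputs and names.

```python
"""RFC 9116 security.txt checker (added example; not AffixIO's own code).

Parses field/value lines, skips '#' comments, and reports what a reporter or
maintainer should verify before trusting or publishing such a file.  The
sample inputs at the bottom are constructed from the fields on this page.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field names defined by RFC 9116, keyed by lowercase (names are case-insensitive).
FIELDS = {n.lower(): n for n in ("Acknowledgments", "Canonical", "Contact", "Encryption",
                                 "Expires", "Hiring", "Policy", "Preferred-Languages")}
WEB_URI_FIELDS = {"Acknowledgments", "Canonical", "Encryption", "Hiring", "Policy"}
SINGLE_VALUED = {"Expires", "Preferred-Languages"}
REQUIRED = {"Contact", "Expires"}


def parse(text):
    """Return (fields, bad_lines); fields are ordered (Name, value) pairs."""
    fields, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no data
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            bad.append((lineno, raw))     # e.g. a stray sentence left unprefixed
            continue
        fields.append((FIELDS.get(name.strip().lower(), name.strip()), value.strip()))
    return fields, bad


def _parse_rfc3339(value):
    """RFC 3339 date-time; Python < 3.11 fromisoformat() rejects a bare 'Z'."""
    return datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)


def validate(text, now=None, fetched_from=None):
    """Return a list of (severity, message); an empty list means no findings."""
    now = _parse_rfc3339(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields, bad = parse(text)
    findings = [("error", f"line {n}: not a 'Field: value' line: {raw!r}") for n, raw in bad]

    names = [n for n, _ in fields]
    findings += [("error", f"{f}: required field missing") for f in sorted(REQUIRED - set(names))]
    findings += [("error", f"{f}: must appear at most once") for f in sorted(SINGLE_VALUED)
                 if names.count(f) > 1]

    for name, value in fields:
        if name not in FIELDS.values():
            findings.append(("info", f"{name}: field not defined by RFC 9116"))
        scheme = urlparse(value).scheme.lower()
        if name == "Contact" and scheme not in ("https", "mailto", "tel"):
            findings.append(("error", f"Contact: web URIs must use https, got {value!r}"))
        elif name in WEB_URI_FIELDS and scheme != "https":
            findings.append(("error", f"{name}: must be an https URI, got {value!r}"))
        if name == "Expires":
            try:
                exp = _parse_rfc3339(value)
            except ValueError:
                findings.append(("error", f"Expires: not an RFC 3339 date-time: {value!r}"))
                continue
            if exp.tzinfo is None:
                findings.append(("error", "Expires: must carry a UTC offset"))
            elif exp <= now:
                findings.append(("error", f"Expires: file expired at {value}"))
            elif exp - now > timedelta(days=365):
                findings.append(("warning", f"Expires: {value} is more than a year ahead; "
                                            "RFC 9116 recommends under a year"))

    canonicals = [v for n, v in fields if n == "Canonical"]
    if fetched_from and canonicals and fetched_from not in canonicals:
        findings.append(("warning", f"Canonical: {fetched_from} is not listed as canonical"))
    return findings


# Constructed sample: this page's field lines, minus the long comment blocks.
SAMPLE_URL = "https://www.affix-io.com/.well-known/security.txt"
SAMPLE = """\
# AffixIO security contact (RFC 9116)
Contact: https://www.affix-io.com/contact
Expires: 2027-06-02T23:59:59.000Z
Preferred-Languages: en
Canonical: https://www.affix-io.com/.well-known/security.txt
Policy: https://www.affix-io.com/security
Acknowledgments: https://www.affix-io.com/security#disclosure
Hiring: https://www.affix-io.com/contact
"""

# Constructed negative sample: an http Contact, no Expires, a duplicate, a stray line.
BAD = """\
Contact: http://www.affix-io.com/contact
Preferred-Languages: en
Preferred-Languages: fr
report vulnerabilities to the address above
"""

if __name__ == "__main__":
    for severity, message in validate(SAMPLE, fetched_from=SAMPLE_URL):
        print(severity.upper(), message)
```

# Run against this page's fields with "now" set to the Last-Updated date, the
# only finding is the Expires warning: 2027-06-02T23:59:59Z is just over a year
# out, and RFC 9116 recommends an Expires under a year away so that a stale file
# is not trusted indefinitely. A reporter should treat an expired file, or a
# Canonical list that does not include the URL they fetched, as a reason to
# confirm the contact route through the Security page before sending details.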