Security Policy
Our commitment to security — how we protect our systems, handle client data, and accept vulnerability reports.
Note: This document constitutes a legally binding agreement between you and DemoniX Labs. Please read it carefully. By engaging our services, accessing our website, or communicating with us for the purpose of commissioning work, you agree to be bound by the applicable policies below.
01 Our Security Commitment
DemoniX Labs takes security seriously across everything we build and operate. This Security Policy describes our internal security practices, the responsibilities we accept when handling client systems and data, our responsible disclosure process, and the limitations of our security-related services.
Security is embedded into every phase of our work — from architecture and code review to deployment and handoff — not applied as an afterthought.
02 Scope of This Policy
This policy covers:
- DemoniX Labs's own infrastructure and website (demonixlabs.com)
- Our internal development, communication, and project management systems
- Our practices when handling client data, codebases, and credentials during service engagements
- Responsible vulnerability disclosure for our own systems
This policy does not cover the security posture of systems we have built for clients after the engagement has concluded and ownership has been transferred. Clients are responsible for maintaining the security of systems under their control. We offer ongoing security retainers and review services for clients who require continued coverage.
03 Our Internal Security Practices
Access Control
Access to client systems, repositories, credentials, and data is granted on a strict need-to-know, least-privilege basis. Access is revoked immediately upon project completion or team member offboarding. We use multi-factor authentication (MFA) on all accounts with access to client environments.
Credential and Secret Management
We never store credentials, API keys, or secrets in version control systems. We use dedicated secret management tools and environment variable systems. Client credentials shared with us are handled as Confidential Information under our Terms of Service and are deleted or rotated upon project completion.
Secure Development Practices
Our engineering team follows secure coding practices including:
- Input validation and output encoding to prevent injection attacks (SQLi, XSS, etc.)
- Dependency auditing and regular updates to address known CVEs
- Code review as a standard part of our development workflow
- HTTPS/TLS enforcement on all web-facing systems we build and operate
- Parameterised queries and ORM-based database interactions to prevent SQL injection
- Authentication and authorisation checks implemented at the API and service layer
- OWASP Top 10 awareness incorporated into our development standards
Data Handling
Client data is processed only on systems with appropriate access controls and encryption. We do not store client production data on personal devices. We use encrypted communication channels for all sensitive exchanges.
Infrastructure Security
Our own infrastructure is hosted on reputable cloud providers with industry-standard security certifications. We apply security patches and updates in a timely manner and conduct periodic reviews of our security posture.
04 Security Services We Provide
DemoniX Labs offers cybersecurity services including penetration testing, secure architecture design and review, threat modelling, code security audits, and compliance readiness assessments (OWASP, SOC 2, ISO 27001).
Scope of Security Engagements
All security assessments are conducted within a clearly defined and mutually agreed written scope. We will not conduct testing, scanning, or access of any systems, networks, or data outside the explicitly authorised scope. The Client is responsible for obtaining all necessary authorisations for systems hosted on external infrastructure or shared with third parties.
Point-in-Time Assessment Limitation
Security assessments represent a snapshot of the security posture at the time of engagement. The identification of vulnerabilities does not guarantee that all vulnerabilities have been found. New vulnerabilities may emerge after the assessment due to new attack techniques, software updates, or changes made to the system. DemoniX Labs is not liable for security incidents arising from vulnerabilities not identified in an assessment or from changes made after assessment delivery.
Penetration Testing Authorisation
By engaging DemoniX Labs for penetration testing, the Client confirms they have the legal right and authority to authorise testing of all systems within the defined scope. The Client indemnifies DemoniX Labs against any claims arising from the authorised testing activities.
05 Responsible Disclosure
We welcome responsible reporting of security vulnerabilities discovered in our own website (demonixlabs.com) or any infrastructure we operate.
How to Report
If you believe you have discovered a security vulnerability in our systems, please report it privately and promptly to: security@demonixlabs.com. Please include a description of the vulnerability, steps to reproduce it, potential impact, and your contact details.
What We Ask of Researchers
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
- Do not access, modify, or delete data belonging to us or our clients
- Do not perform testing that could degrade the performance or availability of our systems
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it (coordinated disclosure)
- Act in good faith and within the spirit of this policy
Our Commitments
We will acknowledge receipt of your report within 5 business days, investigate in good faith, keep you informed of our progress, and work to remediate confirmed vulnerabilities in a timely manner. We will not pursue legal action against researchers who act in good faith in accordance with this policy.
06 Client Responsibilities
When engaging DemoniX Labs for any service, the Client accepts the following security responsibilities:
- Rotate any credentials, API keys, or access tokens shared with DemoniX Labs upon project completion
- Maintain the security of all systems, code, and infrastructure after handoff from DemoniX Labs
- Apply security patches and software updates to delivered systems in a timely manner
- Implement appropriate access controls for any systems built by DemoniX Labs before exposing them to end-users
- Not introduce unapproved third-party code or configurations into systems under active development without prior notification
- Notify DemoniX Labs promptly of any security incidents that may affect shared systems or data during an active engagement
DemoniX Labs is not responsible for security degradation resulting from actions taken by the Client or third parties on systems after the engagement has concluded.
07 Incident Response
In the event of a suspected or confirmed security incident affecting our systems or Client data under our stewardship during an active engagement, we will:
- Notify the affected Client without undue delay upon confirmation of the incident
- Contain the incident and take immediate steps to prevent further unauthorised access or data loss
- Investigate the incident to determine its scope and root cause
- Provide the Client with a written incident summary including findings and remediation steps taken
- Cooperate with the Client and relevant authorities as required by applicable law
Notification to regulatory authorities (e.g., under GDPR) is the responsibility of the Client as the data controller, unless otherwise agreed in writing.
08 Disclaimer of Security Warranties
DEMONIX LABS DOES NOT WARRANT THAT ANY SECURITY ASSESSMENT, PENETRATION TEST, CODE AUDIT, OR SECURITY ARCHITECTURE REVIEW WILL IDENTIFY ALL VULNERABILITIES OR THAT IMPLEMENTATION OF RECOMMENDATIONS WILL RESULT IN A COMPLETELY SECURE SYSTEM. NO SECURITY MEASURE OR ASSESSMENT IS ABSOLUTE.
TO THE MAXIMUM EXTENT PERMITTED BY LAW, DEMONIX LABS'S LIABILITY ARISING FROM SECURITY SERVICES SHALL BE LIMITED AS SET OUT IN OUR TERMS OF SERVICE. DEMONIX LABS IS NOT LIABLE FOR ANY DATA BREACH, SECURITY INCIDENT, OR DAMAGE OCCURRING AFTER THE DELIVERY OF SECURITY ASSESSMENT REPORTS, OR ARISING FROM THE CLIENT'S FAILURE TO IMPLEMENT RECOMMENDATIONS.
09 Changes to This Policy
We may update this Security Policy from time to time as our practices evolve or in response to changes in the threat landscape or applicable regulations. We will update the date at the top of this page when changes are made.
For questions about this policy or to report a security issue, contact: security@demonixlabs.com
Questions or concerns?
If you have questions about this document or wish to exercise any rights described herein, contact us directly:
Email: legal@demonixlabs.com
Website: demonixlabs.com/contact
