Security Practices
Last updated: 2026-06-29
1. Our Commitment
Corvexor Labs takes a pragmatic, defence-in-depth approach to security. Because we build AI agents, automation pipelines, and SaaS products that often handle sensitive client data and integrate with third-party APIs, security is a first-class concern — not an afterthought.
This page describes our current practices. It is not a contractual guarantee; see section 10 for our disclaimer.
2. Data in Transit
All data exchanged between users and our website, and between systems we build and external services, is encrypted using TLS 1.2 or higher. We do not support legacy SSL or TLS 1.0/1.1 protocols.
Our website and projects we deploy are served through Cloudflare, which enforces HTTPS, provides DDoS mitigation, and blocks common web-layer attacks via its Web Application Firewall (WAF).
3. Data at Rest
Where projects we build store sensitive data (e.g. API keys, user credentials, personally identifiable information):
- Sensitive values are stored in environment variables or secret management services, never hard-coded in source code.
- Passwords are hashed using modern algorithms (e.g. bcrypt, Argon2) and never stored in plaintext.
- We advise clients on appropriate encryption-at-rest configurations for their hosting environment.
4. Access Control and Least Privilege
- We apply the principle of least privilege: each service, API key, and integration is granted only the minimum permissions required.
- Production credentials are not used in development or staging environments.
- Access to client repositories, cloud accounts, and infrastructure is revoked promptly upon project completion or team change.
- We use multi-factor authentication (MFA) on all platforms where it is available.
5. Dependency Hygiene
- Project dependencies are reviewed at the start of each engagement and monitored for known vulnerabilities during active development.
- We use automated tooling (e.g. npm audit, pip-audit, Dependabot alerts) to surface high-severity CVEs.
- Deprecated or unmaintained packages are avoided where possible and flagged for replacement.
6. Hosting and Infrastructure
- Our website is hosted on Cloudflare Pages with no persistent server-side compute, minimising attack surface.
- Client projects are deployed to environments chosen with security in mind (e.g. managed cloud services with VPC isolation, private endpoints, and automatic patching).
- We do not store client data on our own servers beyond what is needed to complete a project.
7. Secure Development Practices
During development engagements, we apply the following:
- OWASP Top 10 awareness in code review and architecture decisions.
- Input validation and output encoding to prevent injection attacks (SQL injection, prompt injection, XSS).
- Rate limiting and authentication on public-facing APIs.
- Secrets scanning to prevent accidental credential commits.
8. Responsible Disclosure
If you discover a security vulnerability in our website or in a product we have built, we ask that you:
- Do not exploit the vulnerability or access data beyond what is needed to confirm its existence.
- Email your findings to hello@corvexorlabs.com with the subject line [Security Disclosure].
- Include: a description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code (if applicable).
We will acknowledge your report within 2 business days and aim to provide a remediation timeline within 10 business days. We will not pursue legal action against good-faith researchers who follow this process.
9. Incident Response
In the event of a confirmed security incident affecting client data:
- We will notify affected clients as soon as practicable and no later than 72 hours after becoming aware of the breach (in line with GDPR obligations where applicable).
- We will cooperate fully with investigations and take immediate steps to contain and remediate the issue.
- A post-incident summary will be provided upon request.
10. No Guarantee Disclaimer
No system is completely secure. While we apply industry-standard security practices, we cannot guarantee that our website or the systems we build will be free from vulnerabilities, breaches, or attacks. Our liability for security incidents is limited as set out in our Terms of Service.
11. Contact
Security enquiries and responsible disclosure: hello@corvexorlabs.com