Pre-launch. The disclosure process below is live now. Once we publish a public-facing report-and-track tool (or sign on with a coordinated-disclosure platform), we'll update this page and link the canonical reporting channel here.
Reporting a vulnerability
If you've found a security issue in Nine·Tails — credential exposure, broken access control, injection, anything — please write to hello@ninetailsagency.com with:
- A short description of the issue.
- Steps to reproduce, or a working proof of concept.
- The version of the product and the page or endpoint where you saw it.
We aim to acknowledge every report within one business day and to share an initial assessment within five business days. We won't pursue legal action against researchers who report in good faith and follow the guidelines below.
What we ask in return
- Don't exfiltrate, retain, or share customer data beyond what's necessary to demonstrate the issue.
- Don't run automated scans against production.
- Give us a reasonable window to fix and ship before public disclosure — typically 90 days, sooner for trivial fixes, longer for severe issues that need migration.
How we handle data
The full text lives in the Privacy Policy, but the short version:
- All data in transit is encrypted with TLS.
- Data at rest is encrypted by our database and storage providers.
- Production access is limited to a small, audited group of named engineers.
- We don't sell your data, share it with advertisers, or train external models on it.
- Customer Data is processed on documented instructions per the Data Processing Addendum.
Subprocessors
The current list is in Privacy §5 and the formal DPA Appendix A. We notify customers in advance of new subprocessors via email and an in-product banner.
Incident response
In the event of a confirmed breach affecting Customer Data, we notify the affected customers within 72 hours of confirming the incident. Notification includes the scope, the data categories involved, the remediation steps taken, and the steps we recommend the customer take.
Bug bounty
We don't run a paid bounty program at this time. We're a small team. If you find something significant, we'll thank you publicly (with your permission), credit you in the changelog, and — when we're financially able — settle up properly.
Contact
Security questions, disclosures, audit requests — write to hello@ninetailsagency.com.