Information Security Addendum
Last updated: July 1, 2026
1. Purpose
This Information Security Addendum (“Addendum”) describes the technical and organizational measures Magdox Private Limited implements to protect Customer Data processed through the FDIE platform. It is incorporated by reference into our Terms of Service and, where applicable, our DPA. Where this Addendum states a control that is plan-dependent, that is noted explicitly; otherwise, described controls apply to all plans and deployment models unless the control is inherently SaaS-only or on-prem-only.
2. Encryption
- In transit: all connections to the FDIE platform are encrypted via TLS. Database connections between the application and PostgreSQL also require TLS.
- At rest: firmware images, analysis results, and account data are encrypted at rest on our infrastructure providers’ managed storage and database services.
- Secrets management: database credentials and other sensitive secrets are never hardcoded into application configuration. They are issued dynamically, scoped to a short lease, and automatically rotated through a dedicated secrets management system, reducing the blast radius of any single leaked credential.
3. Authentication and Access Control
- Multi-factor authentication: FDIE supports TOTP-based MFA and WebAuthn/passkey-based authentication for user accounts.
- Passwordless sign-in: FDIE supports passwordless sign-in via a time-limited, single-use email code as an alternative to a stored password.
- SSO/SAML: Enterprise plans support SAML-based single sign-on with the customer’s own identity provider, centralizing onboarding and offboarding.
- Role-based access control (RBAC): permissions within an organization (who can upload firmware, view results, manage users, or export reports) are governed by role, not left to ad hoc access.
- Multi-tenant isolation: every firmware image, analysis result, and report is scoped to the owning organization at the database layer. FDIE’s data model enforces this isolation on every query: one organization’s data is never visible to another.
4. Application Security
- CSRF protection: state-changing requests are protected using a double-submit token pattern.
- Secure defaults in production: the platform refuses to start in a production configuration with a weak or default signing secret, rather than silently running with reduced security.
- Audit logging: sensitive actions (uploads, exports, user and role changes, authentication events) are recorded in an audit log available to organization administrators.
5. Analysis Engine Integrity
- FDIE’s analysis engine performs deterministic, rule-based static analysis. It does not use generative AI or machine learning to produce findings, and Customer Data is never used to train any model.
- Analysis results are reproducible: the same firmware image analyzed twice produces identical findings, and every finding traces back to a specific binary, string, or configuration value a customer can independently verify.
6. On-Prem Deployment Security
On-Prem Enterprise deployments run entirely within infrastructure the customer controls. License activation uses an offline, Ed25519-signed license file (see Terms of Service Section 9); no firmware or analysis data leaves customer infrastructure as part of the licensing mechanism itself.
7. Availability and Resilience
Availability commitments for SaaS deployments are described in Terms of Service Section 11 and, for Enterprise customers, in the applicable Order Form.
8. Certifications and Audits
Our current certification status is published on our Security and Trust page and updated as it changes. Where a formal certification is not yet complete, we describe our actual controls here and on that page rather than implying a certification we do not hold.
9. Vulnerability Reporting
We welcome reports from security researchers. See our Security and Trust page for our responsible disclosure contact and process.
10. Changes to This Addendum
We may update this Addendum as our security architecture evolves. Material changes will be communicated the same way as changes to our Terms of Service.