Cyber Security
No scanning • No agents • No credentials

Security by design. Minimal by intention.

VendorFox delivers lifecycle, firmware and advisory intelligence without network access, scanning, agents or credentials. We are intentionally designed to operate outside your production environment — keeping the risk profile deliberately low.

Last updated: 21 February 2026

No network access
No credential storage
Account isolation
Encrypted data

Interaction model

How VendorFox interacts with your environment

VendorFox operates outside your infrastructure. You provide device metadata (manually or via approved integrations), and VendorFox maps that to official vendor lifecycle notices, firmware guidance and security advisories.

What we do not do

  • Connect to customer networks
  • Scan devices
  • Execute code remotely
  • Collect live telemetry
  • Require credentials

What we do

  • Interpret vendor lifecycle and support policies
  • Provide firmware guidance and upgrade paths
  • Filter vendor advisories to what applies

No direct infrastructure access

Diagram showing how VendorFox operates outside customer infrastructure using device metadata and vendor intelligence sources, without scanning, agents, credentials, or inbound access.

Data boundaries

What we store — and what we never store

Data stored

  • Device model identifiers
  • Firmware versions (as provided)
  • Quantities
  • Customer-defined tags and metadata
  • User account details (name, email, role)

Data never stored

  • Credentials or secrets
  • Device configurations
  • IP addresses or subnets
  • Network topology or diagrams
  • Physical site locations
  • Live telemetry or monitoring feeds

Key point

VendorFox cannot access or control customer infrastructure. The platform is designed to deliver value without operational entry points.

Platform security

Security and isolation

VendorFox is a logically multi-tenant platform with strict account isolation. Users can only access data associated with their authenticated account.

Access control

Authenticated access with role-based permissions and account-scoped enforcement.

Tenant separation

Backend enforcement prevents cross-account access and unauthorised queries.

Encryption

Data is encrypted in transit (TLS) and encrypted at rest within managed cloud infrastructure.

VendorFox is hosted within a managed cloud environment operated by a globally recognised provider maintaining internationally recognised security certifications (including ISO 27001). Specific infrastructure details are not publicly disclosed for security reasons.

AI transparency

AI data handling

VendorFox uses AI to interpret vendor lifecycle notices, firmware guidance and security advisories. Processing is controlled and account-scoped.

Account-scoped processing

  • Only the minimum required metadata is processed
  • Processing is limited to the originating account
  • Responses are stored only within that account

No training on customer data

VendorFox does not share customer data between accounts and does not monetise customer data. AI providers do not use VendorFox customer data to train public models.

Risk containment

If VendorFox were compromised

No system can claim absolute immunity from compromise. VendorFox is intentionally designed so compromise does not create operational entry points into customer infrastructure.

What an attacker would not gain

  • Network access
  • Credentials or secrets
  • Device configurations
  • IP addressing or topology
  • Infrastructure control

What may be exposed

Stored metadata only: model identifiers, firmware versions, quantities and customer-defined tags. This enables lifecycle and advisory intelligence, but does not provide operational access.

Responsible disclosure

Report a security concern

If you believe you’ve identified a vulnerability, we welcome responsible disclosure. Please email our security contact with details and steps to reproduce where possible.

support@vendorfox.ai

Coordinated disclosure