Security at Foundry Cyber
Last updated 20 May 2026
Short version. We hold ourselves to the same standards we hold our customers to. UK data residency. Read-only access by default. Named-identity engineers. No shared passwords, no agents on customer laptops, no training AI on customer data. This page tells you exactly what we do, what we don't (yet) claim, and how to reach us if you find a vulnerability.
Frameworks we align to
We use the same control frameworks we render reports against for customers. We treat them as how-to documents, not certificates to collect:
- NIST Cybersecurity Framework (CSF) 2.0: the structural backbone for how we think about identify / protect / detect / respond / recover.
- NCSC Cyber Assessment Framework (CAF): the UK government framework we map governance and resilience to.
- NIST SP 800-53 Rev. 5: the control catalogue we reference when something needs more depth than CSF alone provides.
- Cyber Essentials: the UK baseline we expect every supplier to clear.
We are not currently Cyber Essentials Plus, ISO 27001 or SOC 2 certified. We are working toward Cyber Essentials Plus certification in 2026. We will say so on this page when we have the certificate in hand, not before.
Where customer data lives
- Findings, reports, and audit evidence live on our portal infrastructure, which runs in Microsoft Azure UK South and West Europe regions only.
- Where we can store evidence in your own cloud (SharePoint for Microsoft customers, Google Drive for Google Workspace customers), we do, so the canonical copy never leaves your control.
- Foundry Cyber is UK-headquartered. Data stays within UK and EEA regions and does not leave those regions without your explicit consent. Customers requiring portal data residency in other jurisdictions (US, APAC, Middle East) should raise this in initial conversations. Multi-region portal infrastructure is on our roadmap, but we won't claim residency capabilities we can't honour today.
- Data at rest is encrypted using platform-managed keys (Azure Storage Service Encryption). Data in transit is TLS 1.2 or higher.
- We do not share customer data with third parties for marketing. We do not train AI models on customer data.
How we connect to your environment
- Read-only by default. Every assessment starts with the minimum permission needed to read configuration. Write access is the exception, scoped per remediation engagement, and time-bound.
- No shared passwords. We do not ask for admin credentials. We do not create shared accounts. We do not bypass your MFA. We use each cloud's own pattern for managed service providers: Azure Lighthouse, AWS cross-account roles, GCP service accounts, Google Workspace domain-wide delegation.
- Named identities only. Every Foundry Cyber engineer who touches your environment does so under a personal, attributable identity in our tenant, not a shared service account. Every action is auditable to a person.
- No agents on your laptops. There is nothing for you to install. The whole assessment runs against cloud control planes.
- One-click revocation. You remove our access from your own admin console, on your own timeline, no awkward exit process required.
How we secure ourselves
We don't publish specific product names, versions, or policy details about our own internal stack. That information benefits attackers more than it informs customers. The high-level claims below are what we hold ourselves to. We're happy to walk through specifics under NDA with prospects who need that depth.
- Identity: Phishing-resistant MFA across all staff. Conditional access policies enforce geographic and device-compliance restrictions for administrative actions.
- Endpoints: All staff devices are centrally managed, fully encrypted, and enrolled in continuous endpoint detection and response.
- Secrets: Production secrets are held in cloud-native key management with managed-identity access. No long-lived credentials are checked into source control. Automated dependency scanning and pre-commit checks catch leaks early.
- Code: All code goes through pull-request review. Dependencies are continuously scanned for known vulnerabilities. Production deploys are CI-gated.
- Backups: Customer findings and evidence are geo-redundantly backed up within UK and EEA regions, retention-tiered by customer plan, and tested annually.
- Logging: First-party observability on portal and marketing site usage only. No third-party trackers, no advertising pixels, no behavioural analytics outside our own infrastructure.
Reporting a vulnerability
If you believe you've found a security issue affecting Foundry Cyber, our portal, or our marketing site, please tell us. We respond quickly and we will not take action against good-faith researchers.
How to reach us
- Email security@foundrycyber.com.
- Or use the contact form at foundrycyber.com/contact and write "security" in the subject.
What to include
- The affected URL, service, or component.
- A description of the issue and its impact.
- Reproduction steps. A proof of concept if you have one.
- Your preferred contact method for follow-up.
What to expect
- Acknowledgement within one business day.
- Initial assessment within five business days.
- Status updates while we triage and remediate.
- Credit in our advisory if you would like it.
What we ask of you
- Don't access, modify or destroy data that isn't yours.
- Don't run automated scans against production at a rate that would degrade service for our customers.
- Don't social-engineer staff or customers.
- Give us a reasonable window to fix before public disclosure. 90 days is our default; we'll be transparent if we need longer.
Incident response
We maintain an incident response plan that covers detection, containment, eradication, recovery, and post-incident review. If an incident materially affects your data, we will:
- Tell you, in plain English, what happened and what we know.
- Tell you what we're doing about it and what (if anything) we need from you.
- Notify any applicable regulator within their required timeframe (for UK data, that's the ICO within 72 hours of becoming aware of a notifiable personal data breach).
- Publish a public post-incident review once the issue is resolved.
Subprocessors
We use a small number of subprocessors to deliver the service. The current list, and what each one does, is available on request from hello@foundrycyber.com. A public subprocessors page is on our 2026 roadmap.
Disclosure file
Our machine-readable disclosure policy lives at /.well-known/security.txt, following RFC 9116.
Review
This page is reviewed at least quarterly and whenever there is a material change in how we operate. Last reviewed: 20 May 2026.
Contact
For security questions: security@foundrycyber.com.
For everything else: hello@foundrycyber.com.