How we protect your data.
Short version: we treat your data the way we treat our own. We encrypt everything, log every access, restrict access to a need-to-know basis, and document our process. The long version is below. If your procurement team has specific questions, contact us; we will respond within 1 business day.
Our security architecture, in plain English.
Encryption at rest and in transit
All client data is encrypted at rest (AES-256) on managed cloud storage and in transit (TLS 1.3) across every endpoint. Database connections are encrypted end-to-end.
Least-privilege access
Team members are granted access only to the clients and systems they actively work on. Access is revoked within 24 hours of a project ending. Two-factor authentication is required on every internal system.
Audit logging
Every read, write, and configuration change on client systems is logged with timestamp, actor, and action. Logs are retained for 12 months and available on request.
Vendor and subprocessor governance
We use a small, vetted set of subprocessors (OpenAI, Anthropic, Google AI, Twilio, GoHighLevel, Stripe, AWS, Cloudflare). Each is reviewed annually. Full list available in our DPA.
Incident response
Documented incident response process: detection within 1 hour, containment within 4 hours, customer notification within 24 hours for any breach involving client data.
Backups and recovery
Daily encrypted backups with 30-day retention. RPO 24 hours, RTO 8 hours. Tested quarterly.
Where we are against each standard.
| Standard | Status | Details |
|---|---|---|
| GDPR | Ready | Data Processing Agreement available on every paid engagement. Subject access requests honoured within 30 days. EU data residency available. |
| CCPA / CPRA | Ready | California consumer rights honoured. Right to know, delete, and opt-out of sale supported. |
| HIPAA | BAA available | For healthcare clients we sign a Business Associate Agreement and architect for HIPAA-aligned data handling. |
| SOC 2 Type II | Roadmap | Currently in readiness program. Targeting initial Type I report Q4 2026 and Type II report Q3 2027. |
| PIPEDA | Aware | For Canadian clients we follow PIPEDA principles and can route data through Canadian-resident infrastructure on request. |
| UK GDPR / ICO | Ready | Aligned with UK Information Commissioner's Office guidance. DPA covers UK-specific requirements. |
What we actually do, every week.
Annual security review of internal systems and processes
Mandatory quarterly security training for all team members
Penetration testing performed on production systems annually
No production data used in development or testing environments
Customer data never used to train AI models without explicit written consent
Requests for data export and deletion fulfilled within 30 days of request
Procurement team has questions?
Send us your security questionnaire. We respond with a complete answer set in 1 business day. We have answered hundreds of these. Yours will not be the hardest.