Our Security Program

• MFA by default; device and data encryption; endpoint protection/EDR.
• Role-based access reviews; patching and vulnerability management.
• Secure backups and change control; vendor risk reviews and DPAs as applicable.
• Staff security training and annual policy reviews.

Incident Response

Written IR plan with defined roles and escalation paths.

• Detection → triage → containment → forensics → remediation → recovery.
• Notify affected clients and relevant parties within 24 hours of a confirmed incident (or faster if required).
• Coordinate with sub-processors and deliver a post-incident report with corrective actions.

Data Protection & Privacy

• Data identification/classification and retention policies.
• Encryption in transit/at rest; audit logging; secrets management.
• Mobile device management for corporate endpoints.

Compliance & Commitments

• SOC 2: Not currently certified; aligned to best practices.
• CDI/CUI: Plan to be capable via a segregated, NIST SP 800-171/CMMC-aligned enclave when required.
• Responsible AI & Accessibility: Plain-language UX, multilingual options, ADA/Section 508 considerations.
• Supplier Diversity: See our Supplier Diversity & Sustainability page.

Subprocessors & Data Location

We minimize third-party access. A current list of subprocessors and data-location details is available upon request under NDA.