SOC 2 Type II
Security, availability & confidentiality
Home / Trust & Security
We ask clients to trust us with their most sensitive systems. We earn it by holding our own operation to the same standard we hold theirs — and by being transparent about how we do it.
// COMPLIANCE
Independent attestations and reports are available to clients and prospects under NDA.
Security, availability & confidentiality
Information security management
Cardholder-data environments
Data protection by design
// HOW WE OPERATE
Client data is encrypted in transit and at rest. Findings are exchanged only through our hardened, access-controlled portal.
Access to engagement data is role-scoped, time-boxed, MFA-protected, and fully audit-logged.
Every consultant is background-checked, under strict confidentiality obligations, and trained in safe handling of sensitive data.
We run a hardened, monitored internal estate and apply the same secure-SDLC discipline to our own tooling.
We collect only what an engagement requires, and securely destroy client data on an agreed schedule after delivery.
A documented, tested IR plan governs how we detect, contain, and communicate in the unlikely event of a security event.
// YOUR DATA
Engagement data is processed in the region you choose — the United States, Australia, or Singapore — and never leaves it without your written agreement.
We maintain a current list of subprocessors and will notify you of material changes. After delivery and any agreed retention window, client data is cryptographically destroyed and a certificate of destruction is available on request.
Questions about our practices, or need our latest reports? Email [email protected] or review our security.txt.
Send us your security questionnaire or request our SOC 2 report, pen-test attestation, and subprocessor list — we will turn it around fast.