Home / Trust & Security

Security we practice,
not just preach.

We ask clients to trust us with their most sensitive systems. We earn it by holding our own operation to the same standard we hold theirs — and by being transparent about how we do it.

// COMPLIANCE

Standards we operate to.

Independent attestations and reports are available to clients and prospects under NDA.

SOC2

SOC 2 Type II

Security, availability & confidentiality

ISO

ISO/IEC 27001

Information security management

PCI

PCI DSS

Cardholder-data environments

GDPR

GDPR & Privacy

Data protection by design

// HOW WE OPERATE

Security practices.

Encryption everywhere

Client data is encrypted in transit and at rest. Findings are exchanged only through our hardened, access-controlled portal.

Least privilege

Access to engagement data is role-scoped, time-boxed, MFA-protected, and fully audit-logged.

Vetted personnel

Every consultant is background-checked, under strict confidentiality obligations, and trained in safe handling of sensitive data.

Secure by default

We run a hardened, monitored internal estate and apply the same secure-SDLC discipline to our own tooling.

Data minimization & retention

We collect only what an engagement requires, and securely destroy client data on an agreed schedule after delivery.

Incident response

A documented, tested IR plan governs how we detect, contain, and communicate in the unlikely event of a security event.

// YOUR DATA

Where your data lives, and for how long.

Engagement data is processed in the region you choose — the United States, Australia, or Singapore — and never leaves it without your written agreement.

We maintain a current list of subprocessors and will notify you of material changes. After delivery and any agreed retention window, client data is cryptographically destroyed and a certificate of destruction is available on request.

Questions about our practices, or need our latest reports? Email [email protected] or review our security.txt.

Due diligence made easy.

Send us your security questionnaire or request our SOC 2 report, pen-test attestation, and subprocessor list — we will turn it around fast.