CORPORATE SECURITY POLICIES

How we keep things secure and running smoothly.

Acceptable Use

Don't be a jerk. Don't break the law.

Access Control

You get access if you need it, nothing more. We review this regularly. Authentication requires a physical security key—no exceptions.

Artificial Intelligence

We use AI heavily, but we do not allow your data to be used to train models.

Business Continuity & Backups

If disaster strikes, we've got tested backups ready to restore critical systems. We're a single-person company, so communication is simple. Worst case? We're licensed ham radio operators.

Change Management

Every production change is documented. All code and config changes are reviewed before going live. Dev stays separate from production.

Compliance

We're working towards SOC 2 and GDPR compliance with annual third-party audits. Issues get tracked and fixed on schedule.

Data Lifecycle

Everything's encrypted at rest and in transit. The only customer data we store is for caching, with a maximum TTL of 28 days.

Incident Response

Something breaks? We fix it fast, and if it's critical we notify customers within 24 hours. Security incidents get the same treatment.

Physical Assets

We track every device. Full disk encryption on everything. When retiring devices, we destroy all data using NIST SP 800-88 compliant techniques.

Risk Management

We conduct yearly risk assessments to spot threats and build long-term mitigation plans.

Security Operations

We typically avoid maintaining our own operating system stacks, but when we must, we keep our environments patched, firewalled, and monitored. Critical patches are applied within 8 hours.

Vendor Management

We avoid third-party vendors when possible. The ones we use face rigorous yearly security reviews. Currently, we only trust:

  • Google Cloud: Cloud Run, Cloud Logging, and Drive
  • GitHub: Source code