How we protect what you hand us.

• MFA required for all operators.
• SSO via [Okta / Google Workspace / Azure AD — FILL IN].
• Least-privilege principle: each operator accesses only the accounts and permissions required for their scope.
• Just-in-time or time-bound access where the client's platform supports it.
• Access reviews documented [monthly / quarterly — FILL IN].

• Client cloud accounts, SaaS tools, banking, and documents always remain under client ownership.
• We operate inside your tenancy, not ours, and do not store copies.
• For internal artifacts (notes, runbooks, monthly reports): [tool name — FILL IN], encrypted at rest with [encryption standard — FILL IN].

• Background checks before any client access is granted.
• NDA signed by all team members.
• Access revoked within [X — FILL IN] hours of any team member departure.
• Recurring security training for all operators.

• Two-person review for high-impact changes: production environments, financial transactions above a set threshold, and contract signing.
• Audit logs and traceability maintained in client-native logs.
• Documented incident response runbook with notification SLA.

"We operate to SOC 2 Type II principles today, with formal certification targeted for [Q2 2027 — FILL IN]."

We already follow SOC 2 Type II controls across access management, availability, and confidentiality. Formal third-party certification is on our roadmap. We're happy to share our control details under NDA with any prospect or client that requires it.