Our security, compliance, and data practices
We sell security, so our own security has to be right. This page is the documentation enterprise procurement teams ask for: our practices, roadmap, subprocessors, and policies.
How we secure the engagement
Identity & Access
- SSO required for all internal tools via Google Workspace
- Phishing-resistant MFA (FIDO2 hardware keys) on all privileged accounts
- Principle of least privilege across all systems
- Quarterly access reviews
- Just-in-time access for sensitive operations
Data Protection
- Encryption at rest on all workstations (FileVault, LUKS)
- TLS 1.3 for all transmission
- Client engagement data encrypted with customer-specific keys
- Data retained only for the engagement lifecycle plus the applicable audit-retention period
- Secure deletion at engagement close
Endpoint Security
- EDR (CrowdStrike Falcon) on all workstations
- Disk encryption mandatory
- Host-based firewall enabled
- Operating system and software patches within 30 days of release
- Lost/stolen device procedure with remote wipe capability
Network Security
- ZTNA via Cloudflare Access for all production access
- No traditional VPN; identity-aware proxy only
- DNS filtering (Control D) on all endpoints
- Segmented testing networks for engagement work
- Dedicated isolated infrastructure for each client
Application Security
- Website hosted on Vercel (SOC 2 Type II, ISO 27001)
- CSP, COOP, COEP, HSTS headers enforced
- Rate limiting on all public forms
- Turnstile CAPTCHA on free-check form
- Dependabot and SCA scanning in CI
Incident Response
- Documented incident response plan
- 24-hour notification to clients for incidents affecting engagement data
- Annual tabletop exercise
- External forensics firm on retainer
- Cyber insurance coverage in force
Current posture and upcoming certifications
We are transparent about our certification status. The roadmap below shows what is in place today and what is scheduled. If you require a certification before engaging us, the timeline below shows when each is expected.
| Item | Status |
|---|---|
| CT LLC registration and good standing | Connecticut business entity in good standing |
| Cyber insurance (E&O + Cyber Liability) | Professional liability and cyber coverage in force |
| SOC 2 Type II | Readiness in progress; Type I targeted for late 2026 |
| ISO 27001:2022 | Planned for 2027 alongside SOC 2 Type II |
| CMMC 2.0 Level 2 | For DoD-facing engagements; scoped 2027 |
Vendors with access to engagement data
Vendors we use that may process client data or engagement metadata. All have SOC 2 Type II and/or ISO 27001 certification. Changes to this list are communicated to active clients with 30 days' notice.
| Vendor | Purpose | Certification |
|---|---|---|
| Google Workspace | Email, calendar, document storage | SOC 2, ISO 27001, ISO 27017/18, FedRAMP |
| Vercel | Website hosting | SOC 2 Type II, ISO 27001 |
| Cloudflare | DNS, DDoS protection, Zero Trust access | SOC 2, ISO 27001, FedRAMP |
| GitHub | Source code hosting for website | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email delivery | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1, SOC 2, ISO 27001 |
| 1Password | Secrets and password management | SOC 2 Type II, ISO 27001 |
| Signal | Out-of-band engagement communication | Open source, E2EE |
Found a security issue in our website?
We maintain a published security.txt at /.well-known/security.txt with current contact information.
Researchers acting in good faith and within this policy are protected from legal action. We aim to acknowledge reports within 48 hours, triage within 5 business days, and remediate critical issues within 7 days.
In scope:
- valtikstudios.com and subdomains
- Valtik-hosted infrastructure (not subprocessor infrastructure)

Out of scope:
- Denial of service attacks
- Social engineering of employees
- Physical attacks
- Subprocessor infrastructure (report directly to the vendor)
Documents available under NDA
Full policy documents are available to prospects and active clients under NDA. Request via the free-check form with a note on what you need.
Need a vendor security questionnaire completed?
Request the questionnaire response from the free-check form. Include your due date. We typically return completed questionnaires within 2 business days.
