Security
Security is the business at SEC.co. This page describes how we protect our own organization, our infrastructure, and the client data entrusted to us — and how to reach us with a security concern. We hold ourselves to the standard we set for the clients we defend.
01 Our Security Commitment
Security is not a department at SEC.co — it is the business. We hold ourselves to the standard we set for clients, and we treat the data entrusted to us as we would defend our own most sensitive systems. This page describes the safeguards that protect our organization, our infrastructure, and client data we handle in the course of delivering the Services.
Our program is aligned to recognized frameworks including the NIST Cybersecurity Framework, NIST SP 800-53, and ISO/IEC 27001, and is designed to satisfy the requirements of SOC 2 and the regulated industries we serve.
02 Governance & Personnel
- Senior, vetted personnel. Our practitioners are experienced professionals. All personnel undergo background screening consistent with applicable law prior to engagement, and where client contracts or regulations require it, we staff engagements with U.S. citizens working from the United States.
- Security training. All personnel complete security and privacy awareness training at onboarding and at least annually, with additional role-specific training for engineers and incident responders.
- Confidentiality obligations. All personnel and contractors are bound by written confidentiality and acceptable-use agreements.
- Defined ownership. Security policies, risk management, and the incident-response program are owned by named leadership and reviewed on a recurring cadence.
03 Access Control
- Least privilege. Access to systems and client data is granted on a need-to-know basis, scoped to the specific engagement, and revoked promptly upon role change or departure.
- Multi-factor authentication. MFA is enforced on all internal systems, administrative interfaces, and remote access. Hardware-backed or phishing-resistant authenticators are used for privileged access.
- Privileged access management. Administrative access is restricted, logged, and subject to just-in-time elevation and review where appropriate.
- Periodic access reviews. Access rights are reviewed on a recurring basis and after material organizational or engagement changes.
04 Data Protection & Encryption
- Encryption in transit. Data transmitted to and from our systems and the Site is encrypted using current TLS standards.
- Encryption at rest. Data at rest is encrypted using strong, industry-standard algorithms, with key management following least-privilege and separation-of-duties principles.
- Data minimization. We collect and retain only the data necessary to deliver the Services, and we segregate client data by engagement.
- Secure disposal. When data is no longer required, it is securely deleted or rendered unrecoverable in accordance with our retention schedule and contractual obligations.
05 Infrastructure & Network Security
- Hardened, segmented infrastructure. Production systems are segmented from corporate systems, and network access is controlled by default-deny firewalling.
- Endpoint protection. All endpoints run managed endpoint detection and response (EDR) with centralized monitoring.
- Vulnerability management. We scan, prioritize, and remediate vulnerabilities across our systems on a continuous basis and subject our own environment to periodic independent testing.
- Secure development. Code changes follow review and change-management practices, with dependency and secrets scanning integrated into our pipelines.
06 Monitoring & Detection
We operate continuous monitoring across our endpoints, identity providers, cloud infrastructure, and network, with centralized logging and alerting. Detections are triaged by senior analysts, and we conduct proactive threat hunting informed by current intelligence. Logs are retained in accordance with our policies and applicable contractual and regulatory requirements.
07 Incident Response
We maintain a documented incident-response plan with defined roles, severity classification, escalation paths, and communication procedures, and we exercise it regularly. In the event of a security incident affecting client data, we will respond in accordance with our incident-response plan and the notification obligations set out in the applicable client agreement and Data Processing Addendum, and as required by law. Clients with an incident-response retainer receive the response service levels defined in their engagement.
08 Resilience & Business Continuity
We maintain backup, disaster-recovery, and business-continuity practices designed to preserve the availability and integrity of critical systems and data. Backups are encrypted, access-controlled, and periodically tested for restorability. Our 24/7 security operations are designed for continuity across personnel, shifts, and locations.
09 Compliance & Independent Assurance
Our program is designed and operated to meet the expectations of the frameworks and regulations relevant to our clients, including SOC 2, ISO/IEC 27001, HIPAA, PCI DSS, CMMC, and NIST 800-171. We undergo independent assessment as appropriate and can provide relevant attestations or summaries to clients and prospects under NDA.
To request our current security documentation or attestations, or to complete a vendor security review, contact security@sec.co.
10 Sub-Processors & Vendor Management
We carefully select and assess the third-party providers that support our operations, binding them to contractual confidentiality and data-protection obligations and monitoring them on a risk-tiered basis. Where we process client personal data, our use of sub-processors is governed by the applicable Data Processing Addendum, including any notice and objection rights set out there.
11 Reporting a Security Concern
If you believe you have found a security vulnerability in our Site or systems, we want to hear from you. Please review and follow our Responsible Disclosure Policy, which describes how to report safely and the protections we extend to good-faith researchers.
Contact
Security questions, documentation requests, and vendor security reviews: security@sec.co. Suspected vulnerabilities: please follow our Responsible Disclosure Policy.