Our security, compliance, and data practices
We sell security, so our own security has to be right. This page is the documentation enterprise procurement teams ask for: our practices, roadmap, subprocessors, and policies.
How we secure the engagement
Identity & Access
- SSO via Google Workspace for internal tools
- MFA on every account; hardware keys for the highest-risk accounts
- Principle of least privilege; access scoped to the engagement that needs it
- Periodic access review aligned to engagement boundaries
Data Protection
- Full-disk encryption on every workstation (FileVault / LUKS / BitLocker)
- TLS 1.2+ for all transmission; TLS 1.3 where the endpoint supports it
- Client engagement data isolated per client; tokens stored in an encrypted vault
- Retention scoped to the engagement plus the audit requirement; secure deletion at engagement close
Endpoint Security
- Modern EDR with cloud management plane (Microsoft Defender for Endpoint baseline)
- Disk encryption mandatory on every workstation
- Host-based firewall enabled by default
- Operating system and security patches applied within 30 days of release
- Documented lost/stolen device procedure with remote wipe
Network Security
- Cloudflare Zero Trust for production resource access
- Encrypted DNS on all endpoints
- Segmented testing environment for active engagement work
- Per-client folder + token isolation; client data not commingled
Application Security
- Website hosted on Vercel (SOC 2 Type II, ISO 27001)
- CSP, HSTS, COOP, COEP headers enforced via middleware
- Rate limiting on all public forms
- Cloudflare Turnstile bot mitigation on lead-intake forms
- Dependabot + SCA scanning in CI; dependencies pinned
Incident Response
- Documented incident response plan covering engagement-affecting incidents
- 24-hour notification commitment to clients for incidents touching their data
- Documented escalation tree to legal counsel and breach-notification counsel
- Coordination with established IR firms for incidents beyond Valtik's scope
Current posture and upcoming certifications
We are honest about our certification status. The roadmap below shows what is in place today and what is scheduled. If you require certification before engaging, the timeline below is what you need to know.
| Item | Status |
|---|---|
| CT LLC registration and good standing | Connecticut business entity in good standing |
| SOC 2 Type II | Readiness in progress; Type I targeted for late 2026 |
| Cyber insurance (E&O + Cyber Liability) | Scoped procurement for 2026; engagement-specific coverage arranged per SOW until policy is in force |
| ISO 27001:2022 | Planned for 2027 alongside SOC 2 Type II |
| CMMC 2.0 Level 2 | For DoD-facing engagements; scoped 2027 |
Vendors with access to engagement data
Vendors we use that may process client data or engagement metadata. All have SOC 2 Type II and/or ISO 27001 certification. Changes to this list are communicated to active clients with 30 days' notice.
| Vendor | Purpose | Certification |
|---|---|---|
| Google Workspace | Email, calendar, document storage | SOC 2, ISO 27001, ISO 27017/18, FedRAMP |
| Vercel | Website hosting | SOC 2 Type II, ISO 27001 |
| Cloudflare | DNS, DDoS protection, Zero Trust access | SOC 2, ISO 27001, FedRAMP |
| GitHub | Source code hosting for website | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email delivery | SOC 2 Type II |
| Stripe | Payment processing | PCI DSS Level 1, SOC 2, ISO 27001 |
| 1Password | Secrets and password management | SOC 2 Type II, ISO 27001 |
| Signal | Out-of-band engagement communication | Open source, E2EE |
Found a security issue in our website?
We maintain a published security.txt at /.well-known/security.txt with current contact information.
Researchers acting in good faith following our policy are protected from legal action. We aim to acknowledge reports within 48 hours, triage within 5 business days, and remediate critical issues within 7 days.
In scope
- valtikstudios.com and subdomains
- Valtik-hosted infrastructure (not subprocessor infrastructure)
Out of scope
- Denial of service attacks
- Social engineering of employees
- Physical attacks
- Subprocessor infrastructure (report directly to the vendor)
Documents available under NDA
Full policy documents are available to prospects and active clients under NDA. Request via the free-check form with a note on what you need.
Need a vendor security questionnaire completed?
Request the questionnaire response from the free-check form. Include your due date. We typically return completed questionnaires within 2 business days.
