How we operate.
Our engagements are confidential by default. The infrastructure below is the public-facing surface of how we run the firm.
Engineering & operational
All engagement artifacts are encrypted at rest and in transit. Source repositories are private by default; access follows the principle of least privilege, with hardware-backed MFA. Production deployment is segregated from engagement code.
Engagement defaults
Every engagement is governed by a mutual NDA before any sensitive material is exchanged. We do not publish customer names. Reference conversations are arranged firm-to-firm under written permission only.
Roadmap
SOC 2 Type II and ISO 27001 readiness assessments are in scope for the firm's second year. GDPR-aligned data-processing agreements are available on request for EU-domiciled engagements.
Infrastructure providers.
Listed in the order they touch the firm's data. None of these providers ever receive client engagement artifacts.
| Provider | Purpose | Region |
|---|---|---|
| Vercel | Static site hosting + edge compute | Global |
| Resend | Briefing-request notifications | EU / US |
| Cloudflare | DNS, WAF, network security | Global |
| GitHub | Source control | US |
Reporting a vulnerability.
Suspected security issues in our public website or in any open artifact we publish should be reported to [email protected]. Our PGP key fingerprint and acknowledgement policy will be published with the firm's first formal security advisory.