01 Security philosophy
Security is a property of the system, not a feature bolted on late. We design every engagement to (a) minimize the data collected, (b) limit who can see it, (c) encrypt it in transit and at rest, (d) log who touched it, and (e) be able to delete it on request without breaking anything else.
We align our controls with the trust services criteria of SOC 2 (Security, Availability, Confidentiality), the ISO/IEC 27001 Annex A control set, NIST SP 800-53 Rev. 5 (Low-Moderate baseline), the CIS Critical Security Controls v8 IG1/IG2, and the technical and organizational measures required by GDPR Article 32.
02 Data protection
Encryption
- In transit. TLS 1.3 (with TLS 1.2 fallback) for all client and admin traffic. HSTS is preloaded for velvetstormseo.com. All admin endpoints reject plaintext HTTP at the edge.
- At rest. AES-256-GCM for client data in databases, object storage, and backups. Disk-level encryption on every workstation, enforced by MDM.
- Email. TLS where the recipient supports it. Sensitive material is shared via end-to-end-encrypted channels.
Data minimization & segregation
- We collect the minimum personal data needed for the named purpose. The categories and purposes are listed in our Privacy Policy.
- Each client engagement is stored in a separate logical workspace. No cross-client data sharing without written instruction.
Backups
- Production data is backed up encrypted, off-site, with a 30-day rolling retention.
- Backup restorability is tested at least quarterly.
03 Access control & identity
- Least privilege. Access to client data is granted only to staff assigned to that engagement, and only at the level needed (read, write, or admin).
- Unique credentials. Shared accounts are forbidden. Every staff account is unique on every system.
- Multi-factor authentication. Hardware security keys (FIDO2 / WebAuthn) are required on every vendor, hosting, and email account. SMS-based 2FA is not permitted for staff.
- Password hygiene. Credentials are generated and stored in a zero-knowledge password manager. Minimum 16 characters, unique per account, rotated on suspicion of compromise.
- Onboarding/offboarding. Access is provisioned from a single source of truth and revoked within four business hours of role change or termination.
- Periodic review. Permissions are reviewed quarterly. Stale accounts are removed.
04 Secure development lifecycle
- Source code lives in private Git repositories with signed-commit enforcement and branch protection. No force-push to protected branches.
- Code review by a second engineer is required for every change merged to production.
- Static analysis & secret scanning run on every pull request. Pre-commit hooks block accidental commits of API keys, tokens, and certificates.
- Dependency management. Software dependencies are monitored daily for known CVEs via automated advisory feeds. Critical and high-severity vulnerabilities are patched within seven days; medium within 30.
- Production secrets are stored exclusively in encrypted environment variables managed by our hosting providers (Vercel, Cloudflare). They are never committed to source control.
- Deployment. Production deploys go through immutable, reproducible builds. Rollback is one-click.
05 Infrastructure & network
We operate on managed cloud infrastructure rather than self-hosted servers, so we inherit the strong physical and network security of best-in-class providers and focus our attention on the application layer.
- Web hosting: Vercel (SOC 2 Type II, ISO/IEC 27001).
- DNS / CDN / WAF: Cloudflare (SOC 2 Type II, ISO/IEC 27001/27017/27018, PCI-DSS).
- Payments: Stripe (PCI-DSS Level 1, SOC 1 & SOC 2 Type II).
- Email: Fastmail (ISO/IEC 27001, SOC 2).
We do not maintain any on-premise servers. Cloudflare's WAF blocks common attack patterns (OWASP Top 10) before requests reach our application. Rate limiting and bot management are enabled by default.
06 Monitoring, logging & auditing
- Application and server access logs are collected and reviewed for anomalies.
- Authentication events (sign-in, password change, MFA reset) are logged and retained for 12 months.
- Alerts fire on unusual activity (impossible-travel logins, high-volume API errors, sustained 5xx).
- Quarterly internal review of access logs, permission grants, and vendor list.
07 Incident response
We maintain a written incident-response playbook covering detection, containment, eradication, recovery, and post-incident review. The first responder is whoever detects the incident; escalation to the designated security lead happens within one hour.
Breach notification timelines
- GDPR (Art. 33–34): notification to the competent supervisory authority within 72 hours of becoming aware of a personal-data breach likely to result in a risk to rights and freedoms; notification to affected individuals without undue delay if the risk is high.
- US state laws: we will notify affected residents in accordance with the applicable state breach-law timeline (typically 30–60 days), and notify state attorneys general where required.
- Active clients: we will notify the named client contact in writing within 24 hours of any incident involving their data, regardless of whether external notification is required.
08 Vendor & sub-processor management
Every sub-processor with access to client personal data is bound by a written data-processing agreement (or equivalent contract). We review the security posture of each before onboarding and on a recurring basis.
The current list of sub-processors is published in our Privacy Policy. Active clients receive 14 days' advance notice of any material change to that list.
09 People & training
- Background checks for new contractors handling client data, where lawful.
- Confidentiality and security obligations in every contractor agreement.
- Annual security and privacy refresher training, including phishing-recognition exercises.
- Clean-desk policy. Workstations auto-lock after five minutes idle. Disk encryption mandatory.
10 Coordinated vulnerability disclosure
If you believe you have found a security vulnerability in velvetstormseo.com or any deliverable we built, please tell us before going public.
Out of scope
- Findings from automated scanners without manual validation.
- Social engineering, physical attacks, or denial-of-service testing.
- Issues in third-party services we use but do not control.
- Self-XSS, missing best-practice security headers without a concrete exploit, and clickjacking on pages without sensitive actions.
11 Certifications & audits
We are a small studio and do not currently hold our own SOC 2 or ISO/IEC 27001 attestation. Where our work supports clients with regulated workloads, we will adopt the additional controls necessary to meet their auditor's requirements and provide evidence on request.
Each of our core infrastructure providers is independently audited — see Section 5 for details. Their current audit reports are available on request, subject to NDA.
12 Contact
Security questions or reports:
Velvet Storm LLC
Attn: Security
1343 Bowman Ave
Sheridan, WY 82801
security@velvetstormseo.com
Effective date: January 14, 2026. Last updated: January 14, 2026.