Security
We are a five-person firm. We do not pursue a formal SOC 2 audit because, at our scale, the cost of an audit exceeds its value to clients. We do follow practices aligned with SOC 2 controls. Below is what we actually do, in plain text.
What we use
| Tool | Purpose | Attestation / certification |
|---|---|---|
| Google Workspace | Email, documents, calendar | SOC 2 Type II |
| Notion | Client workspace, project tracking | SOC 2 Type II |
| 1Password | Shared credentials | SOC 2 Type II |
| Stripe | Payment processing | SOC 1, SOC 2, PCI DSS |
| Mercury | Banking | SOC 2 |
| FormSubmit | Contact form processing | HTTPS only |
| Cloudflare | Site hosting and CDN | SOC 2 Type II, ISO 27001 |
A full data processing agreement (DPA) is available on request from any client. Email [email protected].
Practices
Least-privilege defaults. Each team member has access only to the clients they work on. Shared workspaces use scoped roles. New team members go through a 24-hour access review before getting client credentials.
All client data is stored in tools that encrypt at rest (AES-256) and in transit (TLS 1.2+). We do not maintain our own servers or unencrypted backups.
Every team member uses a YubiKey or a platform passkey on every account that holds client data. SMS 2FA is disabled across the firm. Password reuse is forbidden and enforced through 1Password's reused-password monitoring.
Every quarter we re-verify each subprocessor's compliance posture. We notify clients in writing 30 days before adding a new subprocessor that will hold their data.
If a security incident occurs, we notify affected clients within 72 hours with a written description, scope, and remediation plan. The runbook is reviewed annually.
We do not store payment card data; Stripe handles it. We hold credentials to client systems only for the scope and duration of an engagement and do not keep them once it ends. We do not sell or share client data.
Responsible disclosure
We welcome reports from security researchers. Please email [email protected] with a description of the issue, steps to reproduce, and any proof of concept. We acknowledge within 24 hours and provide a written response with a timeline within five business days.
We publicly thank researchers who report valid vulnerabilities (with their permission). The acknowledgment list will appear here once we have one.
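The reporting contact and response-time commitments above are what a /.well-known/security.txt file (RFC 9116) carries in machine-readable form, which is where the questions below point researchers. The Python below is an added illustration, not the firm's own file or code: it builds such a file and then validates it the way researcher tooling does. The mailto address and site URL are placeholders, since this page does not show the real addresses in clear text.

```python
"""Build and validate an RFC 9116 security.txt.  Added example; the contact
address and site URL are placeholders, not the firm's real values."""
from datetime import datetime, timedelta, timezone

# Assumed placeholders: the page does not show the real addresses in clear text.
CONTACT_URI = "mailto:security@example.com"
SITE = "https://www.example.com"

# Constructed example of a file that should fail validation: a bare e-mail
# address (RFC 9116 requires a URI) and an Expires date in the past.
STALE_EXAMPLE = """Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""


def build_security_txt(now=None, valid_days=180):
    """Return a security.txt body that mirrors the disclosure policy above."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "# Reports are acknowledged within 24 hours; written response within five business days.",
        f"Contact: {CONTACT_URI}",
        f"Expires: {expires}",  # mandatory, exactly once
        f"Policy: {SITE}/security",
        f"Acknowledgments: {SITE}/security",
        f"Canonical: {SITE}/.well-known/security.txt",
        "Preferred-Languages: en",
    ]
    return "\n".join(lines) + "\n"


def parse_fields(text):
    """Yield (name, value) pairs from 'Name: value' lines, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip(), value.strip()


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file meets RFC 9116's rules."""
    now = now or datetime.now(timezone.utc)
    fields = list(parse_fields(text))
    problems = []

    contacts = [v for n, v in fields if n == "Contact"]
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        # Contact values are URIs; a bare address is the most common mistake.
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a URI: {c}")

    expires = [v for n, v in fields if n == "Expires"]
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a time zone offset")
            elif exp <= now:
                problems.append(f"file expired on {expires[0]}; researchers will treat it as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")

    if sum(1 for n, _ in fields if n == "Preferred-Languages") > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return problems


if __name__ == "__main__":
    fresh = build_security_txt()
    print(fresh)
    print("fresh file problems:", validate_security_txt(fresh))
    print("stale file problems:", validate_security_txt(STALE_EXAMPLE))
```

The two findings on the constructed stale file are the mistakes seen most often in the wild: a bare e-mail address where RFC 9116 requires a URI, and an Expires date that has passed, which tells researchers the contact may no longer be monitored. Serve the file over HTTPS at /.well-known/security.txt and regenerate it before Expires lapses.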
Common questions
How do I report a vulnerability?
Email [email protected]. We acknowledge within 24 hours and provide a written response within five business days. See /.well-known/security.txt for the full policy.
Are you SOC 2 certified?
No. We are a five-person firm, and at our scale a formal SOC 2 audit costs more than it is worth to clients. We follow practices aligned with SOC 2 controls (encryption, access controls, vendor due diligence) but do not pursue a formal audit. We are happy to discuss our actual practices in detail with security teams.
Where is client data stored?
Notion (workspace data), Google Workspace (email, documents, calendar), 1Password (credentials), Stripe and Mercury (payment data). Each of these providers holds a SOC 2 report; the table above lists the report type. We do not maintain our own servers or databases.
Will you sign a DPA?
Yes. We sign DPAs with any client that requires one, including GDPR-relevant terms for clients with EU users. Email [email protected] to request one.
How long do you retain data?
Active client data: for the life of the engagement plus 12 months. Past client data (case studies, press logs): indefinitely unless deletion is requested. Email logs: 36 months. Form submissions from prospects: 24 months.