Security & data protection
The same posture, every scope.
This marketing site holds no customer data. Client engagements carry documented controls per project. Both are stated below, including the controls we do not have.
Stated as verification states, not as a badge wall.
01 · This site
No backend, no customer data.
The site is a static export on Cloudflare Pages. The controls below are set in the response headers and the build configuration, and you can read both: the source is named on each row.
- Static export. No backend, no database, no login, no customer data at rest on our infrastructure. (enforced · next.config.mjs)
- TLS terminated at the Cloudflare edge, with HSTS at a two-year max-age, covering subdomains, and on the preload list. (enforced · _headers · HSTS)
- MIME sniffing disabled (X-Content-Type-Options: nosniff) and framing denied (X-Frame-Options: DENY), so the browser cannot guess a content type or embed the site in a frame. (enforced · _headers · nosniff, DENY)
- Camera, microphone, and geolocation switched off by Permissions-Policy. Referrers trimmed cross origin by Referrer-Policy. (enforced · _headers · Permissions-Policy)
- Aika the concierge runs on a Cloudflare Worker we operate. The API key stays server side; the Worker's CORS allowlist is locked to this site's origin. A CORS allowlist governs what a browser may read cross origin; it is not authentication, and a non-browser client can still call the endpoint directly. (enforced · Worker · CORS)
Legend: enforced on this site · documented per engagement · not in scope
Form submissions
Routed through a Cloudflare Worker we operate, with a honeypot field (a hidden input that real visitors leave blank and bots fill) and a per-IP rate limit. Retained for 24 months.
Aika conversations
Retained for 30 days on Cloudflare KV so we can keep tuning the concierge. No third-party analytics, no session replay, no cookies, no localStorage on the visitor side. One sessionStorage flag stops Aika greeting a returning visitor twice in the same tab; it clears when the tab closes.
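The Worker-side controls named in this section (the origin lock on Aika's Worker, and the honeypot and per-IP rate limit on form submissions) as one decision function. This is an added example, not the site's own Worker: the allowed origin, the honeypot field name, the window and the limit are assumptions, the in-memory counter Map stands in for the KV or Durable Object storage a real Worker would use (isolates do not share memory), and the sample requests are constructed.

```javascript
// Added example, not the site's Worker: origin lock, honeypot and per-IP
// rate limit as a single testable decision function.
const ALLOWED_ORIGINS = new Set(["https://example.com"]); // assumed site origin
const HONEYPOT_FIELD = "website";  // assumed hidden field real visitors leave blank
const WINDOW_MS = 60_000;          // assumed: fixed 1-minute window
const LIMIT = 5;                   // assumed: 5 submissions per IP per window

// Stand-in for KV / Durable Object storage; per-isolate memory only.
const counters = new Map(); // ip -> { windowStart, count }

function rateLimited(ip, now) {
  const entry = counters.get(ip);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    counters.set(ip, { windowStart: now, count: 1 });
    return false;
  }
  entry.count += 1;
  return entry.count > LIMIT;
}

// CORS headers are emitted only for an allowed Origin. A disallowed origin
// gets none, so the browser refuses to expose the response to that page.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// req: { method, origin, ip, body } with body already parsed from JSON.
// Returns a plain { status, headers, body, stored } so the logic can be
// exercised without the Workers runtime.
function handleSubmission(req, now = Date.now()) {
  const headers = corsHeaders(req.origin);

  if (req.method === "OPTIONS") {
    // Preflight: succeed only for an allowed origin.
    return { status: ALLOWED_ORIGINS.has(req.origin) ? 204 : 403, headers, body: "" };
  }
  if (req.method !== "POST") return { status: 405, headers, body: "method not allowed" };

  // Server-side origin check as well. CORS only governs browser reads, and a
  // non-browser client can forge Origin, so this is a filter, not authentication.
  if (!ALLOWED_ORIGINS.has(req.origin)) return { status: 403, headers, body: "origin not allowed" };

  // Rate limit before any work on the body.
  if (rateLimited(req.ip, now))
    return { status: 429, headers: { ...headers, "Retry-After": "60" }, body: "slow down" };

  // Honeypot: a bot that fills every field fills this one. Answer 200 so the
  // bot cannot tell it was caught, but store nothing.
  const body = req.body || {};
  if (typeof body[HONEYPOT_FIELD] === "string" && body[HONEYPOT_FIELD].trim() !== "")
    return { status: 200, headers, body: "ok", stored: false };

  // Minimal validation of a real field before accepting the submission.
  if (typeof body.email !== "string" || !body.email.includes("@"))
    return { status: 400, headers, body: "invalid email", stored: false };

  return { status: 200, headers, body: "ok", stored: true };
}

// Workers entry point in the assumed shape; not exercised here. The real
// Worker would write accepted submissions to KV via env.
async function fetchHandler(request, env) {
  const req = {
    method: request.method,
    origin: request.headers.get("Origin") || "",
    ip: request.headers.get("CF-Connecting-IP") || "0.0.0.0",
    body: request.method === "POST" ? await request.json().catch(() => ({})) : null,
  };
  const r = handleSubmission(req);
  return new Response(r.body, { status: r.status, headers: r.headers });
}
```

The order matters: the cheap origin check runs before the counter is touched, the counter runs before the body is read, and the honeypot answers with the same 200 a genuine submission gets so that automated senders learn nothing from the response.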
02 · Client engagements
Documented per project.
Engagement controls are written into each contract and verified for that build. They are not enforced on this site, so the register marks them per engagement, and names the one control that is out of scope here.
- Field-level encryption on sensitive free text before storage. Database encryption at rest via managed providers. (per engagement · verified per project)
- Tenant isolation enforced at the database layer on multi-tenant builds, not in application middleware. (per engagement · verified per project)
- Data residency pinned to region. India-regulated work stays in India; others follow jurisdiction. (per engagement · verified per project)
- Scoped roles on every service, with no wildcards on data-plane resources. Read and write events logged. (per engagement · verified per project)
- Standing penetration test schedule and a third-party certification. (not in scope · stated below)
Incident response
Clients are notified in writing within 72 hours of a confirmed incident.
03 · What we do not have
Said straight.
- Not SOC 2 Type II audited.
- Not ISO 27001 certified.
- PCI DSS not in scope for any current engagement.
- Penetration tests run per engagement, not on a standing schedule for this marketing site.
04 · Performance
We publish the measurement.
We do not print a target on the homepage. The last PageSpeed Insights run on the live site is below, carried as a dated figure. It is re-measured at each relaunch and the date moves with it.
05 · Compliance posture
What we work to.
- GDPR. We act as processor or controller depending on the engagement. A data processing agreement is available before contract execution at /legal/dpa. Data subject requests are answered inside 30 days.
- DPDP Act 2023 (India). Purpose limitation, consent handling, field-level encryption on sensitive personal data, and audit trails.
- Standard Contractual Clauses. Applied to EU data transfers where they are required.
Question about scope or controls?
Send a note and we will route you to the right document.