Trust & security
How we secure this site
This page is maintained by Dephiant Consulting Inc. to answer common questions about the security and privacy of this website. It describes controls that are enabled today. It is not an audit report or a third-party certification.
Hosting and isolation
The site runs on an edge serverless runtime with TLS terminated at the platform edge. Static assets and server-side-rendered (SSR) responses are served from a geographically distributed network. Each request executes in its own isolate; there is no persistent file system, so one request cannot read data left behind by another.
Authentication
Public visitors interact with the site anonymously. Internal admin views (the chat console and testimonial moderation) require Google sign-in plus an explicit admin role check on every request. There are no shared service passwords for admin access.
Data handling
We collect only what we need to respond to inquiries, run the assessment, and improve the site. See the privacy notice and cookie policy for categories, lawful bases, and retention windows.
Personal-data tables in our database enforce row-level access policies. Privileged backend operations require an authenticated admin role.
Transport and headers
Connections are HTTPS only. We send HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers, and a Content Security Policy in report-only mode while we tune the allowlist. A report-only policy reports violations to us but blocks nothing in the browser, so it adds no enforcement until it is switched to an enforcing Content-Security-Policy header. Embedding in third-party frames is disabled.
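The header posture above can be checked mechanically. The following is an added example, not Dephiant's code: it evaluates a captured response header map against the controls listed in this section and, in particular, distinguishes an enforced CSP from a report-only one when deciding whether framing is actually blocked. The sample header values (HSTS max-age, the CSP allowlist, the use of X-Frame-Options to disable framing) are constructed assumptions, not a capture from the live site.

```javascript
// Added example (not Dephiant's code): check a response header map against
// the posture described on this page. Header values below are constructed.
const ONE_YEAR_SECONDS = 31536000;

// Case-insensitive lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Parse "max-age=N; includeSubDomains; preload" into its parts.
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim().toLowerCase();
    if (token.startsWith('max-age=')) out.maxAge = parseInt(token.slice(8), 10) || 0;
    else if (token === 'includesubdomains') out.includeSubDomains = true;
    else if (token === 'preload') out.preload = true;
  }
  return out;
}

// Return one CSP directive's source list (lower-cased), or null if absent.
function cspDirective(policy, name) {
  for (const raw of policy.split(';')) {
    const parts = raw.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === name) {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

function evaluateSecurityHeaders(headers) {
  const fails = []; // hard findings
  const notes = []; // informational

  const hsts = getHeader(headers, 'Strict-Transport-Security');
  if (!hsts) {
    fails.push('HSTS missing');
  } else {
    const { maxAge, includeSubDomains } = parseHsts(hsts);
    if (maxAge < ONE_YEAR_SECONDS) fails.push(`HSTS max-age ${maxAge} is below one year`);
    if (!includeSubDomains) notes.push('HSTS does not cover subdomains');
  }

  const xcto = getHeader(headers, 'X-Content-Type-Options');
  if (!xcto || xcto.trim().toLowerCase() !== 'nosniff') fails.push('X-Content-Type-Options is not nosniff');

  for (const h of ['Referrer-Policy', 'Permissions-Policy']) {
    if (!getHeader(headers, h)) fails.push(`${h} missing`);
  }

  const cspEnforced = getHeader(headers, 'Content-Security-Policy');
  const cspReportOnly = getHeader(headers, 'Content-Security-Policy-Report-Only');
  let cspMode = 'none';
  if (cspEnforced) {
    cspMode = 'enforced';
  } else if (cspReportOnly) {
    cspMode = 'report-only';
    notes.push('CSP is report-only: violations are reported, nothing is blocked');
  } else {
    fails.push('no CSP header at all');
  }

  // Framing is blocked only by X-Frame-Options or by frame-ancestors in an
  // ENFORCED CSP; frame-ancestors in a report-only policy blocks nothing.
  const xfo = (getHeader(headers, 'X-Frame-Options') || '').trim().toUpperCase();
  const ancestors = cspEnforced ? cspDirective(cspEnforced, 'frame-ancestors') : null;
  const framingBlocked =
    xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
    (ancestors !== null && ancestors.every((s) => s === "'none'" || s === "'self'"));
  if (!framingBlocked) {
    const onlyReported = cspReportOnly && cspDirective(cspReportOnly, 'frame-ancestors') !== null;
    fails.push('third-party framing not blocked' + (onlyReported ? ' (frame-ancestors only in report-only CSP)' : ''));
  }

  return { fails, notes, cspMode, framingBlocked };
}

// Constructed sample matching the posture described on this page (values assumed).
const SAMPLE_CURRENT_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Content-Security-Policy-Report-Only': "default-src 'self'; report-uri /csp-report",
  'X-Frame-Options': 'DENY',
};

// Constructed weak sample: short HSTS, missing headers, and a frame-ancestors
// directive that lives only in the report-only policy, so framing is not blocked.
const SAMPLE_WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=3600',
  'Content-Security-Policy-Report-Only': "default-src 'self'; frame-ancestors 'none'",
};

console.log(JSON.stringify(evaluateSecurityHeaders(SAMPLE_CURRENT_HEADERS), null, 2));
console.log(JSON.stringify(evaluateSecurityHeaders(SAMPLE_WEAK_HEADERS), null, 2));
```

The useful property of the check is the last finding on the weak sample: a `frame-ancestors 'none'` directive looks like a framing control when read in a header dump, but it does nothing until the policy moves from Content-Security-Policy-Report-Only to Content-Security-Policy, which is exactly the situation a site in report-only mode has to account for with X-Frame-Options or an enforced policy.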
Dependency management and change control
Every change is gated by automated tests, lint, typecheck, and a dependency audit on each pull request. High and critical advisories block the merge. Production deployments only ship from the default branch after those checks pass.
Vulnerability reporting
If you believe you have found a security issue, please report it via /.well-known/security.txt. We acknowledge legitimate reports within five business days and do not pursue legal action against good-faith researchers who follow the reporting guidelines linked there.
Incident response
We use a documented incident-response plan based on NIST SP 800-61. A public summary of the framework we apply to client engagements is available at /incident-response-plan.
Compliance posture
Dephiant Consulting advises clients on SOC 2, ISO 27001, NIST CSF, ISO 42001, and similar frameworks. Statements about this website's own certification status will only be published here when confirmed in writing by Dephiant. Until then, the controls described above are the source of truth for the website itself.