| Question | Answer |
|---|---|
| Do you store or process customer data? | Only during active engagements. All client data is purged within 14 days of engagement completion. Written purge confirmation is provided to the client. |
| Do you have a data retention policy? | Yes. Maximum 14-day retention post-engagement. See the Data Handling & Retention Policy document for full details. |
| How do you handle data in transit? | TLS 1.2 or higher for all web-based data transfers. Client-approved encrypted methods (SFTP, secure portals, OneDrive for Business) for file transfers. Unencrypted protocols are never used. |
| What encryption do you use? | Full-disk encryption on all devices used for client work. TLS 1.2+ for all data in transit. Client-approved encrypted methods for file sharing. Encryption keys are never stored with client data. |
| Do you conduct background checks? | Available upon client request at no additional cost. |
| Question | Answer |
|---|---|
| Do you require access to production systems? | Only when the engagement scope explicitly requires it. All production access is scoped to the minimum necessary, time-bound, and provisioned by the client. Access is never standing or bulk-granted. |
| How do you handle credentials? | Client credentials are never stored locally on consultant devices. Client-provisioned accounts only — no personal accounts used. All access is revoked within 24 hours of engagement completion, with written confirmation provided. |
| Do you use MFA? | Yes. Multi-factor authentication is required on all client-provisioned accounts, with no exceptions. Approved methods are TOTP authenticator apps, hardware security keys, and enterprise push-based MFA (Duo, Okta Verify). |
| Do you maintain audit logs? | Yes. Activity logs are maintained for every engagement, documenting every system accessed, action taken, and change made. Logs are delivered to the client as part of the engagement deliverables. |
| Question | Answer |
|---|---|
| Do you use subcontractors? | This is a solo practice; no subcontractors are used without prior written client approval. If subcontractor involvement is required and approved, every subcontractor is bound by the same security requirements as the primary consultant. |
| Do you have professional liability insurance? | Errors & Omissions (E&O) insurance will be obtained prior to the first engagement. Current coverage status is confirmed on request, and a certificate of insurance is provided once coverage is in place. |
| Can you sign our NDA? | Yes. A mutual NDA is required before every engagement. Our standard mutual NDA template is available for legal review, and client-provided NDAs can also be executed subject to review. |
| Do you have a responsible disclosure policy? | Yes. A public responsible disclosure policy covers our own properties and services. Vulnerabilities discovered in client systems during an engagement are reported directly and immediately to the client, per our Engagement Security Controls. |
| Question | Answer |
|---|---|
| What is your incident response process? | Security incidents are reported to the client's designated contact within 2 hours of discovery (during business hours). A preliminary written assessment is provided within 4 hours, containment recommendations within 24 hours, and a full written incident report within 72 hours. |
| Do you have a business continuity plan? | Solo practice with documented handoff procedures. All deliverables are stored in client-owned systems to ensure continuity regardless of consultant availability. A formal handoff package can be prepared for longer engagements on request. |
I certify that the information provided in this vendor risk assessment is accurate and complete to the best of my knowledge. I understand that material changes to the above information will be communicated to affected clients promptly.