Compliance & Trust
Alpinscape handles client data with intent and rigor. This page details our security controls, the frameworks we align to, and how we protect the systems and data you trust us with.
NIST CSF
Core framework alignment
SOC 2 Oriented
Trust service criteria
GDPR & CCPA
Privacy-aware practices
ISO 27001
Information security aligned
We apply layered security practices across every engagement. These are the controls we operate under day to day.
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Client deliverables and sensitive configuration are never stored unencrypted.
Least-privilege access is enforced across all systems. Multi-factor authentication is required. Role-based permissions are reviewed quarterly and revoked on project close.
Dependencies are monitored for CVEs. Third-party tools are evaluated before use. Critical patches are applied within 72 hours of identification.
A documented incident response plan is maintained and tested annually. Clients are notified within 48 hours of any confirmed breach affecting their data.
Critical project assets are backed up with geographic redundancy. Recovery time objectives are defined per engagement and tested against realistic failure scenarios.
All subprocessors and tools undergo security review before onboarding. We maintain a current list of vendors with access to client data and review it at least annually.
Our practices are grounded in established security and privacy frameworks. We draw from each to build a practical, defensible posture.
NIST Cybersecurity Framework
We map internal controls to the five NIST CSF functions — Identify, Protect, Detect, Respond, and Recover — providing a consistent baseline across all client engagements.
SOC 2 Trust Service Criteria
Our controls reflect the SOC 2 criteria across Security, Availability, and Confidentiality. We operate as though our practices will be audited, and documentation reflects that rigor.
ISO 27001 Alignment
Information security management is embedded in project delivery, not bolted on at the end. Our approach reflects the intent of ISO 27001 for all engagements involving sensitive data.
GDPR & CCPA Privacy Readiness
We follow data minimization principles, support data subject rights, and help clients reach compliant states on the platforms we integrate. Our data handling respects both GDPR and CCPA where applicable.
Transparency is part of how we operate. Here is exactly what data we collect, why, and how long we keep it.
| Data type | Purpose | Retention | Shared with |
|---|---|---|---|
| Contact information | Project communication and billing | Duration of engagement + 3 years | Internal team only |
| System credentials | Integration and configuration access | Revoked and deleted at engagement close | Never shared externally |
| Client operational data | Integration design, testing, and QA | Deleted within 30 days of project close | Subprocessors under DPA only |
| Website analytics | Site performance measurement | 90 days (Vercel Analytics) | Vercel only |
| Scheduling data | Meeting coordination | Cal.com retention policy | Cal.com only |
These are the third-party services that may process client data as part of delivering our services. Each has been reviewed for security practices.
Vercel
Website hosting & analytics
SOC 2 Type II certified. Data processed in the United States.
Cloudflare
Edge network & Workers
SOC 2 Type II, ISO 27001 certified. Global data centers.
Airtable
Content management
SOC 2 Type II certified. Data processed in the United States.
Cal.com
Meeting scheduling
Open-source scheduling infrastructure. GDPR compliant.
Google Workspace
Communication & documents
ISO 27001, SOC 2, SOC 3 certified. GDPR compliant.
Anthropic / Claude
AI-assisted work (internal only)
No client data submitted to AI tools without explicit authorization.
Responsible Disclosure
We take security disclosures seriously. If you believe you have found a security issue in any Alpinscape system or deliverable, please reach out directly. We commit to acknowledging all reports within 48 hours and working with you on a responsible timeline.
Report a vulnerability
Email security@alpinscape.com with a clear description of the issue.
We acknowledge receipt within 48 hours and begin investigation.
We coordinate on a fix and agree on a disclosure timeline together.
We are happy to share our security documentation, answer framework questions, or walk through our data handling practices with your team.