Trust & security

Security posture, data handling, and procurement documents.

The questions every enterprise security review asks. Published so the back-and-forth happens once, not every quarter.

SECTION.01

Compliance posture

THEFT Studio runs research-led enterprise engagements. We are aligned with industry frameworks: we run the controls, but we do not currently carry the formal audit certifications. We are explicit about this so your security team knows what it is buying.

SOC 2 Type II: Designed with SOC 2 controls in mind. Not certified. Access, encryption, and logging practices in place.
GDPR: Designed with GDPR Articles 5, 25, 28, 32, and 35 in mind. DPA available on request.
EU AI Act: Designed with Article 13 transparency and Article 14 human oversight in mind.
ISO 27001: Practices designed with Annex A controls in mind. Not currently certified.
WCAG 2.2 AA: Target conformance for all client-facing UI we ship. Audited per engagement.
HIPAA: Not certified. PHI workloads require a BAA and a healthcare-specialist partner.

SECTION.02

Operational controls

01

Access

MFA on every surface. Least-privilege by default. Hardware key required for production systems. Access reviewed at every phase boundary.

02

Encryption

AES-256 at rest on all managed storage. TLS 1.3 enforced in transit. Client secrets held in named secret managers (1Password, AWS Secrets Manager, Doppler), never in code or chat.

03

Data residency

Work happens inside your infrastructure by default. No shadow data copy on our side. When our systems are required, residency is set to your region: US, EU, or other on request.

04

Audit trail

All access to client systems logged. Logs retained through the engagement plus 90 days post-close. Export available on request before deletion.

05

Incident reporting

Security incidents reported within 24 hours of detection. Root-cause analysis delivered within 5 business days. Incident response designed with NIST CSF 2.0 in mind.

06

AI model use

Client data is not used to train, fine-tune, or embed into any model, ours or third-party, without explicit scoped authorization. Provider APIs (Anthropic, OpenAI, Mistral) are configured with zero data retention and training opt-out.

SECTION.03

Documents available

DPA (Data Processing Agreement)
Available on request · under 10 business days
Subprocessor list
Available on request · updated quarterly
Security questionnaire responses
We complete client questionnaires directly · 5 business days typical
Certificate of insurance (E&O)
Available on request · 2 business days
Incident-response runbook
Shared under NDA as part of pre-engagement security review

SECTION.04

Security contact

Security questionnaires, vulnerability reports, and compliance questions go directly to us.

Note 'security inquiry' in the message · Response within 24 hours