# Security Overview

**Stelvox Technologies** · security-overview · v1.1 · 2026

> A plain-language summary of how we run engineering work safely. Designed
> to answer ~90% of a typical security questionnaire without a call. For
> anything not covered here, ask: hello@stelvox.com.

---

## 1. Posture

We are a small, senior studio. Our security model leans on **fewer humans,
tighter controls, and managed platforms** rather than seat-of-the-pants
DIY. Where we can lean on a managed provider's controls (Vercel, AWS,
Stripe, Lemon Squeezy), we do.

We are **SOC 2 Type II–aligned** and **ISO 27001–aligned**. We do not yet
hold the certifications themselves and will not represent that we do. If
your procurement process requires a certified vendor, we will tell you on
day one and recommend either a Discovery Sprint scope or a different
provider.

## 2. People

- All personnel sign a contractor or employment agreement with explicit
  confidentiality, IP-assignment, and acceptable-use clauses.
- Background checks for full-time staff handling production credentials.
- Annual security-awareness training. Topics: phishing, social engineering,
  credential hygiene, secure code, incident response.
- Offboarding within 24 hours of separation: credentials revoked, devices
  wiped or returned, access reviews conducted.

## 3. Devices

- Company devices use full-disk encryption (FileVault / BitLocker / LUKS).
- Screen-lock auto-engages after 5 minutes idle.
- MDM-enforced patch baseline: OS security updates installed within 7 days.
- Anti-malware: macOS XProtect, Windows Defender, Linux equivalents.
- No client data stored on local devices long-term; ephemeral working
  copies are encrypted and removed on engagement close.

## 4. Identity and access

- Centralised SSO across primary tooling (Google Workspace, GitHub,
  Vercel, AWS, password manager).
- Mandatory hardware-key or TOTP MFA on all admin accounts.
- Least-privilege defaults; production access limited to named engineers
  per engagement.
- Quarterly access reviews against active engagements.
- Shared service accounts forbidden; emergency break-glass account exists
  in a sealed envelope with usage logged.

## 5. Code and change management

- All production code lives in GitHub with branch protection on `main`.
- Two-person review for merges to production branches.
- Signed commits enforced where the customer's policy calls for them.
- Static analysis: ESLint / Ruff / Clippy in CI. SAST optional per SOW.
- Dependency monitoring via Dependabot or equivalent; high-severity CVEs
  patched within 7 days.
- Secrets stored in a managed secret manager (Doppler / Vercel env / AWS
  Secrets Manager); never committed.

## 6. Infrastructure

- Production hosting on Vercel (default) and Hostinger VPS (where chosen
  for latency or regulatory reasons). Both with EU-region defaults.
- TLS 1.2+ on all public endpoints; HSTS enabled.
- Encryption at rest: managed by provider (AES-256 or equivalent).
- DDoS protection at the edge via Vercel / Cloudflare.
- Daily backups with encrypted off-site copies; restore tests quarterly.

## 7. Logging and monitoring

- Application logs centralised; 90-day minimum retention on production.
- Authentication events logged for all production systems.
- Anomaly alerting on auth failures, privilege escalations, and unusual
  API call patterns.
- Uptime monitoring with public status page where the customer wishes.

## 8. Incident response

- Documented incident response plan with named on-call rotation.
- Severity classification: SEV-1 (data loss / outage) through SEV-4
  (cosmetic).
- For Client Personal Data breaches: **notification within 48 hours** of
  awareness, per the DPA.
- Annual tabletop exercise. Post-mortems written and shared with the
  affected Client.

## 9. Subprocessors and supply chain

Listed in the DPA (`dpa.md` §4). New subprocessors notified 14 days in
advance to the named billing contact.

## 10. Business continuity

- Code in version control, mirrored across providers.
- Documented runbooks for each production system handed over to the
  Client at engagement close.
- Studio-level continuity: at least two engineers cross-trained on every
  active engagement.

## 11. Open points

We publish what we don't yet do, openly:

- SOC 2 Type II audit: in progress, target completion 2026-Q3.
- ISO 27001 certification: scoped, not yet engaged with auditor.
- 24×7 SOC: not in scope; off-hours coverage is best-effort and named in
  the SOW.

## 12. Questions

For anything not covered: hello@stelvox.com. We respond to security
questionnaires within five business days. For anything urgent, mark the
email subject `[SECURITY URGENT]`.

---

*Reviewed: 2026-Q1. Next review: 2026-Q3.*
