
Security overview.

This is the policy we operate by. We publish it openly so prospective clients and partners can see how we work before they engage us. Final binding terms are negotiated and attached to each engagement.

§ 01

Purpose of this page.

This page describes, in plain English, how SUMMIT REACH LLC currently handles security across our own operations. It is a self-description, not a certification. Where we say we do something, we do it; where we do not, we have not pretended otherwise.

We do not currently hold a SOC 2, ISO 27001, HIPAA, or FedRAMP certification. We have shipped work inside our clients' programs and audits — that is not the same thing, and we won't represent it as one.

§ 02

People and access.

  • Client work is performed only by salaried SUMMIT REACH employees, not by outsourced contractors.
  • Every employee signs a confidentiality and intellectual-property assignment agreement on day one.
  • All operational accounts use unique credentials stored in a password manager, and require multi-factor authentication (TOTP or hardware key) wherever the provider supports it.
  • Access to client systems is granted per-engagement, scoped to the minimum needed, and revoked at handover.

§ 03

Endpoints.

  • Engineer workstations are full-disk encrypted (FileVault / BitLocker / LUKS).
  • Workstations require an automatic screen lock and a strong login password.
  • Operating system and browser updates are kept current; auto-update is enabled.
  • We do not store client data on personal devices.

§ 04

Network and infrastructure.

  • Production deployments live in our clients' own cloud accounts (AWS, GCP, Azure, or self-hosted) — we do not co-mingle clients in shared infrastructure we control.
  • Where we host supporting infrastructure ourselves, it sits in private VPCs with no public ingress except through documented load balancers, all using TLS 1.2 or higher.
  • Secrets are stored in a managed secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault), never in source control.

§ 05

Data handling.

  • We minimize the client data we keep on our own systems. Most client work runs against data in the client's own cloud account.
  • When we do hold data — for testing, debugging, or model evaluation — it is encrypted at rest by the underlying provider, and retained only as long as needed.
  • We do not train models on client data for our own benefit. Client data trains client models.
  • Production data is not copied to laptops. If a sample is needed for development, it is redacted or synthetic.

§ 06

Software supply chain.

  • All client code lives in version control with branch protections enabled.
  • Pull requests require review by a second engineer before merge.
  • CI runs unit tests, type checks, and dependency vulnerability scans on every push.
  • Production deploys go through automated pipelines with auditable artifacts — no engineer pushes binaries by hand.

§ 07

Monitoring and incident response.

  • Operational accounts on critical providers have audit logging enabled and logs retained for at least 90 days.
  • We maintain an internal incident response runbook and a documented escalation path.
  • If we become aware of a security incident affecting client data, we will notify the affected client without undue delay, as required by the relevant Data Processing Agreement and applicable law.

§ 08

Compliance posture (honest version).

We have shipped systems that operate inside:

  • Client SOC 2 Type II programs, against their auditors' controls.
  • Client HIPAA-covered workloads, under signed Business Associate Agreements.
  • One client environment with CJIS-regulated data.

This means we are familiar with how those programs work and comfortable operating inside them. It does not mean SUMMIT REACH itself is SOC 2, HIPAA, or CJIS certified — those would be audits of our own company, which we have not yet undergone.

§ 09

Reporting a security issue.

If you believe you've found a security issue affecting this website or any system we operate, please email security@summitreachsoft.com. We will acknowledge your report within 72 hours and work with you on coordinated disclosure. We do not currently run a paid bug bounty, but we will publicly credit responsible disclosure if you'd like us to.

§ 10

What is not on this page.

If you need a Data Processing Agreement, a Business Associate Agreement, a security questionnaire response, or a vendor risk packet, email security@summitreachsoft.com. We respond to these under NDA, with current evidence rather than a marketing description.

QUESTIONS OR FEEDBACK

Questions about this policy?

The text above describes how SUMMIT REACH LLC operates, in plain English. The final binding agreement between you and SUMMIT REACH LLC is whatever is signed at the bottom of your engagement, alongside this policy.

Questions or proposed changes? Email legal@summitreachsoft.com.