Trust and security posture.
This is the policy we operate by. We publish it openly so prospective clients and partners can see how we work before they engage us. Final binding terms are negotiated and attached to each engagement.
At a glance.
SUMMIT REACH LLC handles a narrow set of personal data on this marketing site (contact-form submissions, request logs) and a much larger set under client engagements (production data, model inputs, operational telemetry). The posture below applies to both. Where engagement-specific controls differ, they are spelled out in the per-engagement DPA — see /dpa.
Encryption.
- In transit — TLS 1.3 enforced site-wide. HSTS with a one-year max-age and preload. No mixed content. Internal service-to-service traffic uses mutual TLS or an authenticated VPN.
- At rest — AES-256 on production data stores. Cloud-managed keys (AWS KMS / GCP KMS) with per-environment isolation. Backups are encrypted with the same keys.
- Secrets — never committed. Stored in a hosted secrets manager with access logged. Local development uses scoped, time-limited tokens.
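A prospective client can verify the transport claim above from the outside, since HSTS is observable in the response header. The checker below is an added example, not SUMMIT REACH LLC's own tooling; it parses a Strict-Transport-Security value and reports gaps against the stated posture (one-year max-age, preload). It also flags preload without includeSubDomains, which the browser preload list requires even though the policy text does not mention it. The sample header values are constructed for illustration and were not captured from summitreachsoft.com.

```python
"""Check a Strict-Transport-Security header against the stated HSTS posture.

Added example (not the company's code). Header values below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# The page's "one-year max-age"; also the minimum the browser preload list accepts.
ONE_YEAR = 31_536_000  # seconds


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: Optional[str]) -> HstsResult:
    """Parse one HSTS header value (RFC 6797 syntax) and list posture gaps."""
    if header_value is None:
        return HstsResult(False, None, False, False,
                          ["Strict-Transport-Security header missing"])

    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    problems: List[str] = []

    # Directives are ';'-separated, names are case-insensitive, unknown ones are ignored.
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                problems.append(f"max-age is not a non-negative integer: {value!r}")
            else:
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True

    # Browsers ignore the whole header when max-age is absent.
    if max_age is None:
        problems.append("max-age directive missing (header is ignored without it)")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    # The preload list rejects submissions that do not cover subdomains.
    if preload and not include_subdomains:
        problems.append("preload requested without includeSubDomains "
                        "(required by the preload list)")

    return HstsResult(True, max_age, include_subdomains, preload, problems)


def meets_posture(header_value: Optional[str]) -> bool:
    """True when the header satisfies every check above."""
    return not parse_hsts(header_value).problems


if __name__ == "__main__":
    # Constructed sample values: one compliant, two with gaps, one missing.
    samples = {
        "compliant": "max-age=31536000; includeSubDomains; preload",
        "short max-age": "max-age=300",
        "preload, no subdomains": "max-age=63072000; preload",
        "missing": None,
    }
    for label, value in samples.items():
        result = parse_hsts(value)
        status = "OK" if not result.problems else "; ".join(result.problems)
        print(f"{label:24s} -> {status}")
```

To run it against a live host, fetch the response headers over HTTPS (for instance with `curl -sI https://<host>`) and pass the Strict-Transport-Security value to `parse_hsts`; a compliant header should produce an empty problem list.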
Identity, access, personnel.
- SSO — Google Workspace is the identity provider for the team. Every system that supports SSO is wired to it.
- Two-factor — hardware security keys (YubiKey 5) for every team member with production access. TOTP only as a fallback.
- Credential vault — 1Password Business. No shared accounts. Provisioning and deprovisioning are documented and rehearsed.
- Least privilege — production read access is named and revocable; production write access requires a paired session and is logged. Quarterly access review on every active client engagement.
- Background checks — every team member with production access has cleared a US background check before that access is granted.
- Devices — managed laptops with full-disk encryption, automatic patching, EDR. A lost device is remote-wiped within the same business day.
Data handling.
- Minimisation — we collect only what the engagement needs. Sample or synthetic data is preferred during development.
- Segregation — every client engagement lives in its own cloud account or its own project, with its own IAM boundary and its own logs.
- Retention — client data is held only for the duration of the engagement plus the agreed retention window. Default retention after termination is 30 days unless contracted otherwise.
- Deletion — at engagement end, all client data and derivative artefacts are deleted from active stores within 30 days. Encrypted backups expire on their own rolling schedule (90 days).
Incident response.
- An on-call rotation covers every active engagement. The runbook is the same one we hand to client teams at handoff.
- Acknowledge within 1 hour of pager during business hours; within 4 hours otherwise.
- Contain as the first action, even if the root cause is unknown.
- Notify the affected client point-of-contact for any incident touching their data, within 24 hours of containment, regardless of severity.
- Personal-data breach — supervisory-authority notification inside 72 hours of awareness, per GDPR Article 33; affected data subjects notified without undue delay where required.
- Post-mortem — written, blameless, shared with affected clients inside 7 days. Action items are tracked publicly until closed.
Subprocessors.
The current list lives at /subprocessors. Adding a subprocessor that processes personal data triggers a 30-day notice on that page; clients may object.
Business continuity.
- RPO — 24 hours for production systems we operate on behalf of clients (the daily snapshot).
- RTO — 4 business hours for tier-1 systems; 1 business day for tier-2.
- Geographic redundancy — multi-AZ inside the primary region by default; cross-region replication available on request as a contract term.
- Tested — restore tests at least quarterly per active engagement.
Vulnerability disclosure.
If you have found a security issue with this site or a system we operate, email security@summitreachsoft.com. We commit to:
- Acknowledge inside 24 hours.
- Not pursue legal action against good-faith researchers acting within the scope below.
- Provide a fix-or-mitigation timeline inside 5 business days.
- Credit reporters in a public hall-of-thanks if they wish.
In scope: summitreachsoft.com and any subdomain we publish. Out of scope: client-operated systems (those are reported to the client), denial-of-service testing, social engineering, physical attacks on staff or premises.
Compliance posture.
- We operate inside client SOC 2 / ISO 27001 / HIPAA programmes today.
- SUMMIT REACH LLC is not currently SOC 2 certified as an entity. A SOC 2 Type I engagement is targeted for Q1 2027, Type II 12 months after. We will not claim certification until it is signed.
- Independent penetration test of the public site and infrastructure is targeted for Q3 2026.
- EU/UK personal-data processing relies on the EU–US Data Privacy Framework where applicable and the Standard Contractual Clauses + UK IDTA where it is not. See /dpa.
Roadmap.
- Q3 2026 — third-party pentest, hall-of-thanks public, formal vulnerability disclosure policy with safe-harbor wording.
- Q4 2026 — internal security training programme certified to a published curriculum.
- Q1 2027 — SOC 2 Type I.
- Q1 2028 — SOC 2 Type II.
Contact.
Security questions, RFP inquiries, vulnerability reports — security@summitreachsoft.com.
Questions about this policy?
The text above describes how SUMMIT REACH LLC operates, in plain English. The final binding agreement between you and SUMMIT REACH LLC is whatever is signed at the bottom of your engagement, alongside this policy.
Questions or proposed changes? Email legal@summitreachsoft.com.