Security Policy

Effective Date: 20-May-2023
Last Updated: 22-April-2025

SVTech Consulting Services, LLC (“SVTech,” “we,” “our,” or “us”) is a single-member limited-liability company committed to protecting client information—including payment data processed through Stripe. This Security Policy outlines the practical, proportionate safeguards we maintain as both service provider and security officer.

1 Governance and Responsibility

• As the sole member–manager, we design, implement, and review all security controls at least once per year—or sooner if laws, Stripe requirements, or the threat landscape change.

• Any independent contractor we engage must sign a confidentiality and data-protection agreement before receiving client information.

2 Payment-Card Data Protection

• We never store raw cardholder data. All payments flow directly through Stripe’s PCI DSS Level 1 infrastructure.

• Our website and payment links use HTTPS with TLS 1.2+.

• Stripe Radar, 3-D Secure, and address verification are enabled to mitigate fraud.

3 Encryption of Data in Transit and at Rest

• All client files travel over encrypted channels (HTTPS, S/MIME, or secure file-share links).

• Deliverables, recordings, and project notes reside on encrypted disk volumes (AES-256) within a zero-trust cloud account. Our local workstation is full-disk-encrypted.

4 Access Control and Authentication

• We work from a single, dedicated workstation protected by strong OS-level credentials and a hardware security key (FIDO2) for MFA.

• Every cloud dashboard or repo uses MFA and, where supported, IP-restricted logins.

• Access logs are retained and reviewed monthly for anomalies.

5 Endpoint and Network Security

• The workstation runs auto-updating EDR/antivirus and a reputable firewall.

• System and application patches install within 72 hours of release (24 hours for critical CVEs).

• Guest Wi-Fi is segmented from the work network when clients visit onsite.

6 Backup, Continuity, and Incident Response

• Project data is backed up nightly to encrypted, geographically separate storage; backups are retained 30 days.

• If an incident occurs, we will (i) contain it within four hours of discovery, (ii) complete root-cause analysis within 48 hours, and (iii) notify affected clients and, where applicable, Stripe without undue delay, consistent with GDPR/CCPA breach-notification rules.

7 Third-Party Service Providers

• Besides Stripe, any third-party tool that handles client files (e.g., transcription or cloud storage) must publish SOC 2 or ISO 27001 attestations (or equivalent).

• We review each provider’s security posture annually.

8 Data Retention and Destruction

• Client deliverables are retained for 12 months unless a longer period is legally required or mutually agreed.

• At the end of the retention period—or upon verified client request—we securely erase files using NIST SP 800-88 compliant methods.

9 Client Responsibilities

• Use strong, unique passwords for any shared portals and enable MFA where possible.

• Never email raw payment details; always use the secure Stripe link we provide.

• Report any suspected security issue immediately to security@svtechconsultingservices.com.

10 Policy Updates

Material changes take effect 14 days after posting. Continued use of our services after that date signifies acceptance.

11 Contact

Security questions or concerns?
Email: security@svtechconsultingservices.com
Phone: +1 6146382145
Mailing Address: SVTech Consulting Services, LLC, [Insert Address]

By engaging SVTech Consulting Services, LLC, you confirm that you have read, understood, and agree to this Security Policy.