sitkastack

Security posture

sitkastack handles client data with the same discipline I bring to the AI systems I build for clients. This page describes my current practices, attestations, and what's available on request.

Last updated: May 2026

Compliance status

  • SOC 2 readiness assessment: complete. Available on request.
  • SOC 2 Type 1 attestation: in progress. Audit booked for Q4 2026, report expected Q1 2027.
  • SOC 2 Type 2 attestation: planned, Q2 2027.
  • Cyber liability insurance: $1M coverage. Certificate available on request.

Today's practices

Identity and access

  • Single sign-on across all client-data-handling systems (Google Workspace)
  • Multi-factor authentication enforced on every system
  • Hardware security keys (FIDO2) for sensitive access
  • Quarterly access reviews documented

Device security

  • Mobile device management on all work devices
  • Full-disk encryption (FileVault) enforced
  • Screen lock timeout of under 5 minutes of inactivity
  • Automatic OS updates within 30 days of release

Data handling

  • Per-engagement data handling agreements before any client data is exchanged
  • PII detection and redaction by default in any AI pipeline that processes client data
  • Synthetic test data used in public Framework reference implementations; no real client data ever appears in public artifacts
  • Audit logging on all production AI systems I build for clients

AI-specific practices

  • Prompt injection mitigation built into every production agent I ship
  • Confidence-gated routing with human-in-the-loop for any decision affecting client operations
  • Model cards documented for every model deployed in a client environment
  • Token usage and cost tracking on every production deployment

Vendors and subprocessors

  • Anthropic (Claude API)
  • OpenAI (where used per client requirements)
  • Google (Workspace, Gemini API)
  • Postgres hosting providers (per-engagement, varies)
  • Cloudflare (DNS, edge)

Full subprocessors list available on request, including data handling provisions and DPAs.

Incident response

  • Documented incident response procedure
  • Quarterly tabletop exercises
  • Client notification commitments per engagement contract

Frameworks I align to

sitkastack engagements ship governance artifacts mapped to twelve regulatory frameworks and standards, split between detailed mappings and engagement-supported categories.

View the full frameworks index

Privacy and data protection frameworks applied as the engagement context requires:

  • PIPEDA (Canada)
  • GDPR (where applicable)

On request, available under NDA

  • Subprocessors list with DPA references
  • Data flow diagrams for typical engagement patterns
  • Incident response procedure
  • Quarterly access review log
  • Cyber liability insurance certificate
  • SOC 2 readiness assessment document
  • Per-engagement security questionnaire response

Contact: robyn@sitkastack.com

For procurement teams: most security questionnaires I receive can be answered by combining this page with the documents listed above. Send your questionnaire and I'll typically respond within 3 business days.