A practice-level security posture, stated plainly.
We work inside regulated environments every week. This page is the honest version: what we actually do, what agreements we will sign, who handles your data, and how to reach us if something looks wrong.
- TLS: 1.3
- Device: MDM + FDE
- MFA: Required
- Disclosure: security@
What is true about how we operate.
None of this is a marketing claim. If a line below is not true on a given engagement, we will tell you before we start.
- All client work happens on managed devices with full-disk encryption (FileVault on macOS, BitLocker on Windows) and an enrolled MDM.
- Client repositories live in client-owned source control where possible. When we host, we use private repositories with branch protection and signed commits.
- Production credentials are never stored in source. Secrets live in client-provided secret managers (AWS Secrets Manager, Azure Key Vault, 1Password Business, Doppler).
- Multi-factor authentication is required on every account that can reach client systems, including email, source control, and cloud consoles.
- All traffic to and from nessimworks.com uses TLS 1.3, and HSTS is enforced.
In transit, at rest, and in backups.
In transit: TLS 1.2 or TLS 1.3 for every connection. We do not accept self-signed certificates in production paths.
At rest: AES-256 on managed devices, cloud-provider managed keys (KMS) for storage we operate, customer-managed keys when the client requires them.
In backups: backups inherit the encryption of the primary store. Backup access uses a separate credential set with its own MFA boundary.
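The transport claims above (TLS 1.3 with HSTS for nessimworks.com, TLS 1.2 or 1.3 for every other connection) are the kind a client should be able to verify independently. The script below is an added example written for this page, not tooling the practice itself publishes: it pins a handshake to a single TLS version range to see what the server will still negotiate, fetches the Strict-Transport-Security header and parses it per RFC 6797, and reports findings. The one-year max-age threshold, the choice to treat any accepted TLS 1.2 handshake as a finding for a site that states TLS 1.3, and the host name used in the usage line are assumptions of the example, not statements from the page.

```python
"""Verify a host's stated TLS posture: version negotiation and HSTS.

Added example for this page; not the practice's own tooling. The
one-year HSTS threshold and the "TLS 1.2 accepted is a finding" rule
are assumptions chosen for a host that claims TLS 1.3 only.
"""
import http.client
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31536000  # assumed minimum max-age, in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Directive names are case-insensitive; max-age is mandatory. Returns
    None when the header is absent or carries no valid max-age, which is
    exactly the case a browser would ignore.
    """
    if header is None:
        return None
    max_age: Optional[int] = None
    include_subdomains = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_is_enforced(header: Optional[str], min_age: int = ONE_YEAR) -> bool:
    """True only if HSTS is present, well-formed, and long-lived."""
    policy = parse_hsts(header)
    return policy is not None and policy.max_age >= min_age


def negotiated_version(host: str, port: int,
                       low: ssl.TLSVersion, high: ssl.TLSVersion) -> Optional[str]:
    """Handshake with the offered version range pinned to [low, high].

    Returns the negotiated protocol name, or None if the server refused
    (which is the desired outcome when probing for a retired version).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = low
    ctx.maximum_version = high
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def fetch_hsts_header(host: str, port: int = 443) -> Optional[str]:
    """HEAD / over a default (TLS 1.2+) context and return the HSTS header."""
    conn = http.client.HTTPSConnection(host, port, timeout=10,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def evaluate(tls12: Optional[str], tls13: Optional[str],
             hsts: Optional[str]) -> List[str]:
    """Pure policy check over probe results, so it can be unit-tested offline."""
    findings = []
    if tls13 != "TLSv1.3":
        findings.append("TLS 1.3 handshake did not succeed")
    if tls12 is not None:
        findings.append(f"server still accepts {tls12}")
    if not hsts_is_enforced(hsts):
        findings.append("HSTS missing, malformed, or max-age below one year")
    return findings


def check_posture(host: str, port: int = 443) -> List[str]:
    """Run the live probes and return findings (empty list means all claims hold)."""
    v12 = negotiated_version(host, port, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2)
    v13 = negotiated_version(host, port, ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3)
    return evaluate(v12, v13, fetch_hsts_header(host, port))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "nessimworks.com"  # assumed target
    for finding in check_posture(target) or ["no findings"]:
        print(f"{target}: {finding}")
```

The probes are deliberately separate from `evaluate`, which only reasons over the results: the same rule set can be pointed at a client's environment, where the page says TLS 1.2 remains acceptable, by dropping the "still accepts TLSv1.2" finding. Note that a refused TLS 1.2 handshake from one vantage point does not prove the origin is 1.3-only if a CDN or load balancer terminates TLS in front of it.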
What we will sign before work begins.
- Mutual NDA executed before any sensitive material is shared. Template available on request.
- Business Associate Agreement (BAA) signed before any engagement that touches PHI.
- Data Processing Agreement (DPA) for engagements with EU data subjects.
- Background-check confirmation for engineers assigned to government-facing work, where the contract requires it.
Who else touches the data.
The third parties below process operational data for our practice (email, code, hosting, scheduling). Client-engagement subprocessors are agreed in writing per project.
If something goes wrong.
We acknowledge confirmed incidents to affected clients within 24 hours, with a written post-incident write-up within ten business days covering scope, root cause, and remediation. On engagements where the client owns the production environment, we follow the client’s documented incident process and contribute to the post-mortem. We do not run a public bug bounty; coordinated disclosure runs through the contact below.
What we are not claiming.
- We are a small consulting firm, not a SaaS vendor. We do not currently hold a SOC 2 Type II attestation of our own.
- On client engagements we operate inside the client's compliance boundary (HIPAA, FedRAMP, PCI DSS, SOC 2). The certifications and audit history that apply belong to the client's environment, not to us.
- When a client needs evidence at the practice level (background checks, signed policies, MDM attestation) we provide it directly under NDA.
Reporting a vulnerability.
If you believe you have found a security issue affecting nessimworks.com or a service we operate, email security@nessimworks.com. We acknowledge within one business day and ask that you give us fifteen days before public disclosure. We do not pursue researchers acting in good faith.
Talk to us about your engagement.
Discovery calls are free. Scope, timelines, and pricing are quoted after we understand what you’re solving.