Trust & security.

This Trust & Security page describes the public security posture for Rusty Harbor's website and typical client work. A signed scope sheet, DPA, NDA, or security addendum may add project-specific controls.

• HTTPS/TLS is expected for the public website and delivered client sites.
• Static-first builds are preferred where they reduce server and plugin attack surface.
• Dependencies are reviewed and updated during active projects and care plans.
• Secrets are kept out of source code and deployment logs where reasonably possible.
• Administrative access is limited to people who need it for the engagement.

• We use least-privilege access and separate client workspaces where practical.
• Credentials are stored in password managers or client-approved vaults, not in public repositories.
• Client production access is removed or reduced after handoff unless a care plan requires it.
• We do not use client confidential data to train AI models unless the client expressly authorizes that use.
• We ask clients not to send regulated data unless the project scope covers it.

Client projects may use hosting, DNS, analytics, form, booking, CMS, email, payment, repository, and monitoring vendors chosen for the project. We disclose material vendors in the scope, handoff notes, or on request. We prefer vendors that support HTTPS, access controls, exportability, and reasonable data processing terms.

If we discover a security incident affecting Rusty Harbor systems or client work under our active care, we investigate, contain the issue, preserve useful evidence, notify affected clients when appropriate, and support legally required breach notifications.

Please report suspected vulnerabilities to security@rustyharborseo.com. Include the affected URL, steps to reproduce, impact, and your contact information. Do not access, alter, delete, exfiltrate, or publicly disclose data that is not yours.

Rusty Harbor is a small web development and SEO studio. We do not currently claim SOC 2, ISO 27001, PCI-DSS, HIPAA, or FedRAMP certification for our own business. If a client project requires a regulated environment, that requirement must be raised before signature and scoped with qualified counsel or auditors.