Trust & Security
How EMERALD STATIC LLC secures the data we hold, the subprocessors we use, our incident-response posture, and how to request a Data Processing Agreement.
Plain-English summary
EMERALD STATIC LLC is a small studio, not a Fortune-500 enterprise. We are honest about the size of our security programme: it is appropriate for the type of work we do and the type of data we hold, but we are not a SOC-2-audited cloud platform and we do not pretend to be.
We hold three categories of data: (a) marketing-form submissions from this website; (b) client-engagement records (contracts, invoices, project files); (c) credentials clients grant us so we can do the work on their accounts. We treat all three as confidential and apply the controls below.
Enterprise prospects who need a more formal posture — security questionnaires, a DPA, a subprocessor register, or a private security review — can request one by emailing legal@emeraldstatic.com. We will respond within 5 business days.
Security governance
The studio principal is accountable for security. Day-to-day security operations are handled by the lead engineer (CH-A1) with input from the operations lead (OPS-1).
We review our security posture formally at least once a year and informally whenever something changes — a new subprocessor onboarded, a new role added, a new high-risk feature shipped.
We are not currently SOC 2 Type II certified. We follow the principles of the AICPA Trust Services Criteria (Security, Availability, Confidentiality) but have not commissioned a third-party audit. ISO 27001 certification is also not in scope at our current size.
Technical controls
We apply standard, well-documented controls proportional to the sensitivity of the data we hold.
- Encryption in transit: TLS 1.2 or higher on every public-facing endpoint we run, with HSTS enabled. Internal service-to-service traffic uses encrypted transports.
- Encryption at rest: AES-256 (or stronger) on managed databases and object stores. Full-disk encryption (FileVault / BitLocker) on every team laptop.
- Authentication: Hardware security keys (FIDO2 / WebAuthn) or TOTP multi-factor authentication on every account that supports it, including email, code hosting, CRM, accounting, cloud provider, and password manager. We do not use SMS as a second factor.
- Access control: Role-based access. Least-privilege defaults. Production credentials live in a single shared password vault with granular sharing; only the engineers who need them have access.
- Endpoint security: Hardened, up-to-date laptops with automatic security patching, EDR, and remote-wipe capability.
- Network: All traffic on this site is fronted by Cloudflare for DDoS mitigation, bot management, and edge caching. The origin is not publicly addressable.
- Application security: All dependencies are scanned for known vulnerabilities (npm audit / Dependabot) on every build. Pull requests fail CI if a high-severity vulnerability is introduced.
- Backups: Daily encrypted backups of all critical systems. Quarterly restore drills. 90-day retention with rotation.
- Logging and monitoring: Centralised application and access logs. Uptime monitoring on every production endpoint. Alerts route to an on-call channel.
- Vulnerability management: Critical patches applied within 7 days of disclosure. High-severity within 30 days. Medium and low on a quarterly cadence.
Subprocessors
We use a small number of well-known service providers ("subprocessors") to deliver our services. Each subprocessor is reviewed at onboarding for its own security posture, certifications, and contractual data-protection commitments. We re-review the list at least annually.
Current subprocessors that handle personal data on our behalf:
- Google Workspace (Google LLC): Email, calendar, document storage. United States. ISO 27001/27017/27018, SOC 2 Type II, SOC 3.
- HubSpot (HubSpot, Inc.): CRM, contact records, sales pipeline. United States. SOC 2 Type II, ISO 27001.
- Xero (Xero Limited): Invoicing and bookkeeping. United States / New Zealand. ISO 27001, SOC 2 Type II.
- Notion (Notion Labs, Inc.): Internal project documentation. United States. SOC 2 Type II.
- GitHub (GitHub, Inc., a Microsoft company): Source code, design assets, deployment configuration. United States. SOC 1 Type II, SOC 2 Type II, ISO 27001.
- Figma (Figma, Inc., now Adobe): Design files and collaboration. United States. SOC 2 Type II.
- Plausible Analytics (Plausible Insights OÜ): Cookieless site analytics. European Union (Germany). GDPR-by-design, ISO 27001 in progress.
- Postmark (ActiveCampaign): Transactional email delivery. United States. SOC 2 Type II.
- Fathom Video (Fathom Video, Inc.): Recorded video calls and AI summaries, with consent of both parties. United States. SOC 2 Type II.
- Cloudflare (Cloudflare, Inc.): DNS, CDN, DDoS mitigation, edge hosting. Global. ISO 27001, ISO 27018, SOC 2 Type II, PCI-DSS Level 1.
- 1Password (AgileBits Inc.): Encrypted credential storage. Canada. SOC 2 Type II.
If we add, remove, or replace a subprocessor that processes personal data on behalf of an active client, we update this list within 14 days and notify clients on a Data Processing Agreement at least 30 days before the change takes effect, where required by the DPA.
Data Processing Agreement (DPA)
Where we process personal data on a client’s behalf (acting as processor under GDPR, or service provider under CCPA), we will execute our standard Data Processing Agreement on request. Our DPA includes:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Modules 2 and 3 as applicable.
- The UK Addendum (International Data Transfer Agreement, ICO version A1.0) for transfers governed by UK law.
- A subprocessor flow-down clause with the right to object on reasonable grounds.
- A 72-hour personal-data breach notification commitment.
- Audit rights, satisfied by an annual self-assessment summary or, where required, a written response to a security questionnaire.
- Confidentiality and security obligations consistent with GDPR Articles 28 and 32.
Email legal@emeraldstatic.com with "DPA request" in the subject. We typically return a signed DPA within 3 business days.
Incident response
We follow a documented incident-response runbook. The high-level steps are:
- Detect — alerts from monitoring, reports from subprocessors, or notification from a third party.
- Triage — within 4 hours, classify severity and convene a response team led by the studio principal.
- Contain — isolate affected systems, rotate credentials, revoke access tokens.
- Notify — for personal-data breaches, notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay where there is a high risk to their rights. For client incidents, notify affected clients within 24 hours of confirmation.
- Eradicate and recover — remove the cause, restore from clean backups if necessary, and confirm normal operations.
- Review — within 14 days of resolution, write a post-incident report including root cause, impact, remediation, and prevention measures. Share with affected clients.
We have not had a reportable personal-data breach since the studio was founded. If we do, we will tell the people affected.
Handling client credentials
When you grant us access to your hosting account, CMS, Google Search Console, analytics, or any other third-party tool, we follow these rules:
- Prefer delegated access (e.g. Google account invitation, GitHub team membership) over shared usernames and passwords.
- Where shared credentials are unavoidable, they are stored only in 1Password, encrypted at rest, with access limited to engineers on the project.
- We never email or chat passwords in plain text and we never store them in our CRM, project notes, or code repositories.
- When an engagement ends, your credentials are exported, returned to you in a format you can store, and removed from our systems within 14 days.
- If you suspect a credential we hold has been compromised on our side, email legal@emeraldstatic.com immediately and we will rotate it within 4 hours.
Security of sites we build
Every site we ship for a client includes the following security baseline at no additional cost:
- HTTPS-only with TLS 1.2+ and HSTS preload eligibility.
- A modern Content Security Policy (CSP), Referrer-Policy, Permissions-Policy, and X-Content-Type-Options header set.
- Subresource Integrity (SRI) hashes for any third-party scripts we elect to include.
- Automated dependency scanning with weekly Dependabot pull requests through our care plan.
- Cloudflare WAF (or equivalent) protecting the origin.
- Documented backup and restore procedure for the CMS and any forms data.
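As an added example (not the studio's own tooling), the following Python checks a response-header set against the baseline listed above, including the HSTS directives the preload list requires, and computes the Subresource Integrity value for a script body. The sample headers are constructed, not captured from a real site.

```python
import base64
import hashlib

ONE_YEAR = 31536000  # smallest HSTS max-age the preload list accepts

# Constructed sample headers for a compliant response (not captured from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Content-Type-Options": "nosniff",
}

def _hsts_directives(value):
    """Parse 'max-age=N; includeSubDomains; preload' into a lower-cased dict."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out

def check_baseline(headers):
    """Return a list of findings; an empty list means the header baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = _hsts_directives(h.get("strict-transport-security", ""))
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < ONE_YEAR:
        findings.append(f"Strict-Transport-Security: max-age must be >= {ONE_YEAR} for preload")
    for d in ("includesubdomains", "preload"):
        if d not in hsts:
            findings.append(f"Strict-Transport-Security: missing '{d}' directive")
    if "default-src" not in h.get("content-security-policy", ""):
        findings.append("Content-Security-Policy: missing or has no default-src fallback")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name.title()}: header missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: must be 'nosniff'")
    return findings

def sri_hash(script_bytes, algo="sha384"):
    """Return the SRI integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"
```

Paste the `sri_hash` result into the script tag's `integrity` attribute; the browser then refuses to execute the file if the served bytes differ.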
Care-plan clients also receive: monthly security-patch deployment, quarterly access reviews, on-call same-day response for security incidents, and an annual third-party scan against the OWASP Top 10.
Responsible disclosure
If you are a security researcher and you believe you have found a vulnerability in this website or in any infrastructure we operate, please report it to legal@emeraldstatic.com (or to security@emeraldstatic.com, which routes to the same inbox).
Our commitments to good-faith researchers:
- We will acknowledge receipt within 2 business days.
- We will provide a triage assessment within 7 days.
- We will not pursue legal action against researchers who follow this policy in good faith — meaning they avoid privacy violations, service disruption, and data destruction, and give us a reasonable time to fix before disclosing.
- We will credit you (with your consent) in any public write-up of the issue.
We do not currently offer monetary bug bounties. We are happy to send a hand-written thank-you and a small token of appreciation.
Compliance posture
We design and operate to the following regulatory frameworks. Where a framework requires certification we do not yet hold, we say so honestly.
- GDPR (EU) and UK-GDPR: Compliant on our own processing. DPA available on request for client-processor relationships. See /privacy.
- CCPA / CPRA (California): Compliant. We do not sell or share personal information. See /privacy.
- Other US state privacy laws (CO, CT, VA, UT, TX, OR, MT, IA): Aligned. Same baseline rights honoured across all jurisdictions.
- ADA Title III / WCAG 2.2 AA: We target this standard for our site and for every site we ship. See /accessibility.
- CAN-SPAM: We do not send unsolicited bulk email. All commercial email includes a one-click unsubscribe and the registered postal address.
- COPPA: Not applicable. We do not market to or knowingly collect data from anyone under 13 (16 in the EU).
- PCI-DSS: Not applicable to this website (we do not accept payment here). Stripe handles client payments under PCI-DSS Level 1.
- SOC 2: We follow the Trust Services Criteria; we are not currently audited. A self-assessment ACR is available to enterprise prospects under NDA.
- HIPAA: Not applicable. We do not handle protected health information. If you would like a Business Associate Agreement for a future engagement, please raise it during SOW discussions.
Security questionnaires
Enterprise security teams who need to complete a vendor security questionnaire (SIG, CAIQ, Whistic, custom) can email legal@emeraldstatic.com with the questionnaire attached. We aim to return completed responses within 5 business days.
We also publish a short security overview suitable for upload to vendor portals on request. Ask us for the latest version.
Changes to this page
We update this page whenever a control, subprocessor, certification, or commitment changes. The version number and last-updated date at the top track each change. Subscribers to the studio newsletter, and active clients, are notified ahead of substantive changes.
259 E Works St
Sheridan, WY 82801
hello@emeraldstatic.com · legal@emeraldstatic.com