Security and
compliance.
How the firm holds sensitive information, the standards we measure ourselves against, and the channels available when something goes wrong.
All data encrypted at rest and in transit. Per-engagement key isolation. Sovereign on-premise deployment available for qualifying clients.
Role-based access with mandatory two-factor authentication on every privileged operation. Row-level security on every record.
Immutable audit log on every operator action. Reviewable by counsel and successors. Retention per engagement terms.
Vulnerability disclosure policy at /.well-known/security.txt. Responsible-disclosure program for security researchers.
Status updated as cycles complete. Certifications are confirmed by the issuing body, not by the firm.
Report a security issue.
If you believe you have found a security issue affecting our surfaces or systems, follow the responsible-disclosure policy. Reports are read by a named member of the firm and acknowledged within one business day.