SAVAGE PIXELTRUST & SECURITY

Trust & Security

LAST UPDATED
January 21, 2026
EFFECTIVE
January 21, 2026
REPORTING
info@savagepixelseo.com
BREACH NOTIFICATION
Within 72 hours
01 — OUR PHILOSOPHY

Our security philosophy.

Security is a property of an entire system, not a feature you bolt on at the end. Three principles guide everything we do:

  1. Minimum data, minimum retention. The most secure data is data we never collected and data we have already deleted. We collect the smallest amount of information needed for the job and we delete it when the job is done.
  2. Defense in depth. No single control is perfect. We layer encryption, access control, network controls, and operational practices so a failure in one does not compromise the whole.
  3. Vendor minimalism. Every additional vendor is a new attack surface. We use as few third-party services as we can, and we vet each one.
02 — COMPLIANCE POSTURE

Compliance posture.

Honest summary of where we stand against common compliance frameworks:

GDPR / UK GDPR
Compliant as a controller and as a processor. We sign DPAs and SCCs on request. See our Privacy Policy.
CCPA / CPRA
Compliant as a business and as a service provider. We do not sell or share personal information.
SOC 2
Not certified. Many SOC 2 control objectives are met by our practices, but we do not undertake the annual audit overhead.
ISO 27001
Not certified.
HIPAA (US healthcare)
We will sign a Business Associate Agreement for healthcare clients who require one, with appropriate scope limits. Discuss with us before any PHI is shared.
PCI-DSS
Out of scope. We do not store or transmit cardholder data. All payment processing is handled by Stripe.
03 — DATA HANDLING

How we handle your data.

The data we hold falls into three tiers, each with different handling requirements:

  • Public data: marketing content, published case studies, our own product information. No special handling.
  • Internal data: prospect inquiries, meeting notes, prospect emails, internal project plans. Stored in access-controlled systems, encrypted in transit.
  • Client data: credentials, source code, customer lists, analytics access, anything else shared during an engagement. Treated as confidential under our Terms of Service. Encrypted in transit and at rest. Access restricted to the named team members working on that engagement.

We do not store payment card data. We never ask clients for full credit card numbers. Payments are handled exclusively through Stripe's PCI-DSS Level 1 environment.

04 — ENCRYPTION

Encryption.

In transit.

All connections to savagepixelseo.com and to our internal tools use TLS 1.2 or higher with modern cipher suites. HSTS is enabled with a one-year max-age and includeSubDomains. We redirect all HTTP traffic to HTTPS at the edge.

At rest.

Client data stored with our sub-processors is encrypted at rest using AES-256 or stronger. This includes data stored in Vercel, Linear, Notion, Stripe, and Fastmail. Laptops used by our team have full-disk encryption enabled (FileVault / BitLocker).

Secrets & credentials.

Client credentials, API keys, deployment tokens, and similar secrets are stored in a vetted password manager with end-to-end encryption. We never email, paste, or commit secrets to source control. On engagement termination, credentials we created on your behalf are handed back and our copies are deleted.

05 — ACCESS CONTROLS

Access controls.

  • Two-factor authentication required. Every account on every system that touches client or visitor data has 2FA enabled. We prefer hardware keys (FIDO2) where supported and authenticator apps otherwise. SMS-based 2FA is not used for any production system.
  • Least privilege. Team members only receive access to the systems and the client engagements they actively work on. We use per-engagement access groups rather than blanket admin roles.
  • Single sign-on where available. Our internal tooling sits behind a single identity provider to centralize provisioning and deprovisioning.
  • Quarterly access review. Once a quarter we review every account that has access to client data and remove anything unused.
  • Immediate revocation. When a team member leaves or rotates off an engagement, their access is revoked the same day.
06 — SUB-PROCESSORS

Sub-processors.

A sub-processor is a third-party service that processes personal data on our behalf. This is the complete current list. Each one is bound by a written contract requiring confidentiality and GDPR-compliant data handling.

VERCEL INC. — USA
Hosting for savagepixelseo.com and client preview environments. Receives server logs and any data submitted through the website.
PLAUSIBLE INSIGHTS — EU
Cookieless website analytics for our marketing site. Receives aggregated page-view data only.
FASTMAIL PTY LTD — Australia/EU
Inbound and outbound email for our team mailboxes.
STRIPE INC. — USA
Payment processing. Receives billing information when you pay an invoice. Stripe is PCI-DSS Level 1 certified.
LINEAR ORBIT INC. — USA
Project management and team coordination. Receives client project data only during the engagement.
NOTION LABS INC. — USA
Internal documentation and proposals. Receives proposal drafts and project notes.
1PASSWORD — Canada
Secrets management. Stores client credentials and API keys with end-to-end encryption. 1Password does not have access to the contents of vaults.
GITHUB INC. (Microsoft) — USA
Source code hosting and version control. Client repositories are private and access-controlled.

We notify active clients at least 30 days before adding a new sub-processor that will handle their data, so you have time to object. If you have a reasonable objection, we will either find an alternative or you may terminate the engagement on notice.

07 — INCIDENT RESPONSE

Incident response & breach notification.

A security incident is any event that compromises, or reasonably could have compromised, the confidentiality, integrity, or availability of personal data or client data. Our incident response process is:

  1. Detect & contain. Whoever first observes the issue triggers our internal response. The affected systems are isolated to prevent further damage.
  2. Assess. We determine what data was involved, who was affected, how the incident occurred, and whether it is ongoing.
  3. Notify. Where personal data was involved and notification is legally required, we notify (a) the affected data subjects and clients without undue delay, and (b) the relevant supervisory authorities within 72 hours of becoming aware, per GDPR Article 33 and applicable US state breach-notification laws.
  4. Remediate. Fix the root cause, restore affected systems, and document the incident.
  5. Post-mortem. A blameless review of what happened, what worked, what did not, and what we will change. The summary is shared with affected clients.

If you become aware of a security incident affecting our systems or your data with us, email info@savagepixelseo.com with the subject "SECURITY INCIDENT" and we will respond within 4 business hours.

08 — VULNERABILITY DISCLOSURE

Responsible vulnerability disclosure.

If you discover a security vulnerability in savagepixelseo.com or in any of our publicly accessible systems, please report it to us privately first. We commit to:

  • Acknowledge your report within 2 business days.
  • Investigate and respond with a remediation plan within 10 business days.
  • Not pursue legal action against good-faith researchers who comply with this policy, do not exfiltrate data, do not disrupt service, and do not access data beyond what is necessary to demonstrate the vulnerability.
  • Credit you publicly in our security disclosures (if you want it).

We do not currently run a paid bug bounty program. Reports are received via email at info@savagepixelseo.com with the subject "SECURITY DISCLOSURE". Please include steps to reproduce, your assessment of impact, and any supporting material.

Out of scope: social engineering of our team members, denial-of-service testing, physical attacks against our office, third-party services we use (please report those to the vendor directly), and findings limited to outdated software versions without a demonstrated exploit.

09 — BACKUPS & CONTINUITY

Backups & business continuity.

Client websites we host run on Vercel's globally distributed edge network, which provides automatic failover, regional redundancy, and 99.99% uptime SLA on the hosting layer. Production deployments are immutable; rolling back to a previous build is a single command.

Source code lives in GitHub repositories with full version history. Database snapshots for client-managed CMS instances are taken daily and retained for 30 days, encrypted at rest.

We maintain a documented continuity plan covering loss of key personnel, loss of a primary sub-processor, and extended outage of our office. The plan is reviewed annually.

10 — SECURE DEVELOPMENT

Secure development practices.

  • Code review. Every change to a client codebase is reviewed by a second team member before merge to the main branch.
  • Automated dependency scanning. GitHub Dependabot watches every repository for known vulnerabilities in third-party packages. Critical and high-severity advisories are patched within 7 days.
  • Secrets scanning. Automated scans for committed secrets on every push. Anything detected is rotated immediately.
  • Content Security Policy. Production client sites ship with a strict CSP and other modern security headers (HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy).
  • Accessibility & privacy by design. We treat both as functional requirements, not afterthoughts.
11 — REPORT A CONCERN

Report a concern.

To report a security or trust concern:

EMAIL
info@savagepixelseo.com
SUBJECT LINE
"SECURITY INCIDENT" or "SECURITY DISCLOSURE"
ACKNOWLEDGEMENT
Within 2 business days.
PHONE
+1 (912) 915-2590

For privacy-specific concerns, see our Privacy Policy. For the terms governing our services, see our Terms of Service.