Trust
Security Assurance Posture
Review the decision, evidence, boundaries, and next step for this route.
ForPeople conducting policy, privacy, security, or access review
FocusControls, ownership, evidence, and review paths
CONTROL RECORD
A policy names its scope, evidence state, limit, and correction path.
- 01Scope
- 02Owner
- 03Evidence state
- 04Review / correct
operating · no external assurance claim
Review security and data handling
Send a security question
Table — scroll horizontally to review every column.
| Area | Current state | Boundary |
|---|---|---|
| Public privacy, cookie, accessibility, and trust documentation | Documented for review | Policy text is not technical enforcement by itself |
| Local portal, authorization, audit, and data-boundary controls | Implemented and tested locally where recorded | Not a production deployment, client audit, or external attestation |
| Production hosting, identity, messaging, storage, monitoring, backups, and incident providers | Not approved | No production architecture or subprocessor claim |
| External penetration test and vulnerability assessment | Not performed | No result or remediation history claimed |
| SOC 2 / ISO certification or other assurance | Not held | No badge or equivalence claim |
| Client security and privacy review | Not performed | Must be scope-specific |
Report a suspected vulnerability or security issue to hello@itmodality.com with the affected public surface, safe reproduction detail, potential impact, and a way to respond. Do not access data that is not yours, disrupt service, test third parties, use social engineering, retain personal information, or publish exploitable detail before coordinated review.
Receipt, remediation, and disclosure timing follow the severity, evidence, and responsible operating owner. The report is triaged according to the issue and responsible operating capacity; urgent containment takes priority over public ceremony.
Security detail is public only when it helps diligence without exposing secrets, identities, configuration, or attack paths. Scope-specific evidence may be reviewed privately after identity, purpose, authority, sensitivity, and availability are confirmed. “Available under NDA” is used only for an artifact that actually exists.
Review production-access standards
Review subprocessors
Start procurement diligence