Skip to main content

Trust

Security Assurance Posture

Review the decision, evidence, boundaries, and next step for this route.

ForPeople conducting policy, privacy, security, or access review

FocusControls, ownership, evidence, and review paths

CONTROL RECORD

A policy names its scope, evidence state, limit, and correction path.

  1. 01Scope
  2. 02Owner
  3. 03Evidence state
  4. 04Review / correct
A published policy does not become technical enforcement or external assurance by itself.

operating · no external assurance claim

Review security and data handling
Send a security question

Table — scroll horizontally to review every column.

AreaCurrent stateBoundary
Public privacy, cookie, accessibility, and trust documentationDocumented for reviewPolicy text is not technical enforcement by itself
Local portal, authorization, audit, and data-boundary controlsImplemented and tested locally where recordedNot a production deployment, client audit, or external attestation
Production hosting, identity, messaging, storage, monitoring, backups, and incident providersNot approvedNo production architecture or subprocessor claim
External penetration test and vulnerability assessmentNot performedNo result or remediation history claimed
SOC 2 / ISO certification or other assuranceNot heldNo badge or equivalence claim
Client security and privacy reviewNot performedMust be scope-specific

Report a suspected vulnerability or security issue to hello@itmodality.com with the affected public surface, safe reproduction detail, potential impact, and a way to respond. Do not access data that is not yours, disrupt service, test third parties, use social engineering, retain personal information, or publish exploitable detail before coordinated review.

Receipt, remediation, and disclosure timing follow the severity, evidence, and responsible operating owner. The report is triaged according to the issue and responsible operating capacity; urgent containment takes priority over public ceremony.

Security detail is public only when it helps diligence without exposing secrets, identities, configuration, or attack paths. Scope-specific evidence may be reviewed privately after identity, purpose, authority, sensitivity, and availability are confirmed. “Available under NDA” is used only for an artifact that actually exists.

Review production-access standards
Review subprocessors
Start procurement diligence