Trust Center

We Practice What We Preach

A security consultancy that doesn't secure itself has no business advising others. Here's how we protect your data and ours.

Our Security Commitments

The same standards we hold our clients to, applied to our own operations.

Data Protection

  • All client data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Strict data classification and handling procedures for all engagement materials
  • Client data retention policies with defined destruction timelines
  • No client data used for training, marketing, or any purpose beyond the engagement scope

Access Controls

  • Principle of least privilege enforced across all systems and engagements
  • Multi-factor authentication required for all internal systems
  • Role-based access control with regular access reviews
  • Dedicated, isolated environments per client engagement

Infrastructure Security

  • US-based cloud infrastructure with SOC 2 Type II certified providers
  • Automated vulnerability scanning and patch management
  • Network segmentation between internal operations and client environments
  • Immutable audit logs for all administrative actions

Transparency & Accountability

  • Clear scope definitions and data handling agreements before every engagement
  • Incident notification within 24 hours of confirmed breach
  • Regular internal security assessments using the same methodology we apply to clients
  • Named security contact for every active engagement

Compliance & Frameworks

We align our internal practices with the frameworks we implement for clients.

  • NIST CSF: Cybersecurity Framework alignment
  • ISO 27001: Information security management
  • SOC 2: Trust services criteria
  • OWASP: Application security standards
  • CIS Controls: Critical security controls
  • HIPAA: Healthcare data protection
  • PCI DSS: Payment card security
  • FFIEC: Financial institution examination

AI & Automation Governance

We use AI and automation in our own operations and hold ourselves to the same governance standards we design for clients.

Every automated system operates with defined guardrails, separation of duties, behavioral monitoring, and human oversight. No autonomous action without accountability.

Human-in-the-Loop

Critical decisions require human review. Automated systems escalate rather than assume authority beyond their defined scope.

Audit Trails

Every automated action is logged with context, rationale, and the ability to trace decisions back to their originating rules or models.

Graceful Degradation

Systems are designed to fail safely. When automation encounters uncertainty, it pauses and alerts rather than proceeding with best-guess behavior.

Responsible Disclosure

If you discover a security vulnerability in any Phenom Security system, we want to hear about it. We commit to:

  • Acknowledging receipt of your report within 48 hours
  • Providing an initial assessment within 5 business days
  • Keeping you informed of remediation progress
  • Not pursuing legal action against good-faith security researchers

Report vulnerabilities to security@phenomsec.com

Questions About Our Practices?

We're happy to discuss our security practices, provide additional detail for vendor assessments, or answer specific compliance questions.
