Security · Updated 2026-05-24

Security at DefendMyRep

We defend reputations for executives, regulated practices, and enterprises. The security of our systems is non-negotiable because client information moves through them every day. This page documents our controls.

1. Security posture

  • Access controls — least-privilege defaults for engagement work
  • Healthcare-aware workflows — sensitive healthcare matters are scoped with confidentiality and data-minimization controls
  • Privacy requests — access, correction, and deletion requests route through the published privacy contact
  • Control mapping — internal policies are reviewed against common security and privacy frameworks as the service matures

2. Encryption

  • TLS 1.3 in transit (HSTS preload, perfect forward secrecy)
  • AES-256-GCM at rest for all engagement data
  • Encrypted backups with separate key custody

3. Authentication & access

  • Mandatory MFA (WebAuthn / TOTP) for all personnel
  • SSO (SAML 2.0 / OIDC) for client portals (enterprise tier)
  • Role-based access control with least-privilege defaults
  • Quarterly access reviews
  • Just-in-time elevation for privileged ops

4. Network & infrastructure

  • Cloudflare WAF + Bot Management at the edge
  • Strict Content-Security-Policy with `frame-ancestors 'none'`
  • Cross-Origin-Opener-Policy, Permissions-Policy hardening
  • Continuous secrets scanning across code and infrastructure
  • Centralized logging with tamper-evident retention
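The header-level controls named in sections 2 and 4 (HSTS preload, `frame-ancestors 'none'`, Cross-Origin-Opener-Policy, Permissions-Policy) can be checked against a set of response headers. The following is an added example, not DefendMyRep's own code; the sample header values, the function names and the rule for which COOP values count as hardened are assumptions.

```python
import re

# Constructed sample headers for illustration; not captured from any real site.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
MIN_PRELOAD_MAX_AGE = 31536000  # one year: minimum accepted for HSTS preload


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # CSP ignores repeated directives, so the first occurrence wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
    age = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not age or int(age.group(1)) < MIN_PRELOAD_MAX_AGE:
        findings.append("HSTS max-age missing or below one year")
    for needed in ("includesubdomains", "preload"):
        if needed not in directives:
            findings.append(f"HSTS lacks {needed}")

    # frame-ancestors does not fall back to default-src; it must be explicit.
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("CSP frame-ancestors is not exactly 'none'")

    # Assumption: any value other than the default 'unsafe-none' counts as set.
    coop = h.get("cross-origin-opener-policy", "").strip().lower()
    if coop in ("", "unsafe-none"):
        findings.append("Cross-Origin-Opener-Policy absent or unsafe-none")
    if not h.get("permissions-policy", "").strip():
        findings.append("Permissions-Policy not set")
    return findings
```
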

5. Application security

  • SAST + DAST in CI/CD
  • Dependency scanning with severity-based block gates
  • Security review before major production changes
  • Responsible disclosure program (see below)

6. People security

  • Background check before role assignment
  • Annual security awareness training
  • Phishing simulations quarterly
  • Confidentiality agreements with surviving obligations

7. Incident response

  • Documented IR plan tested twice annually
  • 60-minute internal notification window
  • Client notification within contractual SLA (typically 24 hours for confirmed material incidents)
  • Post-incident review with root-cause analysis shared in writing

8. Sub-processors

Current sub-processors with access to client data:

  • Cloudflare, Inc. — edge, hosting, WAF (US/EU)
  • Google Workspace — email, calendar (US)
  • Cal.com, Inc. — strategy-call scheduling (US/EU)
  • Resend, Inc. — transactional email (US)

Updates to this list are posted with 30 days' notice to active clients.

9. Responsible disclosure

We welcome reports from independent security researchers. Submit findings to security@defendmyrep.com with a clear PoC. We commit to:

  • Acknowledgment within 48 hours
  • Initial assessment within 5 business days
  • Remediation timeline communicated in good faith
  • No legal action against good-faith researchers operating within scope

Scope: *.defendmyrep.com and the public CF Pages deployment. Out of scope: third-party services, social-engineering attacks against personnel, denial-of-service tests.

10. Contact

Security inquiries: security@defendmyrep.com
PGP key: /.well-known/security.txt

DefendMyRep

Executive-grade reputation defense.

Ganbaru Kodo Limited
No. 5, 17/F STRAND 50
50 BONHAM STRAND, SHEUNG WAN
HONG KONG

© 2026 DefendMyRep. All rights reserved. DefendMyRep, Sentinel Protocol, Citadel Protocol, Atlas Protocol, Vault Protocol, Rapid Response Protocol, and Aperture Protocol are trademarks or service marks of DefendMyRep. DefendMyRep is a trading name of DefendMyRep.
