Talk to us
Security & trust

Built to survive procurement review.

A plain-English summary of how we handle data, who has access, where things run, and what we’ll sign before kickoff. Designed to answer the questions your IT and legal teams ask before you can sign an SOW.

Data handling

We collect only the data needed to deliver the rebuild: your existing site content, capability documents you send us, and the contact info on your finished site.

  • No PII collected without an explicit need
  • Data retained only for the engagement + 90-day measurement window
  • Customer data never used to train third-party models

Infrastructure

The Anvil76 stack and customer sites are deployed on SOC-2 Type II infrastructure (Vercel + AWS-backed). All traffic is HTTPS. Secrets are never committed to source control.

  • HTTPS everywhere, HSTS preload-eligible
  • Secrets in vendor-managed secret stores
  • Daily off-site backups of project assets

Access & auth

Single-tenant accounts. SSO available for enterprise engagements. Access is least-privilege and reviewed at every project transition.

  • 2FA required for every team member
  • SSO (Google/Microsoft) for enterprise customers
  • Project-scoped credentials, rotated on handoff
Subprocessors

Who’s in the picture, and what they do.

A short, honest list. We’ll keep this current and we’ll notify customers when it changes.

Vendor Purpose Data shared
Vercel Hosting & edge delivery for customer sites Site content, anonymised analytics
Cloudflare DNS & DDoS mitigation (where customer opts in) DNS records, IP-level traffic logs
Anthropic / OpenAI Copy generation tooling (opt-in per engagement) Public capability copy only; no PII
Google Workspace Internal email & document collaboration Project correspondence
Stripe Payments (when applicable) Billing contact, invoice line items
Process & paperwork

What we’ll sign and how we’ll respond.

DPA on request

Standard data processing agreement available before kickoff. We’ll also countersign your DPA if you have one.

Mutual NDA

We sign mutual NDAs at the start of discovery so your capability docs, customer list, and pricing stay private.

Incident response

If a security incident touches customer data, we notify affected customers within 72 hours with scope, impact, and remediation steps.

Need our full vendor diligence packet (SIG-Lite, security questionnaire, insurance certificates)? Email hello@anvil76.com with “Security packet” in the subject and we’ll have it back within one business day.

Run the first audit now.

Enter a URL and get a real scored report from our 14-point website inspection. We use this as the baseline before any guarantee is written into the SOW.