Security & Data Handling
What data we touch, where it lives, how long we keep it, and our honest compliance status.
Data we touch during an engagement
During a typical engagement we may receive or generate the following:
- Business process documentation you share with us (PDFs, slides, spreadsheets, SOPs)
- Access credentials for the specific tools we are helping you assess or automate, scoped to the minimum required and revoked at engagement close
- Sample datasets you provide for workflow testing; we request anonymized or synthetic data wherever possible
- Notes, interview summaries, and deliverable drafts created during the engagement
We do not request access to customer PII databases, payment processing systems, or production environments unless the engagement specifically requires it, and only with your written authorization.
Where it lives
| Data type | Where it lives |
|---|---|
| Files you share | Transferred via encrypted channels (email TLS or shared folder you designate); working copies on consultant workstations encrypted at rest |
| Deliverables | Delivered to you and deleted from working storage within 30 days of engagement close |
| Lead form submissions | Sent via Resend (email API) to our inquiry inbox; no third-party CRM or marketing platform |
| Website analytics | Plausible Analytics: cookieless, no PII collected, data hosted in the EU by Plausible |
How long we keep it
- Engagement working files: Deleted within 30 days of engagement close unless the engagement agreement specifies otherwise.
- Lead inquiry records (name, email, message): Retained for 24 months. You may request deletion at any time at inquiry@xynergione.com.
- Invoices and financial records: Retained for 7 years as required by U.S. tax law.
- Website analytics: Plausible retains aggregate (non-PII) stats; no personal data is stored.
AI tools we use internally
We use AI tools in our work and are transparent about this because you deserve to know what your data touches.
Client data stays out of these tools. We do not paste client documents, credentials, or identifiable business records into any AI tool. We use them for general drafting, research, and code — never as a destination for your data.
| Tool | Purpose | Data shared |
|---|---|---|
| Claude (Anthropic) | Drafting, research synthesis, code review | No client documents or identifiable data |
| Codex (OpenAI) | Code generation and review | No client documents or identifiable data |
Sub-contractors
Currently: none. All engagement work is performed directly by XynergiOne. If a sub-contractor is engaged in the future, clients will be notified prior to any data being shared.
Incident response
If we discover a security incident affecting your data:
1. We will notify you by email within 72 hours of discovering the incident.
2. We will describe what data was involved, the likely cause, and the steps we are taking to contain it.
3. We will provide a written incident summary within 7 days.
To report a concern: inquiry@xynergione.com
Compliance status
We are a small, focused security engineering team. Here is an honest accounting of where we stand:
What we have
- ✓ This public security policy, reviewed quarterly
- ✓ Encrypted-at-rest workstations
- ✓ MFA on all tooling with access to client data
- ✓ Principle of least privilege for credential access
What we don't hold yet
- SOC 2 (Type I or II): No auditor-signed report
- ISO 27001 certification: Not pursued yet
- Formal WISP: This policy is the informal equivalent for now
We plan to begin a SOC 2 gap assessment once we have a stable client base that requires it. If compliance certification is a hard requirement for your vendor onboarding, please let us know — we can discuss compensating controls or timeline.
Last updated: 2026-04-27. This policy is reviewed quarterly. See also our Terms of Service and Privacy Policy.