WYOMING · USA
desk@sierraoakaffiliate.com
+1 (854) 226-1376
Trust & Security.

How we treat client data, our internal systems, and the vendors we plug into the desk. Written for the procurement team that reads these pages before signing anything.

Last updated: January 10, 2026
Effective: January 10, 2026
Entity: SIERRA OAK LLC
Jurisdiction: Wyoming, USA
↳ Plain-English note

We aim to write these policies the way we operate — direct, specific, no legalese theatre. If anything here is unclear, write to desk@sierraoakaffiliate.com and we will explain it in plain language and update the document.

↳ Contents
  1. Overview
  2. Security principles
  3. Where data lives
  4. Access controls
  5. Endpoint and identity
  6. Network and transport
  7. Vendor due diligence
  8. Secure development
  9. Incident response
  10. Backup and continuity
  11. Frameworks we map to
  12. Subprocessor list
  13. Responsible disclosure
  14. For procurement teams
  15. Contact

Overview

SIERRA OAK LLC is a small, senior performance-marketing agency. We do not run our own data centres. We choose third-party platforms that meet SOC 2 Type II or ISO 27001, sign a Data Processing Agreement with every one of them, and apply the principle of least privilege to internal access.

Honest scope

We are not SOC 2 audited as a company. We hold no ISO 27001 certificate. Where appropriate we offer our hosting platform's certifications (see Subprocessors) as inherited controls, alongside our own controls described below. We will state this honestly in any procurement questionnaire.

Security principles we operate by

  • Least privilege. Every operator gets the narrowest scope they need; access is reviewed quarterly.
  • Defence in depth. Strong identity, strong device posture, strong network controls — no single layer is treated as load-bearing.
  • Zero trust on vendors. A vendor's certification is the floor, not the ceiling. We still sign a DPA, still ask for a sub-processor list, still ask where data sits.
  • Privacy by default. We collect only what we need, retain only as long as we need to, and delete on request unless legal-obligation exceptions apply (see Privacy Policy §6).
  • Honest incident reporting. When something goes wrong, we tell affected parties promptly and explain what happened — the post-mortem matters more than the spin.

Where data lives

For this Site, brief submissions arrive over TLS to our hosting platform's edge, are emailed to the desk inbox, and are stored only inside our email provider. We do not maintain a separate marketing CRM for prospects on this Site.

For client engagements, data flows are documented in the engagement's Data Processing Agreement. As a rule:

  • Production media accounts (Google Ads, Meta, TikTok, etc.) remain owned by the client; we are granted role-based access only.
  • Server-side tracking endpoints are deployed on infrastructure agreed with the client (typically Google Cloud, AWS, or the client's existing platform).
  • Partner-portal data (Everflow, Impact, TUNE, Tipalti) sits on the vendor's platform under the client's tenant — we never export it to local files unless contractually required.

Access controls

  • Single sign-on (SSO) is enforced on every internal application that supports it.
  • Multi-factor authentication (MFA) is mandatory on email, identity provider, hosting platform, and every client-facing platform. Phishing-resistant MFA (WebAuthn / passkeys) is preferred.
  • Joiner / Mover / Leaver process: access is granted on the first day, modified on role change, and revoked within four business hours of departure.
  • Quarterly access review across all systems with privileged data.
  • Administrative actions are logged; logs are retained for 90 days minimum.

Endpoints and identity

  • Full-disk encryption (FileVault / BitLocker) is required on every employee endpoint.
  • Automatic OS and browser security updates are enforced.
  • A password manager (1Password or equivalent) is mandatory for any shared credential.
  • No shared root or admin accounts. Personal accounts only, named to a human.

Network and transport

  • TLS 1.2 or higher on all public endpoints; modern ciphers only; HSTS enabled on the Site.
  • Hosting platform DDoS protection at the edge.
  • No production data on personal devices outside identity-controlled tooling.
  • Access to any client production system is via the client's own identity provider or a documented break-glass procedure.

Vendor due diligence

Before we route data through any vendor we expect:

  • A current Data Processing Agreement that meets GDPR Article 28 and CPRA §1798.140(ag).
  • A sub-processor list and a mechanism for objecting to new sub-processors.
  • SOC 2 Type II, ISO 27001, or equivalent independent attestation, or — for smaller specialist vendors — a documented security overview we have reviewed.
  • 2021 EU Standard Contractual Clauses with the UK Addendum, where applicable, plus a transfer impact assessment for non-adequacy destinations.
  • A named security contact and a documented incident-notification commitment.

Secure development

  • Source code is in a private Git repository with branch protection and required review on every change.
  • Dependencies are pinned and monitored via the platform's automated advisory pipeline. We patch high-severity vulnerabilities within seven days where a patch is available.
  • Secrets never enter source control; environment-variable injection is used at build and runtime.
  • Static analysis and Next.js build-time type checking gate every deploy.
  • No production deploy without a peer review.

Incident response

Incident notification commitment

We will notify affected EU/UK individuals and the relevant supervisory authority within 72 hours of becoming aware of a confirmed personal-data breach, in line with GDPR Articles 33 and 34. For US residents we follow each applicable state breach-notification statute. For clients we follow whatever shorter timeline is in the engagement's DPA — typically 24 to 48 hours.

  • Detect — alerts from the hosting platform, vendor advisories, internal review, or external responsible disclosure.
  • Triage — incident commander (a senior operator) assigned within one business hour; scope, severity, and containment plan documented.
  • Contain — rotate credentials, revoke tokens, isolate endpoints; preserve forensic evidence.
  • Notify — affected clients, regulators, and individuals as required, by the timelines above.
  • Recover — restore services from clean state.
  • Learn — written post-mortem within ten business days; remediation items tracked to closure.

Backup, redundancy, business continuity

  • The Site itself is a static build replicated across the hosting platform's edge network; the underlying code is version-controlled and reproducible from any clean machine.
  • Email and document workspaces are backed up by the vendor with retention periods set per platform default.
  • Client production tooling is hosted by the relevant vendor (Google, Meta, Everflow, etc.) — their continuity controls apply, and we do not interpose additional backups except where the client requires us to.
  • Operator-level continuity: no single operator's absence stops a live client engagement. Runbook, credentials, and active context are recorded in shared documentation, with access governed as described in Section 4.

Frameworks we map to

We do not claim certification we do not hold. We do map our internal controls to the relevant guidance from:

  • NIST CSF 2.0 — five functions: Identify, Protect, Detect, Respond, Recover.
  • CIS Controls v8 (Implementation Group 1 and 2) — basic and foundational controls.
  • GDPR / UK GDPR — Articles 5, 25, 28, 32, 33, 34, 35.
  • CPRA — §1798.140 service-provider duties, §1798.100(e) reasonable security.
  • HIPAA — we do not hold a HIPAA BAA at company level and do not handle PHI for clients. Health-vertical engagements are scoped to exclude identifiable patient data.

Subprocessor list (Site only)

The following subprocessors are involved in operating this Site and the desk inbox. For client engagement subprocessors, see the engagement's DPA appendix.

  • Vendor: Vercel Inc. Purpose: Site hosting, edge delivery, server logs. Data: IP, user-agent, request URL. Location: US / global edge.
  • Vendor: Email provider (Google Workspace or equivalent). Purpose: Receive brief, reply, calendar. Data: Name, email, brief contents. Location: US / EU.
  • Vendor: Accounting / tax advisor. Purpose: Statutory bookkeeping. Data: Invoice metadata for converted clients. Location: US.

We will give thirty (30) days' notice (where contractually possible) before introducing a new subprocessor that processes client data. Clients with active engagements may object, in which case we will work in good faith to find an alternative.

Responsible disclosure

We welcome reports

If you have found a security issue on sierraoakaffiliate.com, please tell us. Email desk@sierraoakaffiliate.com with subject "Security report". We will acknowledge within two business days.

We commit to:

  • Acknowledge receipt within two business days.
  • Investigate every report in good faith.
  • Keep you updated on remediation.
  • Not take legal action against researchers who act in good faith, do not access data beyond what is necessary to demonstrate the issue, and follow the rules below.

Rules of engagement. Do not run automated scans that produce material traffic, do not test against any subdomain hosting client production data, do not exfiltrate or modify data, do not disclose publicly before we have remediated, and do not test issues that primarily affect third-party services we do not control.

For procurement teams

We are happy to fill in a security questionnaire (SIG, CAIQ, custom) for any active engagement of meaningful scale. Email us with the questionnaire attached. Turnaround is typically five business days.

For the engagement itself, expect to sign:

  • Master Services Agreement (MSA)
  • Data Processing Agreement (DPA) including 2021 SCCs and UK Addendum where required
  • Mutual non-disclosure agreement (NDA) on request
  • HIPAA Business Associate Agreement — declined: we do not handle PHI

Contact

Security questions, questionnaires, or coordinated disclosure: desk@sierraoakaffiliate.com (subject: "Security").

Questions about this document
desk@sierraoakaffiliate.com
Mailing address
SIERRA OAK LLC
347 WYOMING AVE
WY 82801
UNITED STATES
© 2026 SIERRA OAK LLC · WYOMING · ALL RIGHTS RESERVED