Data Handling
- Encryption at Rest — All client data, reports, and evidence are stored on encrypted volumes (AES-256). No client data is stored on portable media.
- Encryption in Transit — All file transfers use TLS 1.2+ or encrypted file sharing. We never send findings or evidence via unencrypted email.
- Access Control — Client data is accessible only to the engagement lead assigned to your project. No shared drives, no third-party access without written authorization.
- Retention — Engagement data is retained for 12 months after project completion, then securely deleted. You can request early deletion at any time.
- Subcontractors — RMA does not subcontract client work unless explicitly agreed in writing. All testing and reporting are performed by the engagement lead.
Testing Safety
- Written Authorization — No testing begins without a signed Statement of Work and Rules of Engagement document specifying exact scope boundaries.
- Scope Controls — Testing is strictly limited to authorized assets. Out-of-scope systems are documented and excluded.
- Emergency Stop — Every engagement includes an emergency contact procedure. Testing can be halted immediately at your request.
- No Destructive Testing — We do not perform denial-of-service testing or use destructive exploits unless explicitly authorized in writing with safeguards.
- Testing Windows — We coordinate testing schedules with your team to avoid disruption to business operations.
Tooling
We use industry-standard, commercially available tools. High-level tooling is disclosed in our methodology section. We do not install persistent agents or software on your systems without written approval. Any temporary tools deployed during testing are removed and documented.
Reporting & Evidence
- Report Delivery — Final reports are delivered via encrypted file share with access controls. We do not email reports as unencrypted attachments.
- Evidence Handling — Screenshots and log excerpts are redacted to show only what's necessary to demonstrate the finding. Raw exploit output is sanitized.
- Your Data — You own all deliverables. Reports, scripts, and remediation materials are yours to keep, share internally, or provide to auditors.
Mutual NDA
We execute a mutual NDA before any technical discussion or scope review. This protects both parties and sets clear expectations about information handling before any sensitive details are shared.
Questions
If you have specific vendor security requirements or need to submit a security questionnaire, contact us at contact@rmasecurity.com. We're happy to complete vendor intake forms and provide documentation.