/* VALDEX — Trust & security */ const UPDATED_TR = "May 18, 2026"; function TrustPage() { return (

This page describes how VALDEX LLC protects the data clients entrust to us during an engagement — the credentials, analytics access, customer lists, and content we touch when doing the work. It is written for buyers doing vendor due diligence and for our own engineers, so it has the specific details on both sides.

We are a small firm. We are not SOC 2 certified at the time of this writing. We don't pretend otherwise. The trade we offer is small-team rigor and transparency rather than auditor-stamped paperwork. The section on{" "} roadmap describes where we are heading.

} sections={[ { id: "summary", h: "1. At a glance", body: (

Control area	Current state
Transport encryption	HTTPS/TLS 1.2+ everywhere; HSTS enabled on valdexai.com
Data at rest	Provider-level AES-256 (Google Workspace, Stripe, 1Password); no self-hosted database holds personal data
Identity & access	SSO via Google Workspace; mandatory hardware-key (YubiKey) second factor for every employee; quarterly access reviews
Credentials	1Password Business; no shared logins; client credentials siloed per engagement
Endpoint security	Full-disk encryption, automatic OS updates, screen lock, malware protection on every workstation
Vendor / subprocessor management	Written subprocessor list at /subprocessors; new vendors reviewed against this policy before onboarding
Logging & monitoring	Server logs 30 days; access to client workspaces audited via Google Workspace admin logs (retained per Google policy)
Incident response	Documented runbook (Section 5); 72-hour regulator notification commitment; client notification without undue delay
Backups	Provider-native (Google Workspace, Stripe). Engagement workspaces are reproducible from source; we do not keep separate backup copies of client data outside the workspace
Business continuity	Three named principals; documented operating runbook; no single-point-of-failure dependencies for active engagements
Certifications	None at this time. SOC 2 Type I scheduled for Q1 2027 (see roadmap)

)}, { id: "encryption", h: "2. Encryption", body: (

In transit

All traffic to valdexai.com is HTTPS. We enforce TLS 1.2 minimum (most connections negotiate TLS 1.3), modern cipher suites, and HSTS with a one-year max-age. The site scores A+ on Qualys SSL Labs at the time of this revision.

Communication with client systems (analytics platforms, ad accounts, CMS instances) is HTTPS by default; we do not transit unencrypted connections. Email between Valdex and clients is encrypted in transit when both sides support TLS (the standard for Google Workspace ↔ Google Workspace, Office 365, and most modern providers).

At rest

Client data lives in Google Workspace (Drive, Gmail, Calendar) and the specific platforms a client has authorized us to access. Each of these providers encrypts data at rest with AES-256 or equivalent. We do not run our own database that holds personal data.

Credentials are stored in 1Password Business with end-to-end encryption. The secret key never leaves the user's device unencrypted.

Key management

We rely on our providers' managed key infrastructure. Where customer-managed encryption keys (CMEK) are available and a client requires them, we will configure them — at the client's cost.

)}, { id: "access", h: "3. Identity, access, and personnel", body: (

Identity

Every employee account is provisioned through Google Workspace and protected by a hardware security key (YubiKey 5) as the second factor. We do not use SMS as a 2FA factor. We disallow personal device sign-in unless that device is enrolled in our endpoint management profile.

Least privilege

Access to a client workspace, ad account, or analytics property is granted only to the engagement principals working on that client and is removed on termination or role change. We do not maintain "global admin" access to any client system we don't actively use that week.

Personnel

At the time of this revision we are three principals plus a small number of contractors engaged for specific deliverables. All personnel sign a confidentiality and IP-assignment agreement before access is granted. Contractors are bound by an NDA at least as strict as the one in our{" "} terms of engagement, §8 (confidentiality). Background checks are not yet a documented process; we will adopt one before we exceed ten people.

Termination

On a personnel departure, all access (Workspace, 1Password vaults, client platforms) is revoked the same day. Departing personnel hand back any hardware, and any shared credentials they had access to are rotated within 48 hours.

)}, { id: "data", h: "4. Data handling during engagements", body: (

Where client data lives

An engagement workspace is a folder inside our Google Workspace, scoped to the principals on the engagement. It contains the engagement charter, status notes, deliverables, and any data the client has shared with us (audience exports, content drafts, analytics extracts).

We do not retain copies of client data on personal devices, in personal email, in personal cloud accounts, in any AI training pipeline, or in any system outside the engagement workspace.

What we do not do with client data

We do not use client data to train models — ours, our clients', or anyone else's.
We do not sell or share client data with any third party.
We do not use client data for our own marketing without written approval (see terms §11).
We do not retain client data outside the contractual records required by tax and contract law (see privacy notice §6).

Deletion on termination

Within 30 days of an engagement ending, we delete the engagement workspace, remove our access to all client systems, and confirm deletion in writing. Records that must be retained for legal or tax reasons (signed contracts, invoices) are kept for 7 years and then irrecoverably deleted.

)}, { id: "incident", h: "5. Incident response", body: (

We maintain an internal incident-response runbook covering detection, containment, eradication, notification, and post-mortem. The runbook is reviewed annually and after every exercise or real event.

Notification commitments

Affected clients: notified without undue delay after we confirm an incident affects their data, and in any case within 72 hours. We will share what we know, what we don't know, and what we are doing.
EU/UK regulators: where GDPR Article 33 applies (we are a processor for the client), we notify the controller without undue delay so they can meet their 72-hour obligation.
California residents: notification per Cal. Civ. Code § 1798.82.
Other state regulators: we follow the strictest applicable state breach-notification law where multiple apply.

What "incident" means here

An incident is any confirmed or reasonably suspected event that compromises the confidentiality, integrity, or availability of client data — an unauthorized access, a misconfigured share, a lost or stolen device, a compromised credential, a vendor breach affecting us, a successful phishing attempt against an employee with access to client systems. We treat near- misses as learning events even when they do not trigger notification.

Reporting an incident to us

If you believe you've discovered a security issue with this site or with our practice, email{" "} security@valdexai.com. We acknowledge within 1 business day and will keep you updated through resolution. Section 8 below describes our vulnerability-disclosure expectations and safe-harbor.

)}, { id: "vendors", h: "6. Subprocessors and vendor risk", body: (

The current list of subprocessors — the providers we use to run the business — lives at /subprocessors. Adding a new subprocessor requires the same review as our initial vendor onboarding: evidence of security practice (SOC 2, ISO 27001, or equivalent), a written data-protection agreement, and a risk note in our vendor log. Clients are notified at least 30 days before a new subprocessor that processes their personal data is engaged, with an opportunity to object.

)}, { id: "businesscont", h: "7. Business continuity", body: (

We are a small firm with no single-server, single-database, or single-employee dependencies for active engagements. The risk profile that matters here is: the unavailability of a principal.

Every engagement has at least two named principals with active context.
Every status note, deliverable, and account credential lives in the engagement workspace, not in any one person's head or laptop.
The runbook for re-establishing access to a client system in a principal's absence is documented and tested annually.
If both engagement principals become unavailable, the managing principal can pick the engagement up within 5 business days using the engagement workspace alone.

)}, { id: "vulndisclosure", h: "8. Vulnerability disclosure", body: (

If you discover a security vulnerability affecting our website or infrastructure, we want to hear about it. We commit to:

Acknowledging your report within 1 business day.
Triaging and providing a substantive response within 10 business days.
Not pursuing legal action against good-faith security research that respects the rules of engagement below.
Crediting researchers in our disclosure post if they want credit.

Rules of engagement (safe-harbor)

You may, in good-faith research:

Test against your own accounts or accounts you have explicit permission to test.
Probe for vulnerabilities at a rate that does not degrade service for other users.
Demonstrate proof-of-concept without exfiltrating data beyond what is strictly necessary.

You may not:

Access, modify, or destroy data that does not belong to you.
Run automated scanners that materially degrade service.
Use social engineering against employees or contractors.
Engage in physical-security testing of our office or staff.
Disclose a vulnerability publicly before we have had a reasonable opportunity to fix it (we coordinate a disclosure window, typically 90 days).

Report to security@valdexai.com. Encrypt sensitive details if you can; ask for our PGP key in your first message and we will reply with it.

)}, { id: "dataretention", h: "9. Data retention", body: (

Specific retention periods are described in the{" "} privacy notice §6 (for personal data we process as a controller) and the DPA (for personal data we process on behalf of a client).

)}, { id: "compliance", h: "10. Compliance posture", body: (

GDPR / UK GDPR: structurally aligned. See privacy notice and DPA.
CCPA / CPRA: structurally aligned. We do not sell or share personal information; California rights honored at the same standard as everyone else.
HIPAA: we do not knowingly process Protected Health Information and do not enter into Business Associate Agreements. Clients in regulated healthcare should anonymize before sharing.
PCI-DSS: out of scope. Payment processing is offloaded to Stripe (PCI DSS Level 1). We never see or store card numbers.
SOC 2: not yet certified. Type I targeted for Q1 2027.
ISO 27001: not yet certified. Re-evaluated alongside SOC 2.

)}, { id: "roadmap", h: "11. Roadmap", body: (

What we know is missing today and when we plan to address it:

External penetration test of valdexai.com (Q3 2026).
Documented background-check policy for employees and contractors (Q3 2026).
SOC 2 Type I readiness — engaging an auditor (Q4 2026); Type I report (Q1 2027); Type II in scope after 6 months of evidence.
Formal accessibility audit of the website (Q4 2026).
Customer-managed encryption keys (CMEK) support for the engagement workspace where a client requires it (on demand).

Buyers who want a security questionnaire answered should email{" "} security@valdexai.com. We will respond honestly, including where the answer is "not yet."

)}, { id: "contact", h: "12. Contact", body: (

VALDEX LLC
Attn: Security
1309 Coffeen Ave, Ste 1200
Sheridan, WY 82801, United States
security@valdexai.com · (762) 760-1179

)}, ]} /> ); } ReactDOM.createRoot(document.getElementById("root")).render();