Sevrak

Security Practices

Sevrak LLC is a security-first engineering firm aligned with industry best practices. This page summarizes our security posture for (1) Sevrak's internal operations and (2) client engagements, in a format intended to support vendor onboarding and security reviews.

This overview is designed to be accurate without disclosing sensitive security details. We may update this information over time without notice.

This page is provided for informational purposes only and does not form part of any contract. Contract terms (including any applicable DPA/SOW/MSA) control. When Sevrak performs services in client-managed environments, client controls and configurations govern those environments. We operate within agreed access boundaries and apply least-privilege access consistent with the engagement scope.

Security at a glance

Core principles

  • Security-first engineering and least-privilege access
  • Data minimization (we avoid collecting or retaining data we don't need)
  • Defense-in-depth across identity, endpoints, and development workflows
  • Confidentiality-first engagement model for client work

High-level control set

  • Written security policies and periodic security awareness training
  • MFA and strong authentication standards
  • Company-managed endpoints with endpoint protection
  • Secure software development lifecycle (SDLC) with code review and automated scanning
  • Incident response planning and customer notification practices

Governance and security program

  • Acceptable use
  • Access control and least privilege
  • Authentication (including MFA)
  • Data classification and handling
  • Encryption
  • Secure development lifecycle and change management
  • Incident response
  • Vendor risk management
  • Security awareness training: performed on a periodic basis
  • Risk assessments: performed on a periodic basis and as-needed
  • Asset inventory: maintained for devices and key services
  • Data flow documentation: maintained to support secure client engagements and reviews

Identity and access management

  • Multi-factor authentication (MFA) is required for critical systems, including email, source control, cloud platforms, and our password manager.
  • Password standards: we require strong passwords alongside MFA and prohibit reused or compromised passwords.
  • Role-based access control (RBAC) is used where available.
  • Least privilege is enforced by default.
  • Shared accounts are prohibited.
  • Access reviews are performed on a periodic basis.
  • Development workflows use separation of environments (e.g., dev/staging/production) where applicable.

Endpoint, device, and physical security

  • Access to corporate systems must occur from company-managed endpoints, which are configured with:
      • Full disk encryption
      • Screen lock and inactivity timeouts
      • Host firewall enabled
      • Anti-malware / endpoint detection and response (EDR)
      • Centralized device management and policy enforcement
  • Operating system and application updates are managed and applied on a defined schedule, with accelerated timelines for critical security issues.
  • Removable media use is restricted for company-managed endpoints.
  • Our security policy requires approved secure connectivity methods (e.g., VPN where required by policy) when traveling or using public Wi-Fi.
  • Work is performed from home offices with reasonable physical safeguards appropriate for professional services.

Network, infrastructure, and website security

  • Our public website is protected using industry-standard security controls for web application protection and abuse prevention (e.g., bot mitigation and DDoS protection).
  • For applications we build and operate, we use reputable cloud infrastructure and standard cloud security controls (e.g., identity access controls, secure configuration, and logging) appropriate to the system's risk profile.
  • TLS/HTTPS is enforced for our public website and for systems we operate.
  • For systems we operate, we implement logging and monitoring appropriate to risk to help detect suspicious activity and support incident investigation.
  • Where applicable for systems we operate, we implement backup and recovery practices, and we validate restore procedures on a periodic basis.

Secure software development

  • Secure coding guidelines and security requirements are incorporated into delivery workflows.
  • Threat modeling is performed for relevant systems and features.
  • Code changes are reviewed via pull requests.
  • Branch protections are enforced.
  • Dependency pinning/lockfiles are used where applicable.
  • Dependency vulnerability scanning is enabled.
  • Static analysis (SAST) and secret scanning are used to help detect issues early.
  • CI/CD secrets are managed using protected mechanisms appropriate to the platform.
  • We use a risk-based remediation approach and prioritize issues based on severity, exploitability, and system criticality, considering compensating controls where applicable.
  • For systems we operate in production, we perform penetration testing and/or independent security reviews appropriate to maturity and risk.

Client engagement security and data handling

  • We prefer client data to remain in client-managed environments whenever feasible.
  • We access systems and data only as necessary to perform the agreed scope of work.
  • Client data access is limited to authorized personnel on a need-to-know basis.
  • We use separate project workspaces and access boundaries where applicable.
  • Data is protected in transit via encrypted channels.
  • If storage is required for an engagement, encryption at rest and access controls are used.
  • We support US-only handling expectations when required by the client.
  • We retain client data only as long as needed for the engagement and legal obligations.
  • We delete client data upon request where contractually and legally permitted.
  • We do not use client data to train AI/ML models.
  • If subcontractors are used, we require appropriate confidentiality and security obligations, and we limit access to what is necessary for the work.

Vendor and subprocessor management

  • Vendors are assessed before adoption based on risk and business need.
  • We prefer vendors with strong security programs (e.g., SOC 2 / ISO-aligned practices where applicable).
  • Data processing terms (such as DPAs) are used where appropriate.
  • Vendor access to personal or confidential information is restricted to the minimum necessary.
  • Vendors are reviewed periodically, and changes are managed through change control practices.

Incident response and notification

  • Documented incident response procedures exist for triage, containment, eradication, recovery, and post-incident review.
  • We use a combination of platform security controls and alerting to identify suspicious activity and security-relevant events.
  • For client-impacting incidents involving client data, we commit to notifying clients without undue delay and in accordance with contractual and legal requirements.

Compliance and attestations

  • Independent audits/attestations (e.g., SOC 2): We are not currently certified.
  • We can support customer security reviews and provide relevant documentation and evidence under NDA, as appropriate to a specific engagement.

For security questionnaires and onboarding requests, contact: [email protected]

Acceptable security testing

  • We do not authorize security testing that degrades or disrupts services (e.g., denial-of-service testing). If you need to coordinate a security assessment for an engagement, contact [email protected] to discuss an approved scope and rules of engagement.

Responsible disclosure

  • If you believe you've discovered a security issue, contact us at [email protected]. Please provide a clear description of the issue and steps to reproduce it, and do not include sensitive data in your report.