Security & Privacy - How client data is handled

persona.how handles client identity systems, credentials, and configuration data. This page describes exactly how that data is handled, stored, and disposed of.

NDA and confidentiality

Every engagement starts with a mutual NDA — yours or ours, signed before we see anything. Client information is confidential whether or not an NDA is in place. We do not use client names, details, or work products in marketing without written permission.

Credential handling

Credentials go into 1Password, get used, and get deleted. That is the entire lifecycle. No plaintext files, no emails, no chat messages, no documents with passwords in them. If a credential may have been exposed, it gets rotated immediately — not investigated first, rotated first.

All access to client environments is logged. At engagement closeout, you get a summary of every action taken in your systems.

Device and access hygiene

  • MFA everywhere: Hardware keys where possible, TOTP where not. SMS is not used as a second factor — SIM swap attacks are cheap and effective.
  • Encrypted storage: FileVault on all devices. If a laptop gets stolen, the data on it is unreadable.
  • Auto-lock: Five-minute screen lock. The kind of thing that is embarrassing to list but worse to skip.
  • Network isolation: No client work on public WiFi without a VPN. Client work runs in a separate browser profile from everything else.
  • Patching: Security patches within 48 hours. Everything else within a week. This is the one control that stops the most attacks with the least effort.
  • Passwords: 1Password for everything. No reuse, no shared credentials, no exceptions.

Data handling and retention

Client data is classified by sensitivity and retained only as long as necessary. Default retention periods:

  • Client credentials: Deleted immediately after use. Never persisted beyond the active task.
  • Client confidential data: Deleted at end of engagement plus 30 days. Overwritten or cryptographically destroyed.
  • Work product: Archived for one year per contract terms, then securely deleted.
  • Contracts and financials: Retained for seven years per tax requirements. Securely archived.

Client data is stored in project-specific directories, never mixed across clients. All storage is encrypted at rest and in transit. Client production data is never copied to persona.how systems. Work happens in your environment or with sanitized data.

Subcontractor policy

All work is performed directly by persona.how. No subcontractors. Identity work requires deep context on your environment — the kind that gets lost when you hand it to someone two degrees removed.

AI agent usage

persona.how uses AI agents for drafting, code generation, research, and analysis. This is stated in every SOW and MSA. If you have concerns about AI usage in your engagement, we address them before signing.

Agents are useful for drafting and analysis. They will also invent configuration details that look right but are not, and agree to scope they cannot deliver. These guardrails exist because we learned where the failure modes are:

  • Communication: Agents do not send emails or messages to clients. Everything a client sees has been read by a human first.
  • Commitments: Agents do not agree to scope, timeline, or price. They will confidently agree to things that are not possible — only the practitioner makes commitments.
  • Production access: Agents do not touch production environments on their own. Every action against a live system gets explicit, per-task approval with a written record.
  • Credentials: Agents do not store or persist client credentials. Credentials are used in the moment and discarded.
  • Deliverables: Every agent-generated deliverable gets reviewed by a human before it reaches a client. Agents produce useful drafts. They also produce confident nonsense. The review catches both.
  • Prompt hygiene: No client credentials, API tokens, secrets, or PII in prompts. Architecture details get sanitized before use. The risk is not the agent leaking data — it is the data persisting in a training pipeline.

Incident reporting

If a security incident occurs (credential exposure, data breach, unauthorized access), persona.how contains the exposure first, then assesses scope and notifies affected clients within 4 hours of confirmation. Remediation and a written post-incident report follow within 48 hours.

The notification covers the incident itself, scope of affected data, and actions taken. It also states what happens next.

To report a security concern, contact [email protected] directly.

Insurance and legal

persona.how carries professional liability (E&O) and cyber liability insurance. Coverage details, certificates of insurance, and W-9 are provided during the contracting process. Contact [email protected] if you need these before an intro call.

Specific questions about how this applies to your engagement? Ask directly.