Greyfeld Partners handles sensitive business information for every client we serve. We take a proactive, defense-in-depth approach to security — not because a regulation requires it, but because protecting our clients' data is central to the trust that makes our work possible. Below is a transparent overview of the security practices we actually implement.
What We Implement
Encryption in Transit & at Rest
All data transmitted between our systems and yours is protected by TLS 1.3. Stored data is encrypted with AES-256. These are the same standards used by major financial institutions.
Access Controls
Client data is accessible only to team members assigned to that specific engagement. We enforce the principle of least privilege — no one has access to information they don't need for their work.
Secure Infrastructure
Our systems run on enterprise-grade cloud infrastructure with automated security patching, network isolation, and regular vulnerability scanning. We use reputable cloud providers that maintain SOC 2 and ISO 27001 certifications for their infrastructure.
NDA-Protected Engagements
Every engagement begins with a mutual Non-Disclosure Agreement. All team members and subcontractors sign individual confidentiality agreements. These obligations survive indefinitely after the engagement ends.
Secure Communications
Client communications are conducted through encrypted channels. Sensitive documents are shared via access-controlled platforms with audit trails — never through unencrypted email attachments or public file-sharing services.
Regulatory Alignment
Our data handling practices are designed to comply with the Brazilian LGPD and European GDPR. We maintain documented data processing procedures and respond promptly to data subject access requests.
A Note on Transparency
We believe in being honest about where we stand. Greyfeld Partners is a boutique consulting firm, not a large enterprise with a dedicated security operations center. We do not currently hold SOC 2, ISO 27001, or similar third-party certifications — and we won't claim to. What we do have is a rigorous set of practices, a culture of confidentiality built over decades of handling sensitive client information, and the commitment to continuously improve our security posture. If your organization requires specific certifications for vendor compliance, we're happy to discuss how our practices align with your requirements during the Fit Assessment.
Incident Response
In the unlikely event of a security incident affecting client data, we commit to: (1) notifying affected clients within 72 hours of discovery, (2) providing a clear description of the incident and data potentially affected, (3) taking immediate remediation steps, and (4) sharing a post-incident report with root cause analysis and preventive measures.
Security questions or concerns? [email protected]