Trust signals, written down.
Procurement teams ask the same questions. This page answers them directly: compliance status, data handling, insurance, vendor due diligence, and the customer commitments we make on every engagement.
Status, not aspirations.
Each item below carries a current status. Documentation for any item is available under NDA on request; milestones are published as programs reach them.
Type I report available under NDA on request. Type II audit underway; report will be published when issued.
Engagements report findings against OWASP ASVS L1/L2/L3 mappings where the scope warrants.
All engagements map findings against the MITRE ATT&CK Enterprise matrix.
What happens to your data during and after an engagement.
Engagement work touches sensitive material. Below is how we handle credentials, evidence, retention, and incidental discoveries. A complete data-handling policy is available under NDA.
Engagement-evidence retention
Raw evidence artifacts (commands, responses, captures) are retained for the agreed audit window, typically ninety days post-engagement, or longer where customer audit requirements specify. Customer-derived data is purged at the end of the retention period unless the engagement agreement specifies otherwise.
Credential handling
Customer-provided credentials are stored in encrypted, scope-bounded vaults per engagement. Credentials are not reused across engagements and are revoked or expired at engagement close.
Hard-guardrail scope enforcement
Out-of-scope assets are encoded as hard guardrails before kickoff. The agent refuses out-of-scope actions; operator-driven steps require explicit re-confirmation when they approach scope boundaries.
Disclosure of incidental discoveries
If engagement work surfaces evidence of pre-existing compromise, third-party exposure, or other issues outside the scope, we flag immediately and consult with your single point of contact (SPOC) before any further action.
The promises we make on every engagement.
We do not exceed the authorized perimeter.
Engagement work is bounded by the engagement agreement. Out-of-scope assets are enforced by the agent and by operator review on manually driven steps.
Destructive actions require human approval.
Actions that would meaningfully affect production state require explicit operator approval regardless of operator mode. The agent does not execute destructive operations unattended.
You can stop the engagement, for any reason.
You retain access to all findings produced up to the halt point. We issue an abbreviated report covering work performed. No penalty for halting.
Every finding traces back to the action that produced it.
The portal preserves the command, the response, and the artifact for each finding. Evidence remains accessible to your team for the duration of the audit window.
Paperwork your procurement team will ask for.
The standard procurement requirements, answered upfront so your security and legal teams can move quickly. Anything listed below is available on request during scoping.
NDAs
Mutual NDA available on request; signed during or before the scoping conversation. Section 31 also signs customer-template NDAs without redline in most cases.
Security questionnaires
Standard responses to SIG, CAIQ, and most enterprise security questionnaires available on request. Custom questionnaires answered during procurement.
Insurance
Professional liability and cyber-liability insurance carried. Certificates of insurance available on request.
Engagement agreement
Standard engagement agreement covers scope, deliverables, guardrails, liability, and intellectual property handling. Available for review during scoping. Customer-template Master Service Agreements (MSAs) accepted with standard redlines.
Need our procurement packet?
Compliance documentation, insurance certificates, security questionnaire responses, and policy documents are available under NDA. Most responses turn around within one business day.