1. Our Commitment
SecurityAndTrust.io is operated by S&T Solutions LLC, a fractional vCISO and cybersecurity advisory firm. We believe that credibility in this industry starts with accountability. The controls described here are the ones we actually run — not aspirational statements.
This document is reviewed and updated whenever meaningful infrastructure or operational changes are made.
2. Website Infrastructure
The SecurityAndTrust.io website is a static site hosted on Amazon Web Services (AWS). The infrastructure is designed with defense-in-depth and follows AWS security best practices:
- S3 Origin Access Control (OAC) — the S3 bucket is not publicly accessible. Only our CloudFront distribution can read content, enforced via OAC and an IAM condition policy. Block Public Access is enabled on all four settings.
- HTTPS-only delivery — all HTTP traffic is permanently redirected to HTTPS at the CloudFront layer. There is no plaintext content delivery path.
- TLS 1.2 minimum — CloudFront is configured with the TLSv1.2_2021 security policy. TLS 1.0 and 1.1 are not accepted.
- CloudFront Function hardening — a viewer-request function enforces clean URL routing, preventing directory traversal patterns from reaching S3.
- No server-side execution — the site is a static HTML deployment. There is no web application server, CMS, or database exposed to the internet.
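As an added illustration (not the site's own CloudFront Function), the following viewer-request function does the kind of work described above: it maps clean URLs onto the S3 object keys of a static site and refuses traversal patterns before the request reaches the origin. The event shape follows the CloudFront Functions event structure; availability of decodeURIComponent in the function runtime is an assumption.

```javascript
// Hypothetical CloudFront viewer-request function for a static S3 site.
// Returning the request forwards it to the origin; returning an object with
// statusCode short-circuits with that response at the edge.
function handler(event) {
  var request = event.request;
  var uri = request.uri;

  // Inspect the path in decoded form so that percent-encoded traversal
  // sequences (e.g. "%2e%2e") are caught; malformed encoding is refused.
  var decoded;
  try {
    decoded = decodeURIComponent(uri);
  } catch (e) {
    return forbidden();
  }

  // Nested encoding ("%252e") would survive one decode; refuse it outright
  // rather than trying to guess how many times the origin would decode.
  if (decoded.indexOf('%') !== -1 || decoded.charAt(0) !== '/') {
    return forbidden();
  }

  // Walk the path segments: no ".", no "..", no empty middle segments ("//"),
  // no backslashes. A trailing empty segment is just a directory request.
  var segments = decoded.split('/');
  for (var i = 1; i < segments.length; i++) {
    var seg = segments[i];
    var emptyMiddle = seg === '' && i !== segments.length - 1;
    if (seg === '.' || seg === '..' || emptyMiddle || seg.indexOf('\\') !== -1) {
      return forbidden();
    }
  }

  // Clean-URL routing: "/about/" -> "/about/index.html", "/about" -> "/about.html".
  // Paths whose last segment already has an extension are left untouched.
  if (uri.slice(-1) === '/') {
    request.uri = uri + 'index.html';
  } else {
    var last = uri.substring(uri.lastIndexOf('/') + 1);
    if (last.indexOf('.') === -1) {
      request.uri = uri + '.html';
    }
  }
  return request;
}

function forbidden() {
  return { statusCode: 403, statusDescription: 'Forbidden' };
}
```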
3. Email Infrastructure
Outbound email from @securityandtrust.io addresses is sent exclusively via Amazon Simple Email Service (SES). Our email domain is hardened against spoofing and phishing:
- SPF — a Sender Policy Framework record is published, authorizing only AWS SES to send on behalf of the domain.
- DKIM — DomainKeys Identified Mail signing is enabled. Every outbound message is cryptographically signed by AWS SES.
- DMARC — a DMARC policy is published. Messages that fail SPF and DKIM alignment are subject to policy enforcement.
If you receive an email claiming to be from securityandtrust.io that looks suspicious, please report it to cam@securityandtrust.io.
4. SMS Communications
If you have opted in to SMS scheduling notifications, those messages are sent via AWS SNS/Pinpoint over carrier-grade infrastructure. Our SMS program follows TCPA requirements:
- Opt-in is explicit and consent-based — we do not send unsolicited text messages.
- Every participant can reply STOP at any time to immediately unsubscribe.
- Reply HELP for program information and support contact details.
- Message and data rates may apply depending on your carrier plan.
Full SMS terms are in our Terms & Conditions.
5. Access Controls & IAM
Access to AWS resources is governed by the principle of least privilege:
- IAM users and roles are scoped to the minimum permissions required for each function.
- Long-term access keys are reviewed and rotated on a regular cadence.
- No root account credentials are used for operational tasks.
- Lambda execution roles are independently scoped per function — there is no shared administrative role across compute resources.
6. Data Handling
We operate a minimal-data model:
- The public website does not use third-party analytics, ad trackers, or behavioral profiling scripts.
- Contact form submissions are processed via Lambda and delivered by SES. Form data is not retained in a persistent datastore beyond what is needed to deliver the message.
- Scheduling session data (if applicable) is stored in Amazon DynamoDB with TTL-based expiration. Data is not sold or shared with third parties.
For full details on what data we collect and your rights, see our Privacy Policy.
7. Incident Response
In the event of a confirmed security incident affecting our systems or any data we hold:
- We will investigate promptly and contain the incident.
- Affected individuals will be notified consistent with applicable law (including CCPA and UCPA).
- A post-incident review will be conducted and controls updated accordingly.
8. Security Disclosures
We welcome responsible disclosure. If you discover a security vulnerability on SecurityAndTrust.io or in our communications infrastructure, please report it directly — we will acknowledge receipt within one business day and keep you informed of our response.
Security contact:
Email: cam@securityandtrust.io
Subject line: Security Disclosure — [brief description]
We ask that you give us reasonable time to remediate before public disclosure, and that you avoid accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the vulnerability.