Security Research Group Request a Demo

Trust & Security

This page describes our security commitments and practices. It is informational and does not modify the terms of any client agreement. Specific obligations are governed by the written agreement between SRG and the client.

Our Commitment

Security is not a feature of our business - it is our business. Security Research Group LLC holds itself to the same standards we help our clients achieve. This page summarizes how we protect the information entrusted to us and how we operate when handling client environments and data.

How We Protect Client Data

We apply defense-in-depth principles to the information our clients share with us:

  • Least privilege. Access to client data is limited to the personnel who need it for a specific engagement, and is revoked when no longer required.
  • Encryption. We protect sensitive data in transit and at rest using industry-standard encryption.
  • Segregation. Client engagement data is handled in a manner that keeps each client's information separated and protected.
  • Secure handling and disposal. We retain engagement data only as long as necessary and securely dispose of it in accordance with our agreements and applicable law.

How We Conduct Engagements

Every engagement operates under a written agreement that defines scope, authorization, and rules of engagement before any work begins. For offensive security work such as penetration testing, we obtain explicit written authorization and operate strictly within the agreed scope, using methods designed to demonstrate risk without causing harm to production systems or data.

Incident Reporting

If we identify a security incident affecting data or systems we handle on a client's behalf, we are committed to prompt notification and coordinated response in accordance with the applicable client agreement and our legal obligations. The specific notification timelines and procedures for an engagement are defined in that engagement's agreement.

Our Own Security Posture

We maintain administrative, technical, and physical controls to protect our own systems, including access controls, monitoring, secure development and configuration practices, and ongoing risk management. We welcome good-faith reports of vulnerabilities in our public systems under our Vulnerability Disclosure Policy.

People and Expertise

Our team brings experience from the highest levels of government and military cybersecurity operations, backed by leading industry certifications. The discipline and standards required in those environments inform how we protect every client.

Questions

For questions about our security practices, or to request additional detail as part of a vendor assessment, contact us at info@securityresearch.us.