Overview
Signal Harbor Security ("we," "our," or "us") provides non-invasive external exposure reviews, security readiness assessments, and public attack surface scoping for small and mid-sized businesses, educational institutions, and local government entities.
Our operational model centers on data minimization. Unless separately agreed in writing, our reviews are limited to your public-facing internet footprint and external perimeter. We do not intentionally request, ingest, or retain internal network credentials, proprietary code bases, student education records, or sensitive citizen data.
1. Data Collection Categories and Incidental Exposure
We segregate data into two distinct operational categories.
Administrative Account Data
Information provided voluntarily through scoping forms, intake questionnaires, or standard business communications may include:
- Identity Details: Representative name, organizational role, and corporate or public-sector affiliation.
- Contact Details: Professional email address, billing details, and telephone numbers.
- Authorized Scope: Public domains, subdomains, network ranges, and digital assets explicitly designated for review.
Assessment and Review Artifacts
Technical information collected during an active exposure review to identify security gaps may include:
- External Technical Metadata: Public DNS configurations, historical WHOIS records, certificate transparency logs, active perimeter service banners, and visible web security headers.
- Visual Evidence: Screenshots of public-facing asset directories, misconfigured vendor portals, or exposed login interfaces.
- Remediation Deliverables: Prioritized repair plans, summaries of findings, and evidence packages built for your technical staff.
Note on Incidental Exposure: While we do not target personal data, external queries may incidentally capture references to publicly exposed or leaked information, such as historical credential dumps, metadata in public files, or exposed directory listings. If sensitive data is incidentally encountered, we minimize collection to only what is necessary to document the risk, redact sensitive fields where practicable, and treat the artifact as strictly confidential.
2. Data Minimization Restrictions
Signal Harbor Security does not knowingly solicit or maintain:
- Protected Health Information (PHI) subject to HIPAA regulations, unless expressly covered by a separate written agreement.
- Student education records or personally identifiable information from education records.
- Financial account numbers or payment card data covered by PCI DSS, outside of basic service billing details.
If an organization transmits unauthorized sensitive data during scoping or project intake, we will delete, redact, or quarantine that information from active working repositories as soon as reasonably practicable, subject to technical, security, and standard email backup retention limitations.
3. Permitted Uses and Third-Party Disclosures
We use your data solely to execute the authorized scope of work and maintain business communications.
We do not sell, lease, or distribute scoping details or assessment findings to marketing aggregators, automated brokers, or commercial third parties. We do not disclose assessment findings to cyber insurance underwriters or external vendors unless explicitly authorized in writing by the client or required by a valid legal order. Where legally permitted, we will make reasonable efforts to notify the affected client before disclosing assessment findings in response to legal process.
4. Security Framework for Findings
Because our assessments document active perimeter vulnerabilities, all assessment data is protected using standard administrative and technical controls:
- Access Control: Access to client assessment material is restricted to personnel bound by formal confidentiality and non-disclosure obligations.
- Storage and Transmission: Client documentation and findings are stored in access-controlled environments using encryption at rest where supported, and transmitted across encrypted communication channels such as HTTPS/TLS-secured platforms.
5. Retention and Deletion Practices
We do not act as a permanent archive for your vulnerability data.
Assessment results reflect conditions observed during the review window and do not guarantee that every vulnerability, exposure, or risk has been identified.
- Active Engagements: Assessment data is retained during the active review cycle and through the post-delivery review window following final deliverable submission, to support client follow-up and IT remediation sessions.
- Post-Delivery Removal: We remove working technical artifacts after the post-delivery review window closes. Removal is subject to contract terms, audit obligations, legal holds, and backup retention requirements in effect at the time of removal.
- Administrative Archive: Master contracts, invoicing records, and copies of the final delivered roadmap are retained in isolated archive storage to satisfy financial audit obligations and liability protections.
6. Public Sector and Institutional Alignments
Local Government and Public Records Mandates
For municipal and public-sector clients subject to state-level open records laws, such as Florida Chapter 119, we mark security-sensitive deliverables as potentially confidential or exempt cybersecurity information where appropriate under governing law. We coordinate with the client's designated representative, legal counsel, or public records custodian as directed by the client regarding applicable cybersecurity exemptions. Final disclosure determinations and compliance with public records acts remain the sole statutory responsibility of the public agency.
Educational Entities, K-12 and Higher Education
Our services are not directed to children, and we do not knowingly collect personal information from minors. For school districts and educational clients, our assessments are structured to avoid access to student education records, supporting the client's internal compliance with the Family Educational Rights and Privacy Act (FERPA).
7. Your Operational Rights
Depending on your jurisdiction, you may request access to, correction of, or erasure of your administrative contact data. To make such a request, contact your account representative or submit an authorized request to our security desk at security@signalharborsecurity.com.
8. Document Amendments
We reserve the right to amend this policy to reflect changes in technical verification methods or evolving statutory frameworks. Any modifications will be posted to this standalone path with an updated effective date.