The fine print

Trust Signals

Risk Wise Security is an independent cybersecurity advisory firm focused on clarity, judgment, and practical execution. We do not operate managed services, host client systems, or run the kinds of production services that typically call for a SOC 2 attestation, but we take the protection of client information seriously, and our internal practices align with the intent of the SOC 2 Trust Services Criteria.

We operate as a vendor-neutral advisory firm. We do not accept referral fees, resale commissions, or incentives from technology vendors.

Our approach includes:

  • Minimal data collection and retention

  • Restricted access to client information

  • Strong authentication and device security

  • Clear confidentiality and incident notification practices

  • Vendor-neutral advisory services

We are happy to answer security questionnaires, participate in due diligence discussions, and provide additional detail upon request.

Straightforward Details

Scope of Services
The services provided by Risk Wise Security (“RiskWise,” “we,” “our” or “us”) are strictly advisory in nature. We provide guidance, recommendations, and educational materials regarding information security, policy development, and security posture improvement. We do not provide operational security services, monitoring, vulnerability scanning, penetration testing, or incident response unless specifically indicated in a signed contract between us and the client. Clients retain full responsibility for implementing any recommendations.

No Guarantee
While we aim to provide actionable guidance based on industry best practices and frameworks, we cannot guarantee that your systems, data, or organization will be secure from cyber threats. No advice or recommendations should be construed as creating any warranty, representation, or assurance regarding security outcomes, compliance, or regulatory approval.

Decision-Making and Liability
All decisions regarding security policies, technology implementation, or risk acceptance remain the sole responsibility of the client. Risk Wise Security is not liable for any loss, damage, or incident resulting from the adoption or non-adoption of our recommendations.

Compliance and Legal Advice
Our services are not legal advice. Clients should consult qualified legal counsel or compliance professionals regarding regulatory requirements, contractual obligations, or industry-specific standards.

Use of Materials
Any templates, policy drafts, or guidance materials provided are for the client’s internal use only. Redistribution or resale of materials without written consent is prohibited.

Acceptance of Risk
By engaging our services, the client acknowledges that all risk related to the implementation of security recommendations remains with the client and accepts full responsibility for any outcomes resulting from these actions.

Your Data, Your Privacy

This notice explains how Risk Wise Security (“RW”) may collect and use personal data when you interact with us, including if you: use our website or services; view an online advertisement promoting our business; work for organizations that provide goods or services to us; visit our premises; or attend events we host.

Depending on how you interact with us, the personal data we collect may include contact information (such as name, email address, and phone number), professional or business details, website usage data, and limited technical information such as IP address or browser type. We use this information to respond to inquiries, provide and improve our services, operate our website, communicate with you, and meet legal or contractual obligations.

This notice does not apply to data collected and processed outside of your interaction with our website or general business activities. RW enters into separate agreements with clients and prospective clients for the provision of services, which govern data collection, processing, and security practices in that context. Likewise, data related to applicants, employees, and contractors is governed by separate agreements and policies.

Any client data in our possession is handled with care, protected using appropriate safeguards, and treated with strict confidentiality at all times. We do not sell personal data. We may share limited personal data with trusted service providers (such as hosting, analytics, or communications providers) solely as necessary to operate our business and services.

In many cases where we process personal data on behalf of a client, those activities are governed by contracts between RW and that client and fall outside the scope of this notice. If you are an individual whose data is processed by us on behalf of a client, please contact that organization for information about its data practices and your rights.

You may have rights regarding your personal data, including the right to request access, correction, or deletion, subject to applicable law. Questions about this notice or our data practices may be directed to us through the contact information provided on our website.

Any changes to this notice will be posted on this page to reflect updates to our practices or legal requirements. Where appropriate, we may notify you of material changes by email, but we encourage you to review this page periodically.

Our Practices

Scope & Responsibility Statement

All services are strictly advisory. Clients remain solely responsible for implementation and ongoing operational security unless explicitly stated otherwise in a signed contract. We do not provide monitoring, detection, or incident response services, and we make no representations or warranties regarding breach prevention or regulatory compliance outcomes.

Use of AI & LLMs

We use AI tools to support research, drafting, grammar and style editing, data analysis, and other project-related activities. All AI output is reviewed by a member of our team and edited or adapted as needed; we do not rely on AI output alone or publish it verbatim. Client data is never shared with AI systems without the client's consent, and AI-assisted content is a tool, never a guarantee of accuracy.

Common Questions

Do you have a SOC 2 Type II report?

No. RiskWise Security is an advisory firm and does not host or process customer data at scale. We maintain internal security practices aligned with SOC 2 principles and are happy to describe them in detail.

How do you protect client data?

We apply least privilege access, strong authentication, device security controls, and data minimization practices. Client data is only accessible to individuals engaged on the project.

Do you conduct risk assessments?

Yes. We regularly evaluate operational and information security risks relevant to our business model and advisory services.

How do you manage vendors?

We use a small number of reputable service providers and evaluate them for security posture and appropriateness. Vendor access is limited and monitored.

Do you have incident response procedures?

Yes. We maintain documented internal procedures for identifying, assessing, and responding to security incidents, including client notification protocols.

Data Handling

What types of client data do you accept?

We accept only data that is generally considered non-sensitive: information that does not identify an individual or expose private, regulated, or confidential details. We do not accept sensitive data such as personally identifiable information (PII), protected health information (PHI, as regulated under HIPAA), Social Security numbers (SSNs), financial account details, or any other data subject to heightened privacy or security requirements.

What data do you explicitly avoid collecting?

Beyond the business contact details described in our privacy notice, we collect only non-sensitive data and explicitly avoid collecting personal data, including personal data as defined under the GDPR, such as PII, credentials, financial or medical information, biometric or precise location data, and any other data subject to privacy or security regulations.

How long do you retain client materials?

We retain client materials only for as long as necessary during the engagement, then delete or anonymize the data within a defined, short timeframe.

Systems & Access

Where is client data stored?

Client data is stored in secure, access-controlled infrastructure with data encrypted at rest and in transit.

Who has access and how is access controlled?

Access to client data is role-based and governed by least privilege, with logging and regular access reviews.

What authentication methods are used?

Authentication is enforced using strong, industry-standard methods: unique user accounts, strong passwords, and multi-factor authentication (MFA) wherever the service supports it.

Device & Endpoint Security

How are laptops/workstations secured?

Company laptops and workstations are secured with full-disk encryption, device-level authentication, automatic screen locking, and up-to-date security patches.

How are updates and patches handled?

Operating system and application updates and patches are installed automatically, including optional security updates.

Incident Handling

How would you identify a potential incident?

Potential incidents are identified through system monitoring, logging, alerts from security tools or other providers, and reports from employees or third parties.

Who is responsible for response?

Incidents affecting our own systems and data are handled under our internal procedures. Incidents in a client's environment remain the client's responsibility; we coordinate with the client and advise where engaged to do so, but we do not provide incident response services.

How and when would clients be notified?

Clients are notified promptly once we have confirmed an incident that affects their data.

Vendors & Tools

What third-party services do you rely on?

Our website is hosted on Squarespace and its underlying infrastructure.

Why were they selected?

Squarespace has a long-standing reputation as a content management system provider.

Governance

How often do you review your own practices?

Security and privacy practices are reviewed on a regular basis and at least annually, as well as following material changes to systems, processes, or regulatory requirements.

How do you ensure independence and avoid conflicts of interest?

Conflicts of interest are managed through internal policies, role separation, disclosure requirements, and adherence to professional and ethical standards.