How CFW thinks about website security, intake boundaries, and responsible reporting.
Security posture
CFW is a small advisory and systems practice. The current public website is a low-risk marketing and intake surface hosted on Vercel, with domain and DNS managed through Cloudflare.
The security posture is based on data minimization, limited collection, reputable infrastructure providers, HTTPS, conservative access controls, and avoiding sensitive information in first-contact workflows.
Current safeguards
HTTPS is active for cromwellfutureworks.com.
Cloudflare manages domain registration and DNS.
Vercel builds and hosts the Next.js website from the GitHub repository.
Google Workspace handles company email with MX, DKIM, SPF, and starter DMARC records configured.
The website warns visitors not to include sensitive or regulated information in first-contact messages.
Planned intake safeguards
Replace temporary email-based request handling with a server-side submission endpoint.
Validate all request-audit submissions server-side.
Add Cloudflare Turnstile with server-side verification.
Add a honeypot field and rate-limiting where practical.
Store leads in Supabase with row-level security and server-only service-role access.
Avoid file uploads and sensitive client data in the initial request flow.
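The planned intake checks above (server-side validation, honeypot field, rate limiting, Cloudflare Turnstile verified on the server) as one added example written for a Next.js route handler; this is illustrative code, not CFW's own implementation. The form field names, the honeypot name "website", the TURNSTILE_SECRET_KEY variable name and the in-memory limiter are assumptions; the siteverify URL and its JSON `success` field are Cloudflare's documented API.

```javascript
// Turnstile siteverify (Cloudflare's documented endpoint and JSON shape);
// the secret is read from a server-only env var whose name is assumed here.
async function verifyTurnstile(token, remoteip, fetchImpl = fetch) {
  const body = new URLSearchParams({ secret: process.env.TURNSTILE_SECRET_KEY ?? "", response: token ?? "" });
  if (remoteip) body.set("remoteip", remoteip);
  const res = await fetchImpl("https://challenges.cloudflare.com/turnstile/v0/siteverify", { method: "POST", body });
  return (await res.json()).success === true;
}

// Fixed-window rate limit per client IP. In-memory for illustration only;
// a multi-instance deployment needs a shared counter (KV/Redis).
const buckets = new Map();
function rateLimited(ip, limit = 5, windowMs = 60_000, now = Date.now()) {
  const b = buckets.get(ip);
  if (!b || now - b.start >= windowMs) { buckets.set(ip, { start: now, count: 1 }); return false; }
  return ++b.count > limit;
}

// Field allow-list with length caps (names assumed). "website" is the hidden
// honeypot: humans never fill it, so any value means a bot submitted the form.
const FIELDS = { name: 120, email: 254, company: 120, problem: 2000 };
const REQUIRED = ["name", "email", "problem"];
const EMAIL = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
function validateSubmission(input) {
  if (typeof input.website === "string" && input.website.trim()) return { ok: false, errors: ["honeypot"] };
  const errors = [];
  for (const [field, max] of Object.entries(FIELDS)) {
    const v = input[field];
    if (v === undefined || (typeof v === "string" && !v.trim())) { if (REQUIRED.includes(field)) errors.push(`${field}: required`); }
    else if (typeof v !== "string" || v.length > max) errors.push(`${field}: invalid`);
  }
  if (typeof input.email === "string" && input.email && !EMAIL.test(input.email)) errors.push("email: invalid");
  return { ok: errors.length === 0, errors };
}

// Pipeline: cheap local checks first, the network call last. Writing the lead
// to Supabase with the server-only service-role key would follow the 200 path.
async function handleIntake(input, ip, verify = verifyTurnstile) {
  if (rateLimited(ip)) return { status: 429, error: "rate_limited" };
  const v = validateSubmission(input);
  if (!v.ok) return { status: 400, error: "invalid", errors: v.errors };
  if (!(await verify(input.turnstileToken, ip))) return { status: 403, error: "turnstile" };
  return { status: 200, error: null };
}
```

Because the Turnstile secret never leaves the server and the honeypot and length checks run before any network call, a bot that bypasses the browser-side widget still cannot create a lead.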
Data handling boundaries
CFW's initial request flow should collect only enough information to understand the business context, workflow problem, tools involved, and contact path. It should not collect regulated records, credentials, customer lists, financial account details, health data, HR records, or legal matter details.
Responsible reporting
If you believe you found a security issue involving CFW's public website or systems, contact security@cromwellfutureworks.com with a concise description, affected URL or system, steps to reproduce, and any relevant screenshots or logs.
Please do not access, modify, delete, disrupt, exfiltrate, or publicly disclose data. CFW does not currently operate a paid bug bounty program.
Vendor security
CFW relies on established providers for core infrastructure, including Vercel, Cloudflare, Google Workspace, and planned providers such as Supabase and Resend. Vendor choices may change as the business and audit product mature.
No guarantee
No security program can eliminate all risk. CFW will continue improving safeguards as the website moves from marketing presence to operational lead capture and workflow audit delivery.