This page lays out how EARNS & BARNS LLC handles security and trust for our own infrastructure, the analytics accounts our clients give us access to, and the personal data that occasionally passes through the studio.
1. Summary
- Encryption: TLS 1.2+ in transit (HSTS preload), AES-256 at rest (provider-managed).
- Access: Google Workspace SSO with hardware-key MFA. No shared passwords. Quarterly access reviews.
- Vendors: The list in Section 6 is the entire stack. Every vendor has a signed DPA.
- Incidents: Notification inside 72 hours per GDPR Art. 33.
- Posture: SOC 2 Type II is on the roadmap; we are not currently certified.
2. Scope of this page
Trust & Security covers:
- The Earns & Barns website (earnsandbarns.com).
- Our internal studio infrastructure (email, drives, docs, code repos).
- Credentials our clients delegate to us (analytics, ad accounts, CMS, email platforms).
- Draft content and deliverables produced under client engagements.
It does not cover the security of the underlying SaaS platforms our clients use (Shopify, Google Ads, Klaviyo, etc.) — those vendors publish their own controls. We do, however, evaluate each before recommending it.
3. Organizational controls
- Background checks at hire for any role with production access.
- Mandatory annual security training for all studio members (phishing, secrets handling, incident reporting).
- Documented policies for access control, vendor onboarding, data classification, retention, incident response, and acceptable use — version-controlled in our internal knowledge base.
- Least privilege by default. A new team member starts with zero client access. Access is granted per engagement on the day the SOW is countersigned and revoked the day the engagement ends.
- Quarterly access review: we audit every client account and remove stale grants every 90 days.
- Confidentiality agreements signed by every team member and subcontractor before access is granted.
- Subcontractor due diligence: contractors are vetted, contracted, and access-controlled the same way team members are.
4. Technical controls
4.1 Encryption
- TLS 1.2 minimum on every public endpoint we control. TLS 1.3 preferred. HTTP Strict Transport Security (HSTS) enabled with a 1-year max-age on all production hostnames.
- Storage encrypted at rest using provider-managed AES-256 (Google Workspace, Vercel, Stripe, Postmark, Plausible).
- Secrets stored in 1Password (Business tier, with audit log) and rotated on offboarding, vendor change, or suspected exposure.
4.2 Network & perimeter
- Cloudflare in front of all public endpoints for DDoS mitigation and rate limiting.
- DNSSEC enabled on the apex domain.
- SPF, DKIM, and DMARC (
p=reject) enforced on all outbound studio email. - No public-facing SSH; production deploys via Vercel's GitOps flow.
4.3 Application security
- Static type checking and linting on every commit.
- Dependency scanning via GitHub Dependabot; critical vulnerabilities patched within 7 days.
- No third-party trackers, no eval'd scripts. The Site ships a strict Content-Security-Policy header.
- Penetration testing of the production Site at least annually, plus when major architectural changes ship.
4.4 Logging & monitoring
- Vercel access logs, Cloudflare event logs, and Google Workspace admin logs retained for 90 days (longer for security investigations).
- Real-time alerts on anomalous login activity, mass file downloads, and OAuth-grant changes.
- Server logs are pseudonymized after 30 days (IP truncated to /24).
5. Data we hold
We minimize the personal data we hold. The categories we touch:
| Category | Sensitivity | Where | How long |
|---|---|---|---|
| Site contact-form submissions | Low | Google Workspace inbox | ≤ 24 months |
| Client correspondence & deliverables | Medium | Google Drive | Term + 7 years |
| Client analytics & ad-account access | Medium | Delegated OAuth (no creds stored) | Term of engagement |
| Invoices & payment records | Medium | Stripe | 7 years |
| Source code & configs | Medium | GitHub (private) | Indefinite (audit trail) |
| Server logs | Low | Vercel / Cloudflare | 30 days raw, 90 days pseudonymized |
We do not store payment card numbers, government identifiers, or special-category data on our infrastructure.
6. Subprocessors
The complete list of vendors that may process personal data on our behalf. Each has a signed DPA and SCCs where applicable.
| Vendor | Purpose | Region | Compliance |
|---|---|---|---|
| Vercel | Site hosting & edge functions | USA / Global edge | SOC 2 Type II · SCCs · DPA |
| Cloudflare | DNS, CDN, DDoS mitigation | Global edge | SOC 2 Type II · ISO 27001 · SCCs · DPA |
| Google Workspace | Email, calendar, drive, docs | USA / EU | SOC 2 Type II · ISO 27001 / 27018 · SCCs · DPA |
| Postmark (ActiveCampaign) | Transactional email delivery | USA | SOC 2 Type II · SCCs · DPA |
| Plausible Analytics | Privacy-friendly site analytics | EU (Germany) | GDPR-native · DPA |
| Stripe | Invoicing & payments | USA / EU | PCI-DSS Level 1 · SOC 2 Type II · SCCs · DPA |
| 1Password | Password and secrets management | Canada / USA | SOC 2 Type II · DPA |
| GitHub | Source code & CI | USA | SOC 2 Type II · ISO 27001 · SCCs · DPA |
| Notion | Internal documentation | USA | SOC 2 Type II · ISO 27001 · SCCs · DPA |
| Linear | Project management | USA | SOC 2 Type II · DPA |
Active clients are notified of subprocessor additions or removals at least 14 days in advance and can object in writing. See the Privacy Policy for the controller / processor classification.
7. Access management for client systems
- We request delegated access (OAuth, IAM role, “Add user” with named role) — never your raw password.
- We use a unique studio email per platform; we never share logins.
- Multi-factor authentication is required everywhere it's offered.
- When an engagement ends, we ask you to revoke the studio's access within 14 days. If you forget, we confirm removal in writing and walk you through the revocation.
8. Incident response
We maintain a written Incident Response Plan with the following commitments:
- Detection: automated alerts on suspicious authentication, mass data access, and configuration drift.
- Triage: the on-call studio member opens an incident channel within 30 minutes of detection.
- Containment: isolate the affected system, rotate exposed credentials, and notify our security counsel.
- Notification: affected clients are notified inside 72 hours of confirmed compromise, in line with GDPR Art. 33 and applicable US state breach-notification laws. Notification includes:
- The nature of the incident, including categories of data and approximate number of records affected.
- Contact for further information.
- Likely consequences and the measures taken or proposed to address them.
- Post-mortem: written within 14 days, including root cause and corrective actions. Shared with affected clients.
9. Business continuity & disaster recovery
- Backups: production data backed up by our vendors (Google Workspace, Stripe, Vercel) on rolling 30-day windows.
- Recovery Time Objective (RTO): 24 hours for the Site, 72 hours for client deliverables.
- Recovery Point Objective (RPO): 24 hours.
- Tabletop exercise: we run a recovery drill at least annually.
- Vendor failure plan: for each critical vendor we have a documented replacement candidate and a one-page runbook for migration.
10. Vulnerability disclosure
We welcome reports from security researchers. Please send findings to security@earnsandbarns.com. If your report includes proof-of-concept details, encrypt with our PGP key (available on request).
- We acknowledge receipt within 2 business days.
- We aim to triage within 5 business days.
- Good-faith research is welcomed under the safe-harbor terms below.
10.1 Safe harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, or interruption of service.
- Only interact with accounts they own or have explicit permission to access.
- Report findings privately to security@earnsandbarns.com before public disclosure.
- Give us a reasonable time to remediate before disclosure (we suggest 90 days).
11. DPA & data-subject request support
We'll sign a Data Processing Addendum (DPA) with any client whose engagement requires us to act as a processor. Our template DPA covers GDPR Art. 28 requirements, includes the EU SCCs as an annex, and lists our subprocessors as appendix items.
We help clients respond to data-subject access requests (DSARs) within their statutory deadlines — typically by producing exports from the analytics, email, and CRM systems we administer for them, in the format the client requires for response.
12. Regulatory posture
| Framework | Status | Notes |
|---|---|---|
| GDPR / UK GDPR | Compliant | Privacy Policy & DPA template aligned to Art. 5–32. |
| CCPA / CPRA | Compliant | Privacy Policy includes required notices & rights. |
| CAN-SPAM | Compliant | We do not send marketing email from this domain. |
| WCAG 2.1 Level AA | Substantially compliant | See the Accessibility Statement. |
| SOC 2 Type II | On roadmap (2027) | We follow the controls; we have not yet pursued external attestation. |
| ISO 27001 | Not certified | We model practices on ISO 27001 controls without seeking the certificate. |
| HIPAA | Not applicable | We do not knowingly process protected health information. |
| PCI-DSS | Out of scope (SAQ A) | Cardholder data is handled exclusively by Stripe. |
13. Contact
- Security disclosures: security@earnsandbarns.com
- General privacy: hello@earnsandbarns.com
- Postal: EARNS & BARNS LLC, 339 W Burkitt St, Sheridan, WY 82801, USA
- Phone: +1 (681) 284-1515