Security Posture
How we protect data, where we host, which vendors we rely on, and how to reach our security team. Honest about what we have certified and what we have not.
Document under legal review. This is a plain-English baseline published so procurement and security teams have something defensible to reference while counsel finalises the binding version. If you need a signed, counsel-approved version for a specific engagement, ask on the first call and we will expedite.
Where this site runs
The public GlobalAdmins website is hosted on Vercel. Vercel holds ISO 27001 and SOC 2 Type 2 certifications and operates a global edge network. Deployments are immutable: every commit produces a new isolated build that is promoted on verification, and old builds remain available for instant rollback.
What data the website touches
The website itself does not store customer data. There is no logged-in product surface, no customer portal, and no database on the website side. The two data paths are:
- Contact and scorecard forms post to a serverless function that sends an email via Resend. No database is written.
- Vercel Analytics and Speed Insights record aggregate traffic metrics for operational purposes.
Transport security
HTTPS is enforced across the entire site with HSTS (preload and subdomains). Only modern TLS ciphers are accepted. Response headers include X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Content Security Policy tuned to the specific script, style, and connection sources the site uses.
Form abuse protection
Form endpoints are rate-limited per trusted client IP, validate inputs with strict schemas, and include honeypot and timing checks to filter automated abuse. Rejected submissions return a generic error to avoid information leaks.
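A sketch of how the layered checks described above fit together (per-IP rate limit, strict schema, honeypot, timing check, one generic rejection). It is an added illustration, not GlobalAdmins' own code. The field names (`website`, `renderedAt`), thresholds, and in-memory store are assumptions.

```javascript
// Added illustration; field names and thresholds are assumptions, not the site's values.
const WINDOW_MS = 60_000;   // rate-limit window
const MAX_PER_WINDOW = 5;   // submissions allowed per IP per window
const MIN_FILL_MS = 3_000;  // a form completed faster than this looks automated
const GENERIC = { status: 400, body: { error: "Submission could not be processed." } };

const hits = new Map(); // ip -> timestamps of recent submissions (in-memory, per instance)

// `ip` is assumed to come from the hosting platform's trusted source,
// never from a header the client can set freely.
function rateLimited(ip, now) {
  const recent = (hits.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  hits.set(ip, recent);
  return recent.length > MAX_PER_WINDOW;
}

// Strict schema: closed key set, string types, length bounds, simple email shape.
function validSchema(form) {
  const allowed = ["name", "email", "message", "website", "renderedAt"];
  if (typeof form !== "object" || form === null) return false;
  if (Object.keys(form).some((k) => !allowed.includes(k))) return false;
  const { name, email, message } = form;
  if (![name, email, message].every((v) => typeof v === "string")) return false;
  if (name.length < 1 || name.length > 100) return false;
  if (message.length < 1 || message.length > 5000) return false;
  return email.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Returns { status, body }. Every rejection path returns the same GENERIC
// object, so a client cannot tell which check fired.
function handleSubmission(ip, form, now = Date.now()) {
  if (rateLimited(ip, now)) return GENERIC;
  if (!validSchema(form)) return GENERIC;
  if (form.website !== "") return GENERIC; // honeypot: hidden field must stay empty
  // Timing check. A client-supplied timestamp can be forged; signing it
  // server-side at render time is the usual hardening.
  const elapsed = now - Number(form.renderedAt);
  if (!Number.isFinite(elapsed) || elapsed < MIN_FILL_MS) return GENERIC;
  return { status: 200, body: { ok: true } }; // a real handler would send the email here
}
```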
Vendors
The current list of vendors that process any data on our behalf is published on the Subprocessors page. If you need a specific vendor to be excluded for an engagement, we flag that at scoping.
DPA and standard clauses
A Data Processing Addendum (DPA) is available on request for engagements that involve personal data under GDPR, the UK GDPR, or the California privacy regime. We execute the Standard Contractual Clauses where required for international transfers.
Certifications, honestly
We do not currently hold SOC 2, ISO 27001, or HIPAA certification as GlobalAdmins. We operate on top of certified infrastructure (Vercel, Resend, Microsoft Azure) and follow the control practices those programs require, but the certification itself sits with our vendors, not with us. If your procurement process requires a direct certification, flag it on the first call so we can discuss fit honestly.
Responsible disclosure
If you believe you have found a security issue with the website or any engagement deliverable, please email security@globaladmins.com with a description, reproduction steps, and your contact details. We acknowledge reports within one business day and work with you through resolution. We do not take legal action against good-faith researchers who follow this disclosure process.