CompubilityBack to home

Security & Data Handling

Security & Data Handling

Compubility takes a security-first approach to the design, development, and ongoing support of public-facing digital services. This page summarizes our baseline practices and how we typically handle data for web rebuild engagements.

Typical hosting options

We support multiple hosting models based on agency preferences:

  • Agency-managed hosting: We deploy to infrastructure owned and managed by the agency (e.g., agency cloud accounts). This model is common when strict control or specific compliance requirements are needed.
  • Vendor-managed hosting (by request): For many website rebuilds, we can host the front end using reputable managed platforms (e.g., Vercel) and manage content through a headless CMS (e.g., Contentful). Final hosting architecture is documented and approved during implementation.

Data minimization and scope

For most public-sector marketing/informational websites:

  • We design solutions to minimize collection and storage of personal data
  • We avoid storing sensitive data unless the project explicitly requires it and the agency approves the approach
  • If forms are used, we implement only the fields needed and clearly define where submissions are routed (email, CRM, ticket system, database, etc.)

Access controls

We follow least-privilege principles:

  • Separate roles for content authors, editors, and administrators
  • Admin access restricted to the smallest necessary set of users
  • MFA enabled wherever supported (CMS, hosting, source control, email)
  • Access reviewed during handoff and after major personnel changes (on request)

Secrets and configuration management

We protect credentials and configuration across environments:

  • API keys and secrets are stored in secure environment variable systems (not committed to source control)
  • Production secrets are not shared in plain text
  • Rotation is supported and recommended on a defined cadence or when staff access changes

Backups and recoverability

Backup approach varies by architecture, but typically includes:

  • Source code version control (Git)
  • CMS content export and/or space/environment backup strategy
  • Deployment rollback support (where available)
  • Documentation of restoration steps and ownership (agency vs Compubility)

For projects requiring stronger disaster recovery guarantees, we define explicit RPO/RTO expectations in the SOW.

Logging, monitoring, and vulnerability management

For supported environments, we implement:

  • uptime/availability monitoring (as part of maintenance plans)
  • error reporting and performance monitoring (as appropriate)
  • dependency patch cadence (routine + expedited for critical advisories)
  • secure headers and baseline hardening measures (e.g., HTTPS, CSP where appropriate)

Incident handling

If we become aware of a suspected security incident impacting a system we manage, we will:

  • promptly notify the agency point of contact
  • preserve relevant logs/telemetry to the extent available
  • assist with investigation, mitigation, and recovery based on the agreed support scope

Specific incident response SLAs and responsibilities can be defined in the maintenance agreement.

Third-party services

Modern web delivery often involves third-party platforms (hosting, CMS, analytics, forms, maps, etc.). When used:

  • we document what services are in scope
  • we limit permissions and access where possible
  • we configure services using security best practices
  • we provide a list of third-party services for agency review

Privacy and public records considerations

We can support privacy notices, consent configurations (where required), and content/data retention requirements as defined by the agency. Final requirements and responsibilities are captured in the SOW.

Contact

For security-related questions or requests:

Email: security@compubility.com

Last updated

Last updated: January 11, 2026