Governance
- Version: 2.0
- Effective date
- Last reviewed
- Next review
- Owner: Joel R. Klemmer
Section 1. Scope and Platform Posture
This is an informational authority site. It does not process payments. It does not host user accounts. It does not maintain persistent user databases beyond limited operational needs. The risk surface is intentionally constrained by design.
Security commitments apply to this site and its hosting pipeline. We do not claim to secure data processed entirely by third-party services beyond our contractual expectations. Data transmitted to third-party services is subject to their independent security controls.
Section 2. Secure Development and Deployment
Security considerations are integrated into development design, code review, and deployment workflows.
All changes flow through version control. Continuous integration enforces formatting checks, dependency audits, linting, and validation gates prior to build.
Where applicable, production and development environments are logically separated. Access to deployment systems is restricted through role-based access controls consistent with operational needs.
Security-relevant events may be logged and reviewed consistent with operational requirements.
Section 3. Infrastructure Controls
Hosting environment
The site is hosted on infrastructure that provides TLS termination and encrypted transport. Infrastructure resilience and backup procedures are managed by the hosting provider.
Transport security
All traffic is encrypted using HTTPS. Mixed content is not used. HSTS is enabled in production with preload. TLS termination occurs at the edge.
HTTP security headers
The site sends security headers including Content-Security-Policy, X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and Permissions-Policy restricting camera, microphone, geolocation, and related features. Object and frame embedding are disabled.
Section 4. Application Controls
Input handling
Contact form input is validated. Only necessary data is collected. Rate limiting is enforced according to deployment configuration.
Dependency management
Package dependencies are managed through the project dependency system. Continuous integration scans for critical vulnerabilities. Identified issues are evaluated and addressed in accordance with severity and feasibility.
Content integrity
The site is primarily static. Dynamic execution is limited to essential functionality. Script and style sources are constrained through Content Security Policy.
Section 5. Data Protection
Data collection is minimal. Contact inquiries are processed solely for communication. No resale, no profiling, no persistent user account storage.
For additional information regarding data practices, see the Privacy page.
Section 7. Vulnerability Management
Dependencies are monitored using standard package management tools. Infrastructure updates are handled by the hosting provider.
We cannot guarantee zero-day coverage. Security issues are evaluated and addressed when identified.
In the event of a security incident involving personal data under our control, we will act consistent with applicable legal obligations.
Section 8. Responsible Disclosure
Security concerns may be reported through the Contact page. Reports should include a clear description of the issue, steps to reproduce, and the affected URL or component.
Do not include active exploit code in the initial report.
We aim to acknowledge reports within a reasonable timeframe. No response time guarantee is provided.
Section 9. Safe Harbor
We will not pursue legal action against researchers who report vulnerabilities in good faith, remain within the scope described in this policy, avoid accessing or modifying data beyond what is necessary to demonstrate the issue, and avoid privacy harm or service disruption.
This safe harbor applies only to activities conducted within the scope described in this policy and does not authorize actions that violate applicable law or third-party service terms.
Denial-of-service testing, social engineering of personnel, or testing of third-party services is not permitted.
Section 10. Limitations
No system is immune to risk. This Security page does not constitute a warranty or contractual guarantee of security.
Statements in this document reflect current practices and may change without notice.
Users are responsible for maintaining reasonable security practices on their own devices and networks.
Section 11. Governance and Review
Security posture is reviewed periodically. Material changes will be reflected in the governance section.
Last updated: 2026-02-22