Skip to main content
V MATRIX

Legal

Security

Last updated:

Security is a foundation, not a feature. At V MATRIX, our approach is to start with the smallest possible attack surface, work inside our clients' own environments wherever possible, and be honest about what we have and do not yet have in place.

1. Our Operating Model

V MATRIX is a Florida LLC operated by a single accountable founder. We do not run our own customer-facing infrastructure for client workloads. We deliver into our clients' environments — their cloud accounts, their repositories, their identity systems — under the security controls they require.

For our own business operations (this Site, business email, scheduling), we use established providers (Vercel, Microsoft 365, Cal.com, PostHog) with documented security programs.

2. Code Security

When we engineer software for clients:

  • We work in the client's source-control system, not ours
  • We commit under named identities with signed commits where supported
  • We never copy client code or credentials to personal devices for the purpose of long-term storage
  • We follow secure coding practices appropriate to the language and framework
  • We integrate with the client's existing code-review, CI/CD, and security-scanning tooling

3. Infrastructure

When we operate systems for clients:

  • We deploy into the client's cloud account (AWS, Azure, GCP, or other), not ours
  • We use the client's identity provider (Okta, Azure AD, Google Workspace, Auth0, or similar)
  • We use the client's secret management (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault)
  • We follow principle of least privilege for any access we are granted
  • We document the infrastructure we touch, so handover is clean

4. Data Handling

We follow a minimum-data principle:

  • We collect only the data we need to do the work
  • We process data in the smallest scope possible
  • We do not exfiltrate client data to V MATRIX systems unless explicitly contracted to do so
  • We do not use client data to train general-purpose AI or ML models
  • TLS 1.3 in transit; encryption at rest is provided by the underlying cloud provider's defaults

5. Access Controls

V MATRIX operates with:

  • Multi-factor authentication enforced on all primary accounts (GitHub, Vercel, Microsoft 365, Cal.com, PostHog, GoDaddy)
  • Hardware-backed authentication where available
  • Founder-only access to V MATRIX systems by default; access to client systems is granted per engagement and revoked on completion
  • Endpoint protection on devices used for engagement work

6. Confidentiality and NDAs

We are NDA-ready before any engagement. We will sign your NDA or provide our mutual NDA template. Confidentiality survives the engagement.

7. Subprocessors

The third-party services we use to operate our business:

  • Vercel Inc. — hosting (vmatrix.io)
  • PostHog Inc. — product analytics
  • Cal.com Inc. — meeting scheduling
  • Microsoft Corporation — business email and document collaboration via Microsoft 365
  • GoDaddy Operating Company, LLC — domain registration

Each is contracted under terms that require security, confidentiality, and limit data use to providing the service. When clients engage us, we disclose subprocessors per engagement and update them on material changes.

8. Incident Response

If we discover or are notified of a security incident affecting personal information or client data we hold or have access to:

  • We will investigate promptly
  • We will notify affected clients without undue delay, and in any event consistent with the Florida Information Protection Act and applicable contractual obligations (typically within 72 hours of confirmed awareness)
  • We will cooperate with clients on remediation, notifications to data subjects, and regulator filings

Report a suspected vulnerability or incident: info@vmatrix.io with subject line beginning [SECURITY].

9. Compliance Posture — Honest Statement

We design and operate to be aligned with:

  • GDPR (EU General Data Protection Regulation) for any EU personal data we touch
  • CCPA/CPRA for California consumer data
  • Florida Information Protection Act (FIPA) for breach notification
  • EU-U.S. Data Privacy Framework principles for transatlantic data transfers

We do not currently hold the following certifications:

  • SOC 2 Type I or Type II
  • ISO 27001
  • HIPAA Business Associate Agreement coverage
  • FedRAMP
  • PCI DSS

These certifications are on our roadmap when our scale and client mix justify the investment. Until they are achieved, we will not claim them. If your procurement process requires one of these, let us know — we can discuss the underlying controls, work within your environment to inherit your certifications, or propose a path forward.

10. Business Continuity

V MATRIX is a small, focused organization. Our continuity plan rests on:

  • Documented engagement state in client systems (not ours)
  • Source code, infrastructure-as-code, and runbooks living in the client's repositories
  • Clear handover documentation so any qualified engineer can pick up the work
  • Insurance coverage appropriate for a U.S. consulting LLC

11. Contact

For security questions, vulnerability reports, or compliance documentation requests:

V MATRIX TECHNOLOGIES LLC
2125 Biscayne Blvd, Ste 204 #24879
Miami, FL 33137
United States
info@vmatrix.io (use subject line [SECURITY])