How We Back Up Every Claim
Our SLAs, security stack, compliance frameworks, incident response process, and backup standards — documented so you can evaluate us against your practice's real requirements.
What Our Numbers Actually Mean
Every metric on our site has a definition. Here's exactly how each is measured and what it covers.
Measured from ticket creation to first engineer acknowledgment during business hours (8am–6pm MST). After-hours P1 incidents (system down, ransomware, data breach) target 30-minute response via on-call rotation.
Applies to network infrastructure and managed servers under our full-management tier. Calculated monthly, excluding pre-approved maintenance windows. Credit issued for qualifying downtime per signed service agreement.
Datto SIRIS recovery time objective for managed servers. Measured from disaster declaration to verified system restoration. Essential tier targets 24-hour RTO.
SentinelOne Vigilance MDR SOC operates around the clock. Threat containment is automated; human analyst escalation happens within minutes of a confirmed incident.
Our Compliance Approach
We distinguish between supporting your compliance program and claiming compliance on your behalf. Here's what we deliver for each framework.
HIPAA Security Rule
Healthcare clients
We implement and document Administrative, Physical, and Technical Safeguards as defined in 45 CFR Part 164. Our annual risk assessment maps controls to each required implementation specification.
We sign a Business Associate Agreement (BAA) with every healthcare client before handling any ePHI-adjacent systems.
ABA Formal Opinion 477R
Law firm clients
We align security controls to the ABA's cybersecurity guidance for attorneys: access controls, encrypted communications, secure remote access, and incident response procedures. We provide documentation suitable for firm ethics compliance records.
We provide written security control documentation for use in firm policy records and bar compliance reviews.
SOC 2 Type II Readiness
Enterprise clients
We deploy Vanta to continuously collect evidence across Security, Availability, and Confidentiality trust service criteria. This provides audit-ready documentation rather than once-a-year snapshots.
SOC 2 audit readiness is included in Professional and Enterprise tiers. Formal CPA audit engagement is coordinated separately.
Every Tool We Deploy
No mystery black boxes. Every client gets the same enterprise-grade stack — not scaled-back versions for small practices.
AI-driven EDR/XDR endpoint protection
24/7 managed detection and response SOC
Cloud-native SIEM — 1-year log retention
Privileged Identity Management, risk-based MFA
Threat protection integrated with M365
DNS-layer filtering, web threat blocking
Cloud backup, business continuity, bare-metal restore
Continuous HIPAA / SOC 2 compliance automation
Security awareness training and phishing simulation
Data governance, sensitivity labels, DLP
MDM/MAM for device policy enforcement
GRC automation for Enterprise compliance programs
What Happens When Something Goes Wrong
Our incident response workflow for P1 events — system compromise, ransomware, confirmed breach, or critical outage.
Detect
SentinelOne or Sentinel triggers an automated alert. An MDR SOC analyst reviews it within minutes.
Contain
Affected endpoint or account is isolated automatically. Engineer notified immediately.
Notify
Client contact is called within 30 minutes of a confirmed P1 incident. Written incident record opened.
Investigate
Root cause analysis performed. Affected systems, accounts, and data scope are documented.
Recover
Clean restore from Datto backup or reimaging. Systems validated before return to service.
Report
Written post-incident report delivered. HIPAA breach analysis included for healthcare clients.
Recovery Standards by Tier
All tiers use Datto SIRIS with immutable snapshots. Ransomware cannot encrypt your backups. Here's what each tier covers.
| Standard | Essential | Professional | Enterprise |
|---|---|---|---|
| Backup Frequency | Daily | Every 4 hours | Continuous (CDP) |
| Recovery Time Objective | 24 hours | 4 hours | 1 hour |
| Recovery Point Objective | 24 hours | 4 hours | 15 minutes |
| Offsite Replication | Datto Cloud | Datto Cloud + local | Datto Cloud + local + geo-redundant |
| Backup Testing | Quarterly screenshot | Monthly live test | Monthly live test + annual DR drill |
| Ransomware Protection | Immutable snapshots | Immutable + isolated copy | Immutable + isolated + air-gapped |
How We Handle Your Data
No Data Resale
We do not sell, share, or license client data to any third party. Client data is used exclusively to deliver contracted services.
Encryption in Transit and at Rest
All managed data is encrypted using AES-256 at rest and TLS 1.2+ in transit. Remote access sessions use encrypted tunnels only.
Vendor Subprocessors
We use Microsoft, SentinelOne, Datto, Vanta, Cisco, and KnowBe4 as subprocessors. Each has signed data processing agreements aligned with HIPAA and SOC 2 requirements.
Data Residency
Backup and SIEM data is stored in US-based data centers. We do not route ePHI or attorney-client data through non-US infrastructure.
Access Controls
Least-privilege access is enforced via Entra ID PIM. Engineer access to client systems is logged, time-limited, and requires MFA. Access is reviewed quarterly.
Offboarding
Upon contract termination, client data in our systems is securely wiped within 30 days. Backup media is destroyed per NIST 800-88 standards. Written confirmation provided.
Have Specific Compliance Requirements?
Our free security assessment benchmarks your current environment against HIPAA Security Rule controls or ABA Formal Opinion 477R. Written gap report delivered in 48 hours.