SECURITY AND PRIVACY AT PROJECT BASELINE

How a solo consulting firm protects the information our clients trust us with.

Project Baseline Inc. is a Colorado corporation operated by Todd Walton, providing strategic consulting and AI implementation services to nonprofits, small and mid-market businesses, civic organizations, and individuals. This page documents our security and privacy posture, the policies we operate by, the vendors we share data with, and the commitments we make when something goes wrong. It is updated when our service stack changes or when the underlying policies are revised.

Last updated: May 22, 2026 | Version 1.0

AT A GLANCE

The short version. Each card links to the detailed section below.

Who we are

Project Baseline Inc.

Colorado profit corporation (EIN 27-0639457), founded 2009. Solo consulting practice headquartered in Broadview, Illinois. Single operator: Todd Walton. No employees with system access.

What we do

Strategic consulting and AI implementation

Nonprofit consulting, strategy consulting, AI implementation, AI training, subcontractor engagements, and free and paid AI-assisted tools.

What we protect

Client and prospect data

Engagement deliverables, intake responses, uploaded documents, payment metadata (no card data; Stripe handles cards), AI tool submissions, communications.

How to reach us

[email protected]

Security reports, vulnerability reports, privacy requests, incident notifications, and general inquiries all route to this address. Security reports are acknowledged within 24 hours; privacy requests within 7 days.

COMPLIANCE AND POSTURE

Honest framing: we are a solo consulting firm. We are not currently SOC 2 Type II attested or ISO 27001 certified, and we do not claim HIPAA or PCI-DSS compliance. We do not represent ourselves as such. What we are is a single-operator practice that has implemented and documented controls aligned with the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), scaled appropriately for our size and scope.

NIST CSF 2.0 alignment

We operate against the six NIST CSF 2.0 functions:

  • Govern (GV): Information Security Policy, Vendor and Sub-Processor Management Policy, Risk Register, annual review cadence
  • Identify (ID): PB Security Inventory documenting every system, sub-processor, data flow, and identified gap (last updated 2026-05-22)
  • Protect (PR): Access Control Policy (MFA on all SaaS accounts, SSH key-only on infrastructure), Cryptography Policy (TLS 1.2+, bcrypt cost factor 12, AES-256 at rest where applicable), Acceptable Use Policy, Data Retention Policy, Backup Policy
  • Detect (DE): Structured logging on infrastructure, sub-processor security alerts (GitHub, Cloudflare, Stripe, Google Workspace, DigitalOcean), application-level abuse-control telemetry
  • Respond (RS): Incident Response Plan with 72-hour breach notification SLA
  • Recover (RC): Backup Policy (encrypted, off-site, 90-day rolling retention plus annual archives), documented restoration testing cadence

Certifications and attestations

  • SOC 2 Type II: Not currently attested. Not on roadmap for 2026 (size and scope do not justify cost).
  • ISO 27001: Not currently certified.
  • HIPAA: Not applicable. We do not process Protected Health Information.
  • PCI-DSS: Not directly applicable. Payment card data is processed by Stripe (PCI-DSS Level 1 attested); PB never receives or stores cardholder data.
  • GDPR, UK GDPR, CCPA, and other US state privacy laws: We honor data subject rights under these laws. See Privacy Policy.

If our service stack grows to a scale where a formal attestation makes sense for the business, we will pursue it and update this page.

SUB-PROCESSORS

The vendors below process PB-controlled data on our behalf. Each is selected with documented risk assessment, contractual protections through their Data Processing Addenda or equivalent commitments, and ongoing monitoring. We notify clients with active engagements at least 30 days before adding a new sub-processor that will process their data.

#  | Sub-processor                         | Service                                 | Data type                                      | Location
1  | Google LLC (Google Workspace)         | Email, document storage, scheduling     | Communications, documents, deliverables        | United States
2  | Cloudflare, Inc.                      | DNS, TLS, WAF, DDoS mitigation, CDN     | Web traffic                                    | US (edge worldwide)
3  | GitHub, Inc. (Microsoft)              | Site hosting, source code               | Public marketing content; source code          | United States
4  | Stripe, Inc.                          | Payment processing                      | Payment metadata; PB never sees card numbers   | United States
5  | FormSubmit.co                         | Form relay for one inquiry form         | Name, email, business name, message            | United States
6  | Anthropic, PBC                        | AI generation                           | Business context for AI tools                  | United States
7  | OpenAI, L.L.C.                        | Occasional AI use                       | Limited business context                       | United States
8  | Google LLC (Gemini API)               | Occasional AI use                       | Limited business context                       | United States
9  | Perplexity AI, Inc.                   | Research lookups                        | Search queries (no client PII)                 | United States
10 | Resend, Inc.                          | Email delivery                          | Recipient email, subject, body, attachments    | United States
11 | Fireflies.ai (Fred AI, Inc.)          | Meeting transcription                   | Meeting audio and transcripts                  | United States
12 | DigitalOcean, LLC                     | VPS infrastructure hosting              | All self-hosted application data               | United States
13 | Supabase, Inc.                        | Database services                       | Limited operational data                       | United States
14 | Mailchimp (Rocket Science Group LLC)  | Email marketing (not currently active)  | Contact info for opt-in recipients only        | United States

Each sub-processor's privacy policy is linked from the live version of this page.

Sub-processor change subscription: Clients with active engagements receive direct notice at least 30 days before any change to the active sub-processor list affecting their data. To subscribe to notifications, email [email protected] with the subject line "Sub-processor notifications."

HOW WE HANDLE DATA

Encryption, retention, and deletion. The short version below; the full schedule lives in our Data Retention Policy (downloadable in the Policies section).

In transit

TLS 1.2 or higher

HTTPS enforced on all customer-facing endpoints (HTTP requests 301 redirect to HTTPS). Cloudflare-managed TLS termination on most domains, with origin TLS verified. Let's Encrypt certificates with automatic renewal.
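The transport posture above (301 to HTTPS, TLS 1.2 or higher, Let's Encrypt issuance) is something a client can verify from the outside without any access to our systems. The script below is an added example written for this page, not a Project Baseline tool; the hostname passed on the command line and the presence of curl and openssl on PATH are assumptions. Note that a modern OpenSSL built without TLS 1.0/1.1 support will report those handshakes as failed regardless of what the server does, so a "fail" there confirms the policy only when your local openssl still offers the protocol.

```shell
#!/bin/sh
# Added example (not Project Baseline's own tooling): probe a hostname for the
# transport posture described on this page. Assumes curl and openssl on PATH.

# Pure helper: given the raw headers of a plain-HTTP request, succeed only if
# the server answered 301 with an https:// Location on the same host.
is_https_redirect() {
  host="$1"
  headers="$2"
  status=$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r' | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | tr -d '\r' \
             | awk 'tolower($1)=="location:" {print $2; exit}')
  [ "$status" = "301" ] || return 1
  case "$location" in
    "https://$host"/*|"https://$host") return 0 ;;
    *) return 1 ;;
  esac
}

# Pure helper: given "proto result" lines from handshake attempts, succeed only
# if TLS 1.0 and 1.1 were refused and TLS 1.2 was accepted.
tls_policy_ok() {
  attempts="$1"
  printf '%s\n' "$attempts" | grep -q '^tls1 fail$'   || return 1
  printf '%s\n' "$attempts" | grep -q '^tls1_1 fail$' || return 1
  printf '%s\n' "$attempts" | grep -q '^tls1_2 ok$'   || return 1
  return 0
}

# Network probe: redirect check, per-protocol handshakes, and certificate issuer.
probe_host() {
  host="$1"

  headers=$(curl -sI --max-redirs 0 "http://$host/" 2>/dev/null)
  if is_https_redirect "$host" "$headers"; then
    echo "http->https 301 redirect: ok"
  else
    echo "http->https 301 redirect: FAIL"
  fi

  attempts=""
  for proto in tls1 tls1_1 tls1_2; do
    # A local openssl without the legacy protocol also yields "fail" here.
    if printf '' | openssl s_client -connect "$host:443" -servername "$host" \
         "-$proto" >/dev/null 2>&1; then
      attempts="${attempts}${proto} ok
"
    else
      attempts="${attempts}${proto} fail
"
    fi
  done
  if tls_policy_ok "$attempts"; then
    echo "minimum TLS 1.2: ok"
  else
    echo "minimum TLS 1.2: FAIL"
    printf '%s' "$attempts"
  fi

  # Informational: who issued the leaf certificate (expect Let's Encrypt).
  issuer=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" \
             2>/dev/null | openssl x509 -noout -issuer 2>/dev/null)
  echo "certificate issuer: ${issuer:-unavailable}"
}

# Usage: sh probe.sh www.example.com
if [ "$#" -gt 0 ]; then
  probe_host "$1"
fi
```

The two helpers are kept free of network calls so they can be exercised against constructed responses; the probe itself is what you run against a live hostname.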

At rest

AES-256 where applicable

Google Workspace, DigitalOcean infrastructure, and GitHub use provider-managed AES-256 encryption. Operator endpoint uses BitLocker XTS-AES 256 with TPM-backed key storage. Stripe handles all payment card data (PB never sees it).

Retention and deletion

Only what we need

AI tool abuse-control records: 90 days. AI tool PDFs (server cache): 7 days. Client uploaded documents: 90 days post-engagement. System logs: 30 days. Backups: 90-day rolling plus annual archives.

INCIDENT RESPONSE

If we confirm a security incident that affects your information, we notify you within 72 hours of confirmed exposure. Notification includes what happened, what information was involved, what we are doing about it, what you can do, and how to contact us with questions.

Severity-based response targets

Severity        | Definition                                                | Response time
Sev-1 Critical  | Active compromise of client data with confirmed exposure  | Immediate
Sev-2 High      | Active or imminent threat without confirmed exposure      | Within 4 hours
Sev-3 Medium    | Suspicious activity without immediate threat              | Within 24 hours
Sev-4 Low       | Operational anomaly with security implications            | Within 72 hours

Notification channels: Direct email from [email protected], with a follow-up call within 24 hours of email for Sev-1 incidents.

To report a security concern: Email [email protected] with the subject line "Security." We acknowledge security reports within 24 hours. For responsible disclosure of a vulnerability you have identified in a PB tool, the same address applies; we do not currently operate a public bug bounty.

Our complete Incident Response Plan (severity definitions, response phases, contact list, communication templates) is downloadable in the Policies section below.

PRIVACY

We do not sell or share your personal information for advertising. We do not use cross-site tracking or third-party advertising cookies. We do not use your information to train artificial intelligence models, and we contractually prohibit our AI sub-processors from doing so.

You have the right to access, correct, delete, and export your personal information. California residents have additional rights under the CCPA. Residents of the EEA, UK, and Switzerland have additional rights under GDPR. We respond to privacy requests within 7 days of receipt and complete most requests within 30 days.

Full Privacy Policy: www.project-baseline.com/privacy

To submit a privacy request: Email [email protected] with the subject line "California Privacy Request," "GDPR Request," or "Privacy Request" as applicable.

POLICIES AND DOCUMENTATION

The complete PB security policy bundle is below. These are the documents we operate by; they are also available to clients and prospects on request.

Some clients and prospects may need versions with additional detail (controls evidence, audit logs, environment-specific configuration). Request extended versions by email; we will evaluate the request and respond within 7 days.

CONTACT

All security, privacy, and general inquiries route to a single email address. We acknowledge security reports within 24 hours and privacy requests within 7 days.

SECURITY AND PRIVACY

Email: [email protected]

Use subjects: "Security" | "California Privacy Request" | "GDPR Request" | "Sub-processor notifications"

GENERAL CONTACT

Email: [email protected]

Phone: (855) 616-6333

Website: www.project-baseline.com

LEGAL ENTITY

Name: Project Baseline Inc.

State of incorporation: Colorado

EIN: 27-0639457

Principal place of business: Broadview, Illinois

Sole officer: Todd Walton, Principal