Security at we.Shi.

How we treat the systems our clients run on.

The systems we build for our clients run pieces of their business that have to work. Security and continuity are part of how we operate from day one.

What we commit to

  • Confidentiality, integrity, and availability of the data our clients entrust to us.
  • An audit-ready posture by default.
  • Honest answers when a vendor review or regulator comes asking.

How we operate

Policies

We maintain a documented set of security policies covering access control, asset management, incident response, vulnerability management, risk management, and vendor due diligence. They are reviewed and updated annually, and we are happy to walk a serious prospect through any of them under NDA.

Training

Every person on our team completes security awareness training at the start of their engagement and annually thereafter. Contractors are held to the same standard.

Access control

Strong password policies, mandatory multi-factor authentication, and regular access reviews. Production access is granted by exception, not by default. We aim to be the kind of vendor that leaves an obvious audit trail.

Data protection

Encryption in transit and at rest is the baseline. Specific technical safeguards are tuned to each engagement and the regulatory environment the client operates in.

Incident response

We maintain a documented incident response plan. Identification, containment, communication, and remediation are tracked, and a post-incident review is part of every closeout. Clients are kept in the loop, in plain language.

Vendor management

Third parties we depend on are assessed against our own standards before they enter the stack and reviewed on a regular cadence after.

Compliance

We are SOC 2 Type II certified. The audit covered the Trust Service Criteria for security, availability, and confidentiality, observed across a defined audit period by an independent third party. The full report is available to current and prospective clients under NDA.

Reporting a vulnerability

If you have found a security issue with a system we operate or a system we built, please email soc2 (at) we-shi.com. We respond promptly and in good faith.

Anything else

Questions or detailed posture discussions go to hello (at) we-shi.com.

we.Shi
Waterloo, Ontario
© 2026 we.Shi Inc. All rights reserved.