Trust · How we handle your data

Security at the studio.

What happens to the screen-recordings, credentials, and reference materials you hand us during an engagement — and the standing answers to the questionnaires procurement always sends.

Last reviewed · 2026-05-03

Our posture

Seismic is a small studio. We deliberately keep the surface area for client data narrow: short engagements, scoped access, working materials destroyed at handover unless a retainer extends the relationship. Most of what we touch is not regulated data — screen recordings of software UI, brand assets, working notes — but we handle it as if it were, because procurement reviewers are right to assume the worst.

We are not the right vendor for engagements that require us to process PHI, PCI, or production customer PII at scale. If your training material would expose us to that data, tell us in discovery so we can scope around it (sandbox/seed environments) or refer you to a larger firm with the certifications to do it correctly.

Access & credentials

  • We prefer dedicated, time-bounded accounts on your system over shared logins. Engagement-scoped accounts get disabled at handover.
  • Credentials are stored in a reputable password manager, gated behind MFA, and shared with engagement team members only on need-to-know. Specific tooling is disclosed on request to clients during procurement.
  • SSO/SAML provisioning into your IDP is preferred when available. Specific IDPs supported are confirmed during scoping.
  • We do not store client credentials in repository code, in shell history, in screenshots committed to drives, or in any AI/LLM tool.

Data handling

  • Source material in flight — screen recordings, brand assets, reference docs — lives in encrypted storage scoped to the engagement, accessible only to the assigned team. Storage location is confirmed during scoping (typically a client-supplied SharePoint/Drive folder, or an encrypted bucket we provide).
  • Editing workstations are full-disk encrypted, screen-locked when idle, and patched on the OS vendor's release cadence.
  • Backups of in-flight engagement files are encrypted and retained for the duration of the engagement; specific retention is set in the SOW.
  • At handover, we transfer the finished library (MP4s, captions, SCORM packages) to you and destroy our working copies of source material on a schedule set in the SOW, unless a retainer agreement keeps them in active use.
  • AI tools. We do not feed client source material into general-purpose LLM endpoints or any tool that trains on inputs. If a specific tool is required and it processes client material, it is disclosed in the SOW.

Subprocessors

The vendor list that materially touches client data is confirmed per engagement and listed in the SOW or DPA. Cloudflare (site hosting, edge analytics) and Microsoft 365 (email) are constants. Material additions during an engagement are communicated to active clients in advance via the engagement contact.

Certifications

Seismic is not currently certified to SOC 2 or ISO 27001. We are happy to fill out CAIQ, SIG-Lite, or vendor-specific questionnaires during procurement. For a copy of our most recent answers or evidence package, write to hello@seismic-technologies.com.

NDAs, MSAs, SOWs

We sign client-paper NDAs as a matter of routine. We have our own one-page mutual NDA available if you'd prefer to start with ours. MSAs and SOWs are negotiated per engagement; the SOW is generated from the discovery output, so the document procurement reviews matches the scope you saw.

Standard MSA terms (liability cap convention, IP ownership, retention, insurance) are documented in our standard paper, available on request.

Incident response

If we discover a security incident affecting client data, we will notify the engagement contact without undue delay, share what we know and what we are doing about it, and provide a written post-mortem once the incident is closed. Specific notification windows are set in the DPA. Material incidents are also disclosed to active clients via their engagement contact regardless of which engagement was directly affected.

Reporting & contact

For security questions, vendor questionnaires, or to report a vulnerability in this site, write to hello@seismic-technologies.com with "Security" in the subject line. We respond to vulnerability reports within one business day and ask reporters to give us a reasonable window to fix issues before public disclosure.

A standing Data Processing Addendum is available on request via hello@seismic-technologies.com.