Trust Profile — Sylvan Assurance, LLC
Worked-example notice. This document serves two purposes:
1. A demonstration of the TrustReady Pro Trust Profile Generator Template filled out for a real organisation, end to end, every bracket resolved.
2. The source material for the eventual /security page at sylvanassurance.com, once the site is live.
Sylvan Assurance is deliberately a slightly unusual subject for a Trust Profile — we are a small LLC selling self-contained downloadable toolkits, not a multi-tenant Software-as-a-Service product. That makes this a useful test of the template: the structure flexes to accommodate "we don't operate a SaaS, here's what we actually do" without distorting the format.
Pre-publication checklist (worked)
| Check | Status |
|---|---|
| Every claim in the Profile is currently true. | Verified 2026-05-30 |
| Specific dates (formation, last reviews) are current. | Verified 2026-05-30 |
| All [bracketed placeholders] have been filled with real values. | Done — no bracketed placeholders remain below this line |
| The security contact email exists and is monitored. | support@sylvanassurance.com — verified deliverable 2026-05-26 |
| The page has been reviewed by an executive sponsor. | Single-member LLC — founder is both author and executive sponsor |
| Legal counsel has reviewed if you are publicly making contractual commitments. | This Profile is informational only; specific contractual commitments live in terms.html, refund.html, and privacy.html, which a Vermont-licensed attorney will review pre-launch |
Trust Profile — Sylvan Assurance, LLC
Page metadata for the published version:
Page title: Sylvan Assurance — Security and Trust
URL: https://sylvanassurance.com/security
Last reviewed: 2026-05-30
Review cadence: Quarterly, and after any material control change.
Contact: support@sylvanassurance.com
1. Company at a glance
Sylvan Assurance, LLC is a Vermont limited liability company that publishes downloadable compliance and security toolkits for small product teams, fractional Chief Information Security Officers, Managed Service Providers, and incident-response operators. We do not operate a multi-tenant Software-as-a-Service product. Our deliverables are self-contained PDF and Excel files that customers download once and own forever.
Our corporate website is a static site served from Cloudflare Pages. Our payment processing is handled by Lemon Squeezy as Merchant of Record. Our free-guide email is handled by our email-service provider (see §5).
Because we sell downloadable files rather than operating a service that processes customer data, the questions a typical Trust Profile answers ("where is my data," "who can access it," "what is your uptime commitment") apply differently to us than they would to a SaaS vendor. The sections below answer them in the form that actually fits our model.
2. Compliance and certifications
#### Currently certified or attested
Sylvan Assurance holds no third-party certifications at this time. We are a small, early-stage company; the volume and customer profile that would justify the cost of a Service Organisation Control 2 audit, an International Organization for Standardization 27001 certification, or equivalent are not yet present. We will not claim certifications we do not hold.
#### Aligned without certification
- General Data Protection Regulation (Regulation (EU) 2016/679). Our processing as a controller is limited to free-guide email addresses (opt-in) and support correspondence. We act as our own Data Protection Officer for the moment given the volume. Our Privacy Policy at sylvanassurance.com/privacy describes our processing in detail. Data subject rights requests can be made to support@sylvanassurance.com.
- National Institute of Standards and Technology Cybersecurity Framework — Identify and Protect functions. Our infrastructure choices (Cloudflare Pages, server-side analytics, no client-side tracking, no behavioural analytics, no customer data stored on our infrastructure) reflect a deliberate Identify-and-Protect-first posture. Detect, Respond, and Recover functions are limited in scope because there is very little to detect, respond to, or recover from — no customer database, no operational service, no production runtime executing customer code.
- Privacy-first by design. Our distinctive stance: every free assessment we publish runs entirely in the visitor's browser. We never receive assessment answers. This is not a marketing claim that can be quietly walked back; it is enforced architecturally. The assessment pages have no telemetry endpoints, no analytics scripts, no form submissions for the answer data, and (by Content Security Policy) no permitted external script sources. The only data we collect is the email address a visitor optionally provides to receive the free guide.
#### Frameworks we have evaluated and explicitly do not align to
We are transparent about what we are not doing.
- Software Bill of Materials (SBOM) production for our toolkit content. Our deliverables are PDFs and Excel files, not software. A Software Bill of Materials does not meaningfully apply.
- Continuous penetration testing. Our public attack surface is a static website. We rely on Cloudflare's infrastructure protections and our payment processor's controls. We will reassess if our architecture grows beyond static content.
3. Identity, access, and authentication
We do not operate a customer-facing authenticated product. The questions in this section therefore apply to our internal administrative access.
All administrative access to Sylvan Assurance systems — domain registrar, Cloudflare account, payment processor account, email-service provider account, corporate email — requires Multi-Factor Authentication using either a hardware security key conforming to FIDO2 / WebAuthn (preferred) or a Time-based One-Time Password application. Short Message Service one-time passwords are explicitly disabled where the provider allows it.
We use a password manager with end-to-end encrypted storage for credentials. Recovery codes are stored offline.
Customer authentication is handled by our payment processor (Lemon Squeezy) for purchase flows and by our email-service provider for any account-management flows associated with email subscriptions. Sylvan Assurance does not authenticate customers directly because there is no Sylvan Assurance system to authenticate against.
Access reviews are conducted at every quarter-end. Given the small team, the access review consists of reviewing all active credentials, the providers' access logs, and any active sessions on each platform. Onboarding and offboarding of additional contributors (none today) would follow a documented workflow before any such contributor is added.
4. Data handling and encryption
This section answers what we do with the small amount of data we collect.
#### What we collect
- Email addresses opted in via the free-guide flow after a visitor completes a free assessment and asks to receive the related free guide.
- Purchase information (name, email address, billing country, order reference) for paid-toolkit purchases, processed by Lemon Squeezy as Merchant of Record.
- Support correspondence sent to support@sylvanassurance.com.
- Aggregate website traffic counts (page views and visitor country, reported at country level only, with no individual identification) via Cloudflare's server-side analytics — no JavaScript injection, no cookies.
#### What we explicitly do not collect
- Free-assessment answers. Every free assessment runs entirely in the visitor's browser. Answers are scored locally and displayed to the visitor. They are never transmitted to us or to any third party.
- Behavioural analytics. We do not use Google Analytics, Mixpanel, Heap, FullStory, Hotjar, or any equivalent client-side analytics tool.
- Tracking cookies. The site sets no advertising or behavioural-tracking cookies. The only cookies set are strictly-necessary cookies in the payment-processor checkout flow.
- Cross-site tracking. We do not embed pixels, web beacons, or scripts that would allow third parties to track visitors across other sites.
- Sensitive categories. We do not collect biometric data, government-issued identifiers, racial or ethnic origin, religious beliefs, political opinions, trade-union membership, sexual-orientation data, criminal-record data, or health data.
- Data about children. Our services are not directed at, and not knowingly used by, individuals under the age of 16.
#### Encryption at rest
Lead-magnet email addresses are stored at our email-service provider. The provider encrypts subscriber data at rest using Advanced Encryption Standard 256-bit. Purchase information is stored at Lemon Squeezy and encrypted at rest per their documented controls. Support correspondence is stored at our mailbox provider with mailbox-level encryption.
We do not operate our own database, file server, or object store. There is no Sylvan Assurance-controlled at-rest customer data outside the three provider systems above.
#### Encryption in transit
All web traffic to sylvanassurance.com is served over Transport Layer Security version 1.2 or higher; Transport Layer Security 1.3 is supported and preferred. HTTP Strict Transport Security is enforced. Connections to our providers' Application Programming Interfaces are similarly encrypted.
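As an added check (example code written for this page, not part of the Profile or of any TrustReady toolkit), the following Python verifies a set of HTTP response headers against the posture stated in §2 (no external script sources, no telemetry endpoints, no form submissions for answer data, enforced by Content Security Policy) and in this section (HTTP Strict Transport Security enforced). The header values are constructed samples, not captures from sylvanassurance.com.

```python
"""Check HTTP response headers against the Trust Profile's stated posture:
no external script sources, no telemetry endpoints, no form submissions,
and HSTS enforced. All headers below are constructed samples, not captures."""
# Constructed sample that matches the stated posture.
HARDENED_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
        "connect-src 'none'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}
# Constructed sample that quietly violates it (third-party script, no HSTS).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}


def external_sources(sources: list[str]) -> list[str]:
    """Quoted keywords ('self', 'none', nonces) never name another origin;
    anything unquoted is a host, scheme or wildcard, i.e. an external source."""
    return [s for s in sources if not s.startswith("'")]


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive: [sources]}; per the CSP spec only the
    first occurrence of a directive counts, so repeats are ignored."""
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header, or -1 if absent or malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return -1


def check_posture(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the headers match the stated posture."""
    findings: list[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        # Fetch directives fall back to default-src; with neither, anything loads.
        for directive in ("script-src", "connect-src"):
            sources = policy.get(directive, policy.get("default-src", ["*"]))
            if external_sources(sources):
                findings.append(f"{directive} allows external sources: {sources}")
        # form-action does not inherit default-src: absent means any target.
        if external_sources(policy.get("form-action", ["*"])):
            findings.append("form-action permits posting form data off-site")
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif hsts_max_age(hsts) < 31536000:
        findings.append("Strict-Transport-Security max-age below one year")
    return findings
```

Run against live headers (for example, from `curl -sI https://sylvanassurance.com`) at each quarterly review to confirm the claims above still hold.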
#### Data retention
- Lead-magnet email addresses. Retained while the subscriber remains opted in. Removed within seven days of unsubscribe.
- Purchase records. Retained for seven years to satisfy US tax-record requirements. Personally identifying portions can be anonymised on request once the regulatory retention window is satisfied.
- Support correspondence. Retained for three years from last contact, then deleted.
5. Hosting and sub-processors
#### Hosting
The corporate website at sylvanassurance.com is hosted on Cloudflare Pages. Pages are served from Cloudflare's global edge. No origin server is operated by Sylvan Assurance.
#### Sub-processors
We maintain a current sub-processor list publicly because we have nothing to hide and because the list is short.
| Sub-processor | Service | Data categories processed | Jurisdiction | Agreement |
|---|---|---|---|---|
| Cloudflare, Inc. | Website hosting, edge delivery, server-side analytics | Aggregate request metadata (no personal data identifiable beyond country) | United States | Cloudflare Subscription Agreement + Data Processing Addendum |
| Lemon Squeezy (LMSQUEEZY LLC) | Payment processing as Merchant of Record | Purchase information (name, email, billing country, order reference) | United States | Lemon Squeezy Merchant Agreement; Lemon Squeezy is itself the Merchant of Record and handles US sales tax, EU/UK VAT, and AU/CA GST collection and remittance |
| Email-service provider (selection pending; current candidate: MailerLite) | Lead-magnet email storage and delivery; lifecycle-email automation | Email address; engagement metadata (open and click events) | Selection-dependent (MailerLite is EU-based) | Provider-standard Data Processing Agreement |
| Mailbox provider (current: iCloud+ for support@sylvanassurance.com) | Inbound and outbound support email | Email contents and metadata | United States | Apple iCloud terms |
Material changes to the sub-processor list (additions, removals, or jurisdiction changes) will be communicated via this Trust Profile with a 30-day pre-change notice when reasonably possible.
6. Incident response
Sylvan Assurance maintains a written Incident Response Plan adapted from the First 4 Hours Incident Response toolkit we publish — a useful internal dogfooding exercise that has surfaced two minor improvements to the toolkit itself, both folded back into the Solo Edition.
The plan covers detection, containment, eradication, recovery, and post-incident review. Given the small team, the incident commander role, the communications role, and the technical lead role are held internally, with documented escalation paths to: a Vermont-licensed attorney for legal questions; the relevant sub-processor's incident-response team for sub-processor-side incidents; and the General Data Protection Regulation supervisory authority for personal-data breaches affecting European Union data subjects.
The plan is reviewed annually and tabletop-tested annually. The next tabletop will take place on 2027-05-30 or after the first real incident, whichever comes first.
#### Breach notification commitment
We commit to notifying affected customers without undue delay following confirmation of a security incident affecting their data. For customers with data subjects in the European Union, we will notify the relevant supervisory authority within the General Data Protection Regulation Article 33 72-hour window where the regulation requires it. The General Data Protection Regulation 72-Hour Battle-Card that we publish (free) describes our internal procedure as well as the regulatory procedure — they are the same procedure.
Because Sylvan Assurance does not host customer data on its own infrastructure, the most plausible breach scenarios involve our sub-processors. In every sub-processor case, our role is to receive the sub-processor's incident notification, assess the impact on Sylvan Assurance customers, and notify those customers (and any applicable regulator) accordingly.
#### Security incident reporting
Researchers, customers, and others can report potential security issues to support@sylvanassurance.com with the subject line "Security report". We acknowledge security reports within two business days and follow a coordinated disclosure process. Reasonable disclosure timelines (90 days is our default) will be agreed up-front. We will publicly credit the reporter when reasonable and the reporter wants to be credited.
We do not currently offer monetary rewards for security reports. Credit and a hand-written thank-you are what we can offer at this stage of the business.
7. Vulnerability and security testing
#### Penetration testing
We do not currently engage a third party for penetration testing of the static corporate website. The attack surface is limited (a static site behind Cloudflare with no server-side application code under our control) and the cost-benefit calculus does not currently favour engaging a penetration-testing firm. We will reassess on each anniversary of the LLC formation or upon any material change to the architecture (for example, introducing a dynamic application).
#### Dependency scanning
The corporate website has no JavaScript dependencies and no build pipeline beyond a static `wrangler pages deploy`. There is no dependency tree to scan.
Our internal toolchain (Python, Node.js for utility scripts) is kept current and is patched within seven days of any critical vulnerability disclosure affecting an actively used component.
#### Infrastructure scanning
Our infrastructure footprint is the static-site bucket on Cloudflare Pages, our domain registrar, and our provider accounts. Cloudflare publishes its own security and compliance posture (Service Organisation Control 2, International Organization for Standardization 27001, others) and we rely on those for the underlying infrastructure. We periodically review our Cloudflare account settings against the documented hardening checklist Cloudflare publishes for Pages projects.
8. Business continuity
Our service is the availability of sylvanassurance.com and the customer-download links for purchased toolkits.
| Service | Recovery Time Objective | Recovery Point Objective |
|---|---|---|
| Corporate website (Cloudflare Pages) | Inherits Cloudflare's published availability target; site can be redeployed from source within 30 minutes if necessary | Negligible (the entire site source lives in version control; the "data" being recovered is just the static site) |
| Customer-download links for purchased toolkits | Inherits Lemon Squeezy's published availability target; alternative download mechanism (direct email delivery on request) can be operated manually if Lemon Squeezy is unavailable | Negligible (the downloadable files are static and replicable) |
| Lead-magnet email delivery | Inherits email-service-provider availability; manual delivery fallback available | One business day (any in-flight automation may need to be re-triggered manually) |
Because no Sylvan Assurance system holds the only copy of any customer data, traditional Recovery Point Objective calculations do not apply in the usual sense.
Backups: the corporate website source is held in encrypted version control on both the founder's laptop (with full-disk encryption) and an encrypted off-machine backup. Toolkit-source markdown files and build scripts are similarly backed up. Lead-magnet email-list backups are exported from the email-service provider monthly and stored in the same encrypted backup.
9. Security contact
For security questions, vulnerability reports, or requests for additional detail:
Email: support@sylvanassurance.com (subject: "Security report")
Vulnerability Disclosure Policy: Coordinated disclosure with a default 90-day timeline. Public credit on request. No monetary rewards at this stage.
Response commitment: We acknowledge security reports within two business days. Severity classification within five business days. Update intervals at most 14 days.
For procurement and questionnaire requests, contact support@sylvanassurance.com. We will respond using the same TrustReady-format answer-bank entries that we sell to others; this is itself a useful demonstration of how the toolkit performs in practice.
Trust portal access (optional)
We do not currently operate a separate Non-Disclosure Agreement-gated trust portal. Everything we can reasonably say publicly is said above. If a prospective customer needs additional detail that is not appropriate for the public document, contact support@sylvanassurance.com and we will work out the right form for the additional disclosure on a case-by-case basis.
Recent updates (change log — most recent five)
- 2026-05-30: Initial Trust Profile published; first public document of Sylvan Assurance's security posture. Built as a worked example of the TrustReady Pro Trust Profile Generator Template.
- 2026-05-30: Sub-processor list finalised at four entries (Cloudflare, Lemon Squeezy, email-service provider, mailbox provider).
- 2026-05-30: Internal Incident Response Plan adapted from First 4 Hours Solo Edition; two improvements to the published Solo Edition resulted.
- 2026-05-28: Privacy Policy drafted and published at sylvanassurance.com/privacy.
Footer
Trust Profile last reviewed: 2026-05-30
Next scheduled review: 2026-08-30
Document owner: Founder, Sylvan Assurance, LLC (no separate Chief Information Security Officer role at this scale)
Executive sponsor: Founder, Sylvan Assurance, LLC
This Trust Profile is a public statement of Sylvan Assurance's security posture as of the last review date. It is informational and not contractual; specific contractual commitments are made in our Terms of Use, Refund Policy, and Privacy Policy, all published on sylvanassurance.com. Where we reference frameworks (General Data Protection Regulation, National Institute of Standards and Technology Cybersecurity Framework) we are describing alignment rather than certification; we hold no third-party certifications at this time and will not claim any that we do not hold.
Worked-example notes — what this exercise revealed
Three observations from completing the template against ourselves:
- The "we do not operate a SaaS" answer is a legitimate use of the template. The template flexes to accommodate organisations whose architecture does not match the typical SaaS pattern. Section 4 ("Data handling and encryption") in particular is where the difference shows up — for us, the relevant detail is what we do not collect, not what we encrypt.
- The sub-processor list is shorter than expected. Four entries. Publishing it publicly (rather than gating it behind a Non-Disclosure Agreement) is consistent with the brand stance and removes friction from procurement conversations.
- The Incident Response Plan dogfooding produced two product improvements. Adapting the First 4 Hours Solo Edition for internal use surfaced (a) an unclear instruction about evidence-preservation when the incident affects a sub-processor (now clarified in v2 of the Solo runbook); and (b) a missing entry in the escalation tree for "incident at the payment processor" (now added). Both improvements folded back into the published Solo Edition.
This worked example uses the TrustReady Pro Trust Profile Generator Template (Source: TrustReady/Source/tier-3-pro/2026-05-30-pro-trust-profile-generator-template.md). The template is shipped in the TrustReady Pro Edition ($199). The Trust Profile Playbook (Source: TrustReady/Source/tier-3-pro/2026-05-30-trust-profile-playbook.md) covers the strategy and maintenance approach.