Trust

Security posture.

How we protect the information clients trust us with — and how to report a vulnerability if you find one.

Scope. The practices below describe our standard engagement posture and the controls we apply to systems Wasatch Solutions operates directly. For client-operated systems, we work within the controls your environment already enforces and document any deviations during scoping.

Data handling

Client data is encrypted in transit (TLS 1.2+) and at rest in any system we operate. We minimize the data we copy or move — preferring access to client-controlled systems over transfers.

Access control

Least-privilege access. Personal accounts only — no shared credentials. SSO and MFA enforced on production systems and developer tooling. Credentials are managed in vaulted secret stores, never in source.

NDA by default

Every engagement starts with a mutual NDA before any client information is shared. Subprocessors handling client data are bound by equivalent confidentiality terms.

Audit and logging

Production changes are reviewed and version-controlled. Access to client systems is logged and reviewed. Incident response runbooks are maintained for the systems we operate.

Secure development

Every change goes through code review. CI runs SAST and dependency scanning, dependencies are monitored on an ongoing basis, and we generate an SBOM for what we ship, aligned with NIST SSDF practices.

Incident notification

If we become aware of an incident affecting client data, we notify the affected client without undue delay and per the controlling engagement agreement.

Responsible disclosure

Found something? Tell us.

We welcome reports of potential vulnerabilities affecting Wasatch Solutions websites or services. Please send details to security@wasatch-solutions.com. Where possible, include:

  • A description of the issue and the affected URL or system.
  • Steps to reproduce or a proof-of-concept.
  • Any logs, screenshots, or context that would help us investigate.

We commit to acknowledging reports within 3 business days and providing a substantive response within 10 business days. Please do not perform testing that could impact other users or the integrity of our systems. We will not pursue legal action against researchers acting in good faith under this policy.

Need a deeper security review for an engagement?

Subprocessor lists, sample DPAs, and additional documentation are available on request under NDA.
