Attested Security Profile
Attested by: David Wallace, CFO
Attestation date: March 1, 2026
By attesting, David Wallace confirmed this Security Assessment is accurate and complete to the best of their knowledge. This document may be relied upon by third parties in vendor due diligence. Any material misrepresentation may constitute a breach and expose the attesting organization to legal liability.
Attestation ID: 4c19c9c9-125d-4969-bd94-0c3873c0ae81
Disclosure: This page summarizes information self-reported and attested by Dunder Mifflin on March 1, 2026. TrustDossier, LLC does not independently audit or verify these responses.
Identity, access controls, and offboarding
MFA is enforced for all user accounts via Google Authenticator. No exceptions — even Michael had to set it up after the third password incident.
SSO is supported via Google Workspace. All employees authenticate through a single identity provider.
Google Workspace serves as our identity provider for all internal systems and customer-facing applications.
Role-based access control is enforced across all production systems. Access is granted on a least-privilege basis and reviewed quarterly.
Quarterly access reviews are in the process of being formalized. Ad hoc reviews have been conducted but a documented cadence was only established in Q1 2026. Jim keeps meaning to finish the spreadsheet.
Offboarding checklist covers access revocation, device retrieval, and credential rotation. Process completes within one business day of separation. Dwight personally escorts departing employees to the parking lot.
Encryption, storage, retention, and residency
We process business contact information, company profile data, and document content. We do not process payment card data, health records, or government IDs.
All data is stored in AWS us-east-1. No data leaves the United States. Scranton would be proud — 100% domestic.
Primary cloud provider is AWS. We also use Supabase (PostgreSQL) hosted on AWS infrastructure. No other cloud providers receive customer data.
All data at rest is encrypted using AES-256. Database encryption is managed at the infrastructure level via AWS RDS and Supabase.
All data in transit is encrypted using TLS 1.2 or higher. HTTP traffic is automatically redirected to HTTPS across all endpoints.
Retention policy is documented in our privacy policy. Automated enforcement at the infrastructure level is partially implemented — manual review is still required for edge cases.
Customer data deletion is supported via a manual request process today. Automated self-service deletion is on the Q3 2026 product roadmap. Current SLA is 30 days.
All customer data is stored exclusively in US-based infrastructure. Data residency is enforced at the infrastructure level with no cross-border transfers.
AWS and Supabase are our primary subprocessors. Both maintain SOC 2 Type II certifications. Full subprocessor list is available upon request.
Code practices, scanning, and environment controls
We follow a structured SDLC including requirements review, development, code review, staging validation, and production deployment. All changes go through GitHub pull requests.
All code changes require peer review and approval before merging to main. No direct commits to production — not even from the CEO. Especially not from the CEO.
Automated security scanning runs on every pull request via GitHub Actions with Snyk integration. Critical findings block deployment.
Dependabot alerts are enabled but enforcement blocking deployments on vulnerable dependencies is not yet configured. Full implementation targeted for Q2 2026.
Production and staging environments are fully separated with distinct credentials, databases, and access controls. No production data is used in staging.
Application logging is in place. Automated alerting on anomalous patterns is partially configured — critical alerts are live but medium-severity thresholds are still being tuned.
All secrets and API keys are managed via AWS Secrets Manager. No credentials are stored in code or environment files in version control.
Scanning, patching, and penetration testing
Internal penetration testing was conducted in Q4 2025. Engagement with a third-party pen test firm is scheduled for Q3 2026 as part of our SOC 2 readiness program.
Automated vulnerability scanning runs weekly across all production infrastructure. Critical findings are triaged within 24 hours and resolved within 7 days.
Critical patches are applied within 7 days. High severity within 30 days. Patch SLA is documented and tracked in our security backlog.
Most recent internal penetration test was completed Q4 2025. External third-party test is scheduled for Q3 2026. Results from internal test are documented with all critical findings resolved.
Breach response, notification, and ownership
Incident response plan is documented and covers all major scenarios. Tabletop exercise has not yet been conducted — scheduled for Q2 2026. Toby offered to facilitate. We declined.
Breach notification procedures comply with applicable state laws and GDPR where applicable. Affected parties are notified within 72 hours of confirmed breach. We do not wait until the annual meeting to disclose.
Our CTO serves as the designated incident response owner with documented escalation paths and 24/7 on-call coverage.
Subprocessors, DPAs, and third-party risk
All data processing is handled internally or through vetted subprocessors. We do not engage undisclosed third parties for data processing.
Core subprocessors are documented. Formal quarterly review process is being established. Current list is accurate but review cadence is not yet on a fixed schedule.
Vendor security reviews are conducted informally today. A formal vendor risk assessment framework is being documented and will be in place by Q3 2026.
Data processing agreements are in place with all subprocessors. DPAs are reviewed annually and updated upon material changes to processing activities.
Regulatory frameworks and data subject rights
GDPR is not applicable. We do not offer services to EU residents and do not process personal data of EU data subjects.
As a publicly traded paper company, Dunder Mifflin is subject to SOX financial reporting requirements and FTC consumer protection regulations. HIPAA, FERPA, COPPA, and GLBA are not applicable to our business.
We serve customers across multiple states and comply with applicable state privacy laws. California CCPA/CPRA, Virginia VCDPA, New York SHIELD Act, and Texas TDPSA are the primary frameworks applicable to our operations. Additional states are monitored as new laws take effect.
Privacy policy is publicly available at our website and was last reviewed by legal counsel in Q1 2026. It covers data collection, use, retention, and user rights.
Data subject requests are handled via email to privacy@dundermifflin.com with a 30-day SLA. Formal ticketing and tracking system is being implemented in Q2 2026. Pam is currently the single point of contact.
Policies, training, continuity, and oversight
SOC 2 Type II is targeted for Q4 2026. Roadmap is documented with milestones assigned to owners. We are not winging it — unlike some paper companies we know.
Security awareness training is completed by all employees at onboarding and annually thereafter. Training covers phishing, password hygiene, and data handling. Completion is tracked and enforced.
Background checks are conducted for all full-time employees prior to start date through a third-party screening provider.
Business continuity plan is documented. Formal testing has not yet been conducted — first scheduled test is Q2 2026. Kevin has been asked not to be the primary contact during outages.
Automated daily backups run for all production databases via Supabase. Backups are retained for 30 days and stored in a separate AWS region.
Our CTO serves as the designated security owner with documented responsibilities including policy oversight, incident response, and vendor review.
Security contact is published at security@dundermifflin.com. Responsible disclosure policy is documented on our website.
Automated backups are running and verified daily. Formal restoration test is scheduled for Q2 2026 as part of our business continuity program; restoration has not yet been tested end-to-end.
Employee security policy is documented covering acceptable use, data handling, device management, and incident reporting. All employees sign at onboarding.
AI providers, data use, and output controls
We use OpenAI GPT-4 for internal productivity tooling and Anthropic Claude for document summarization. Neither provider receives customer data.
Customer data is explicitly excluded from AI training via contractual opt-outs with all AI providers. Data processing agreements are in place.
OpenAI retains inputs for 30 days for abuse monitoring only. Anthropic retains inputs for 30 days. No training on customer data in either case.
All AI-generated outputs are reviewed by a human before being used in any customer-facing context. This is a hard policy requirement.
Acceptable use policy for AI tools is documented and included in employee onboarding. Use of AI for customer data processing requires prior approval.
AI interaction logging is on the Q3 2026 roadmap. Currently relying on provider-level logging only. Internal structured logging has not yet been implemented.
Initial AI risk assessment completed for our two primary providers. Formal documentation and an annual review cadence are in progress — expected completion Q3.
Basic content filtering is in place via provider API settings. Custom guardrails for our specific use cases are under development — targeted for Q3 2026.
Attestation Details
Methodology: TrustDossier™ structured assessment covering 55 controls across 9 domains
Framework note: Developed by a legal and security team: a licensed attorney (CIPP/US) and a CISSP, CRISC, CDPSE certified CISO
Information is self-reported. TrustDossier, LLC does not independently audit or verify these responses.