Data Science & Engineering Experts, Inc. ("DSE," "we," "us," or "our") delivers AI, data engineering, and security-advisory services to mid-market and federal clients. Security and confidentiality are foundational to how we operate our own business and to how we handle the information our clients entrust to us during an engagement. This overview describes the controls we maintain today. It is a description of our current practices, not a warranty or contractual commitment; the terms governing any engagement are set out in the applicable master services agreement (MSA), statement of work (SOW), or data processing addendum (DPA).
We describe our controls at the category level. We design to widely recognized security frameworks and maintain a SOC 2-aligned control environment; a SOC 2 Type II examination is currently in progress with an independent auditor. This overview is organized around the SOC 2 Trust Services Criteria most relevant to a professional-services firm: Security, Availability, and Confidentiality.
Our internal controls are designed against the SOC 2 Trust Services Criteria, and a SOC 2 Type II examination is currently in progress with an independent auditor. We do not claim a completed attestation before it is issued, and we will update this page as our attestation status changes.
Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256) using industry-standard mechanisms provided by our cloud infrastructure.
Access to systems and client data is scoped to what a role requires and no more, and is reviewed periodically.
MFA is enforced on the accounts and administrative systems used to run our business and deliver engagements.
Credentials and API keys are held in a dedicated managed secrets service, never in source code.
Operational and security events are logged to support detection, investigation, and response.
Internal access follows the principle of least privilege and separation of duties. Administrative actions are restricted to authorized personnel. MFA is required for access to business-critical systems, and access is provisioned, reviewed, and de-provisioned as roles change or engagements conclude.
Traffic to and between our services is encrypted using TLS 1.2 or higher. Data stored in our managed infrastructure is encrypted at rest using AES-256 provided by our cloud infrastructure provider.
Credentials, tokens, and keys are stored in a dedicated managed secrets service with restricted access. Secrets are never committed to source control.
Our managed services run on established, enterprise-grade cloud infrastructure (AWS) with network-level isolation, segmentation controls, and a managed web application firewall on internet-facing services. We keep platform runtimes and dependencies patched to address known vulnerabilities.
We collect operational and security logs to detect, investigate, and respond to anomalies and potential incidents.
We follow secure-development practices, including code review, dependency review for known vulnerabilities, and separation of development, testing, and production environments.
We maintain an incident-response process covering detection, triage, containment, and remediation. In the event of a security incident affecting client data, we will notify affected clients without undue delay and as required by applicable law and the applicable engagement agreement, and cooperate with clients on their own notification obligations.
Specific availability commitments, if any, are defined in the applicable engagement agreement, not in this overview.
In most engagements, DSE acts as a service provider / processor handling data on behalf of, and under the instructions of, our clients. We access client data only to the extent necessary to perform the contracted services.
We request and retain only the data required to deliver the engagement.
Client data is used solely to provide the contracted services and is not used for any unrelated purpose.
Client materials are logically segregated and access-controlled per engagement.
On conclusion or termination of an engagement, client data is returned or deleted in accordance with the applicable agreement. Verified deletion requests are honored, and client data is purged within 30 days of engagement termination, except where retention is required by law (for example, tax, audit, or legal-hold obligations). Residual copies in encrypted backups age out per our backup-rotation schedule.
Where an engagement involves AI or machine-learning tooling, client content is processed solely to deliver the service. We do not use client content to train models. Any AI or inference providers we engage do so on terms that do not permit training on our clients’ content. Aggregated, de-identified analytics for service improvement are performed only where permitted by the engagement.
See our Responsible AI statement →Where we act as a service provider to financial-institution or other regulated clients, we support our clients’ compliance obligations (for example, under GLBA and FCRA in a service-provider context) as defined in the engagement agreement. We also maintain safeguards consistent with the New York SHIELD Act for the private information we handle.
Personnel. Personnel are bound by confidentiality obligations and receive security-awareness training. Access to client data is granted on a need-to-know basis.
To deliver our services we rely on a limited set of vendors, disclosed here by category rather than by name:
Our current, named list of subprocessors is available to clients under the DPA on written request. We impose contractual data-protection and confidentiality obligations on our subprocessors consistent with our own commitments.
DSE’s advisory and delivery experience includes work under the NIST Risk Management Framework (RMF), authority-to-operate (ATO) documentation, and CMMC-aware federal delivery. This reflects the frameworks our practitioners work within on client engagements. It is not a representation that DSE itself currently holds a CMMC certification or a specific ATO for its own corporate systems; where a certification or attestation is required for a given engagement, it is scoped and pursued as part of that engagement.
We welcome reports from security researchers, clients, and the public. If you believe you have found a security vulnerability affecting DSE, please contact us so we can investigate and respond promptly. Please do not publicly disclose an issue until we have had a reasonable opportunity to address it. We will not pursue researchers who engage in good-faith, authorized testing and who avoid privacy violations, service degradation, and data destruction.