Modern BizOps

Security and Data Handling Overview

Modern BizOps LLC

Last updated June 17, 2026

Version: security-2026-06-17 (effective June 17, 2026)

If you are in a regulated industry, your own rules (GLBA and SEC Regulation S-P for financial advisors, professional confidentiality duties for attorneys and accountants) require you to vet any vendor that touches your clients' data before you connect it. This document is built to make that vetting fast. It tells you what I access, where it goes, who else touches it, and what happens if something goes wrong.

The short version

I connect to your business systems on a read-only basis wherever the integration allows. I use what I pull to build your audit and recommendations, and nothing else. I do not sell it, I do not use it to train AI models, and I delete or return it when we are done. Everything below is the detail behind those four sentences.

1. How I access your systems

When you connect a tool, you authorize access through that provider's standard OAuth flow. I never see or store your passwords for those systems. Where the provider offers read-only scopes, I request read-only, so I can analyze your data but cannot change anything in your systems. You can revoke my access at any time from your own account with that provider, or by disconnecting the integration in the portal.

For a few tools that do not offer OAuth, you provide an API key or upload a CSV export instead. Those follow the same rules: used only for your audit, stored securely, deleted on request.

2. What data I actually pull

I pull only what the audit needs. The exact fields depend on which systems you connect. As a guide:

| System type | What I read | What I never touch |
| --- | --- | --- |
| CRM (e.g. HubSpot) | Deals, pipeline stages, contact and company records, activity history | Anything you do not connect |
| Support / ticketing | Ticket volumes, response times, categories | Message bodies beyond what's needed for metrics |
| Marketing / email | Campaign and engagement metrics | Subscriber lists beyond your instruction |
| Financial (e.g. QuickBooks) | Revenue, invoice, and margin figures | Bank credentials; I see reports, not your bank login |
| Scheduling / project tools | Meeting and task data for process analysis | Personal calendar content outside scope |

If a system would expose your own clients' nonpublic personal information, you can scope the connection down, use a limited account, or skip that integration for a trial. I would rather analyze less than hold data you are not comfortable sharing.

3. Where your data lives and how it is protected

  • Hosting: The Platform runs on Render, a US-based cloud provider, in US data centers.
  • Encryption: Connections are encrypted in transit using TLS. The credentials and access tokens for your connected systems are encrypted at rest using AES-256-GCM. The Platform runs on Render, which encrypts stored data at rest.
  • Access control: On my side, access is limited to me. I do not have a team browsing your data. Access to credentials and connected-system tokens is restricted and stored securely.
  • Separation: Each client's data is logically separated within the Platform.
  • Credentials: OAuth tokens and API keys are stored encrypted and used only to retrieve your data for your audit.

4. Subprocessors (who else touches the data)

I use a small set of vendors to run the Platform. Each is bound by terms at least as protective as the commitments in my DPA.

| Subprocessor | Role | Notes |
| --- | --- | --- |
| Render | Cloud hosting | US-based; hosts the application and database |
| Anthropic | AI analysis | Business/API tier; your data is not used to train models |
| OpenAI | AI analysis | Business/API tier; your data is not used to train models |
| Google (Gemini) | AI analysis | Business/API tier; your data is not used to train models |
| HubSpot | CRM and marketing for Modern BizOps | Holds your contact/billing details, not your connected business data |
| Stripe | Payment processing | Handles card payments; I do not store full card numbers |

I keep this list current and give notice before adding a new subprocessor that would process your data.

5. Artificial intelligence

Part of the audit uses AI to analyze your data and draft recommendations. I send data to the AI providers above through their business or enterprise API tiers. Under those tiers' terms, your data is not used to train their models, and they may use it only to return results to me. I do not feed your data into consumer AI tools, and I do not use it to improve any model.

6. Data retention and deletion

I keep your data only as long as I need it to deliver your engagement. When we finish, or earlier if you ask, I return or delete your data within 30 days, your choice. The only exceptions are routine backups (which roll off on their normal cycle) and anything I am legally required to keep. I will confirm deletion in writing if you want it.

7. If something goes wrong

If I ever discover a security incident affecting your data, I will tell you without undue delay after I become aware of it. I will tell you what happened, what data was involved, and what I am doing about it, and I will cooperate with your response. I aim to notify you quickly enough to help you meet your own notification deadlines, including the customer-notification clock under SEC Regulation S-P.

8. What I commit to in writing

These practices are not just marketing. The binding versions live in:

If your compliance team has a security questionnaire, send it over. I would rather answer twenty questions up front than have you hesitate to connect the systems that make the audit worth doing.

Questions: access@bradleydewet.com