Posture and disclosure.
Last updated 2026-04-19
Our posture
Alvanet's internal practice follows a defense-in-depth model informed by NIST SP 800-53 and the CISA Cross-Sector Cybersecurity Performance Goals. Identity, endpoint, and access controls are deployed across the team; we review them quarterly. We don't claim certifications we don't hold — if SOC 2 or ISO 27001 attestation is part of your due-diligence, ask and we'll walk you through the current state honestly.
This website
- Deployed over TLS only; HSTS with preload enabled in production.
- Content-Security-Policy restricts script sources to this origin plus pinned vendor files.
- No third-party analytics, tag managers, or advertising tech.
- AI Maturity Assessment runs entirely client-side until you choose to email results.
Responsible disclosure
If you believe you've found a vulnerability, please email help@alvanetwebpr.com with "Security disclosure" in the subject. Include reproduction steps and, if you know it, the fix. We respond within two business days and commit to a good-faith, no-retaliation process.
A machine-readable contact file is available at
/.well-known/security.txt.
What we run for clients
For managed-IT and compliance engagements, controls are scoped in a signed Statement of Work. Baseline expectations: documented access policy, MFA on everything, encryption at rest, regular review of vendor access, and an incident response runbook your team co-owns.
Questions about a specific engagement's security posture should be directed to your primary Alvanet contact.