Privacy & Data Protection

StackExpected is committed to protecting your privacy and the security of your data. This page outlines how we collect, use, store, and protect information, along with our full suite of security documentation.

1 Overview & Scope

StackExpected ("we", "our", "us") is a web design and development company serving small businesses, schools, nonprofits, community organizations, and families. This Privacy & Data Protection Policy applies to all information collected through our website, services, quote request forms, client portals, and any other platforms we operate or manage on behalf of clients.

We act as both a data controller (for information we collect about our own operations and prospective clients) and a data processor (for information we handle on behalf of our clients when we build and manage their websites and systems). This dual role means we have responsibilities under applicable data protection laws in both capacities.

This policy is part of our broader Cybersecurity Policy Framework, aligned to the NIST Cybersecurity Framework 2.0, and incorporates industry best practices for Cloud Access Security Broker (CASB) operations as defined by Gartner and the Cloud Security Alliance.

2 Data We Collect

We collect information in the following categories:

Information You Provide

Full name, email address, phone number, organization name, project requirements, budget range, timeline preferences, and any additional notes submitted through our quote request form, contact forms, or during consultations.

Client Project Data

Website content, customer databases, document systems, user accounts, and any data you provide for inclusion in websites or web applications we build and manage on your behalf.

Automatically Collected

IP address, browser type, operating system, referring URLs, pages visited, time spent on pages, and click patterns collected through analytics tools and server logs.

Communication Records

Email correspondence, call notes, meeting summaries, and project communication records maintained for service delivery and quality purposes.

Payment Information

Billing records and transaction data processed through third-party payment processors. We do not store full credit card numbers or sensitive payment credentials on our systems.

Device & Network Data

Information about devices used to access our services, including device identifiers, screen resolution, and network connection details for security monitoring purposes.

3 How We Use Your Data

We use collected information for the following purposes:

Project Delivery & Service Provision - To design, develop, launch, and maintain websites and web applications as agreed in our client contracts.
Quote & Proposal Preparation - To prepare detailed project proposals based on your requirements submitted through the quote request form.
Client Communication - To respond to inquiries, provide project updates, and maintain ongoing communication throughout the engagement.
Hosting & Infrastructure - To provide reliable hosting services including SSL certificates, daily backups, uptime monitoring, and performance optimization.
Security & Fraud Prevention - To protect our systems, detect and prevent unauthorized access, and ensure the integrity of our services.
Legal Compliance - To comply with applicable laws, regulations, and contractual obligations.
Service Improvement - To analyze usage patterns and improve our website, services, and user experience (anonymized and aggregated data only).
Marketing (opt-in only) - To send newsletters, updates, and promotional materials. You must explicitly opt in — we will never add you automatically.

4 Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share data only in the following circumstances:

Service Providers - We engage trusted third-party vendors for hosting, payment processing, email delivery, analytics, and project management. All providers are bound by data processing agreements and contractual security obligations.
Client Requirements - When building systems for clients, we may need to integrate with their existing tools and platforms (CRM, ERP, payment gateways). Data flows to these systems are configured per client specifications.
Legal Obligations - We may disclose information when required by law, court order, or government request. We will challenge overly broad requests where legally permissible.
Business Transfers - In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify affected users of any change in data handling practices.

5 Data Retention & Deletion

We retain personal data only as long as necessary to fulfill the purposes for which it was collected:

Quote Request Data

Prospective client information not converted to projects is retained for 12 months, after which it is securely deleted unless you consent to longer retention for marketing purposes.

Active Client Data

Client data is retained for the duration of the engagement plus 12 months for support purposes. Upon project completion or client request, data is returned or securely deleted.

Financial Records

Billing and transaction records are retained for 7 years as required by tax and accounting regulations.

All deletion is performed using secure methods: database records are permanently removed, encrypted backups are overwritten in the next backup cycle, and physical media is destroyed using NIST 800-88 compliant procedures.

6 Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you, including the categories of data, purposes of processing, and recipients of your data.

Right to Rectification

Request correction of inaccurate or incomplete personal data. We will respond to rectification requests within 30 days.

Right to Erasure

Request deletion of your personal data where there is no legal obligation to retain it. This right is subject to applicable legal and contractual obligations.

Right to Portability

Request your data in a structured, machine-readable format for transfer to another service provider.

Right to Restrict Processing

Request that we limit how we use your data while a dispute about its use is being resolved.

Right to Object

Object to processing based on legitimate interests or direct marketing. We will cease processing unless we demonstrate compelling legitimate grounds.

To exercise any of these rights, contact us at support@stackexpected.com. We will respond within 30 days.

7 Security Measures

We implement industry-standard technical and organizational measures to protect your data:

Encryption: AES-256 encryption for data at rest (databases, backups, disk), TLS 1.2+ for data in transit (web traffic, API calls, file transfers).
Access Control: Multi-factor authentication (MFA) for all systems, role-based access control (RBAC), quarterly access reviews, least-privilege principles.
Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS mitigation, DNS filtering, network segmentation.
Application Security: Web Application Firewall (WAF), security headers (HSTS, CSP, X-Frame-Options), regular vulnerability scanning, secure coding practices (OWASP Top 10).
Backup & Recovery: Daily automated encrypted backups, quarterly restore testing, off-site storage, disaster recovery procedures.
Monitoring: 24/7 server health monitoring, file integrity monitoring, SSL certificate monitoring, centralized log aggregation and analysis.
Personnel: Security awareness training (quarterly), secure coding training (semi-annually), phishing simulations, background checks for team members with data access.
Physical Security: Office access controls, workstation auto-lock (5 min), encrypted portable devices, clean desk policy.

8 CASB (Cloud Access Security Broker) Policies

As a web development company that relies heavily on cloud services, StackExpected implements CASB-style controls to secure our cloud environment. A Cloud Access Security Broker acts as an intermediary between our organization and cloud service providers, enforcing security policies, monitoring activity, and protecting data across all cloud applications.

8.1 SaaS Application Security

All SaaS applications used by StackExpected are subject to the following controls:

Application Inventory: All cloud applications are inventoried and classified by sensitivity. Each application is assessed for security posture before adoption and reviewed annually thereafter.
Authentication Integration: All SaaS applications must support SSO (Single Sign-On) or MFA. Password-only authentication is not permitted for applications containing sensitive data.
API Security: API connections to SaaS applications use OAuth 2.0 or equivalent token-based authentication. API keys are rotated quarterly and stored in encrypted credential managers.
Data Classification in SaaS: Data uploaded to cloud applications is automatically classified based on content sensitivity. Restricted data (PII, payment data) is flagged and subject to additional access controls.
Shadow IT Prevention: We monitor for unauthorized cloud application usage through network traffic analysis and DNS monitoring. Unauthorized applications are reported to the Lead Developer for assessment.

8.2 IaaS & PaaS Security

Infrastructure and platform services (hosting, cloud databases, CDN) are secured through:

Infrastructure-as-Code (IaC): All cloud infrastructure is defined and version-controlled. Infrastructure changes are reviewed and approved before deployment.
Cloud Security Posture: Regular automated scans of cloud configurations for misconfigurations, public exposure, and compliance violations.
Network Isolation: Cloud resources are deployed in isolated network segments (VPCs/VNets) with strict security group rules. Public-facing resources are placed in DMZ subnets.
Logging & Auditing: All cloud provider activity logs are aggregated and monitored. CloudTrail-equivalent logging is enabled for all cloud accounts.

8.3 Data Governance in the Cloud

Data Residency: Client data is stored in data centers located in jurisdictions that provide adequate data protection. Cross-border data transfers use Standard Contractual Clauses (SCCs) or equivalent mechanisms.
Data Labeling: All data in cloud environments is labeled with classification levels (Public, Internal, Confidential, Restricted). Automated policies enforce handling requirements based on labels.
Cloud Data Loss Prevention: Automated rules detect and block unauthorized data exfiltration from cloud applications, including bulk downloads and unauthorized sharing.
Multi-tenancy Controls: Client data hosted on shared infrastructure is logically isolated using separate databases, schemas, and access controls. Multi-tenant applications enforce strict tenant separation.

9 SaaS Security Posture Management (SSPM)

StackExpected maintains a SaaS Security Posture Management program to continuously assess and improve the security configuration of all cloud applications we use or manage:

Configuration Assessment

Regular automated scans of SaaS application settings to identify insecure configurations, excessive permissions, and policy violations. Critical misconfigurations are remediated within 48 hours.

Permission Governance

Continuous monitoring of user permissions across all SaaS applications. Administrative privileges are limited to designated personnel and reviewed quarterly. Excessive permissions are automatically flagged.

Application Risk Scoring

Each SaaS application receives a risk score based on its security configuration, data access level, and provider security posture. High-risk applications trigger enhanced monitoring and review.

Third-Party Risk Assessment

All SaaS providers undergo a security assessment before onboarding, including review of SOC 2 reports, penetration test summaries, and data handling practices. Assessments are renewed annually.

API Permission Auditing

Regular review of API permissions granted to third-party integrations. Stale and unused API connections are revoked. Permission scopes are limited to the minimum required for functionality.

Compliance Mapping

SaaS application configurations are mapped to compliance frameworks (NIST CSF, SOC 2, ISO 27001) to ensure continuous compliance and facilitate audits.

10 Data Loss Prevention (DLP)

StackExpected implements Data Loss Prevention controls to protect sensitive information from unauthorized disclosure, whether accidental or intentional:

10.1 Endpoint DLP

Content Inspection: Files leaving endpoints are scanned for sensitive data patterns (PII, payment data, credentials, client data). Matches trigger blocking or approval workflows.
USB & Removable Media: USB device usage is controlled and audited. Unauthorized removable media cannot be connected to company devices.
Print Controls: Printing of sensitive documents is logged and restricted. Watermarking is applied to printed documents containing confidential data.
Clipboard Monitoring: Copying of sensitive data to clipboard is monitored and can be restricted for high-sensitivity content.

10.2 Network DLP

Email DLP: All outbound email is scanned for sensitive data patterns. Messages containing restricted data are blocked or require approval before sending.
Web Upload Controls: Uploads to cloud storage and file-sharing services are monitored. Sensitive data uploads to unauthorized services are blocked.
Exfiltration Detection: Unusual data transfer volumes or patterns trigger alerts. Bulk downloads and transfers to unfamiliar destinations are investigated.

10.3 Cloud DLP

Cloud Storage Monitoring: Files stored in cloud services are scanned for sensitive content. Unauthorized sharing of restricted documents is prevented.
SharePoint/Drive Policies: External sharing of documents is restricted. Permission changes on sensitive files trigger alerts.
Client Data Isolation: Client data stored in cloud environments is encrypted with tenant-specific keys. Cross-tenant access is technically impossible.

11 Threat Protection

StackExpected employs multiple layers of threat protection across our cloud and on-premises environments:

Cloud Workload Protection (CWPP)

Continuous monitoring of cloud workloads (servers, containers, serverless functions) for vulnerabilities, malware, and suspicious activity. Automated patching and remediation for critical vulnerabilities.

Identity Threat Protection

Multi-factor authentication enforcement, anomaly detection for login behavior, credential breach monitoring, and automated account lockout for suspicious activity. Continuous authentication scoring.

Endpoint Detection & Response (EDR)

Real-time monitoring of endpoint activity for malicious behavior, automated threat containment, and forensic investigation capabilities. All company devices run EDR agents.

Secure Web Gateway (SWG)

All web traffic is routed through a secure web gateway that enforces acceptable use policies, blocks malicious websites, and prevents access to known threat distribution points.

Email Security

Advanced email filtering with phishing detection, malware scanning, URL rewriting, and sandboxing of suspicious attachments. Quarterly phishing simulation exercises train team members.

Threat Intelligence

Subscription to threat intelligence feeds for early warning of emerging threats targeting web development tools, hosting platforms, and supply chain vulnerabilities.

12 Compliance & Certifications

StackExpected maintains compliance with applicable regulations and industry standards:

NIST Cybersecurity Framework 2.0: Our entire security program is structured around the NIST CSF 2.0 framework (Govern, Identify, Protect, Detect, Respond, Recover). See our full policy framework in the security documentation.
OWASP Top 10: All web applications are developed and tested against the OWASP Top 10 security risks. Secure coding practices are enforced through code reviews and automated scanning.
PCI DSS: Where payment processing is involved, we adhere to PCI DSS requirements. Payment data is processed through PCI-compliant third-party processors; we never store raw payment credentials.
GDPR (where applicable): For EU/EEA data subjects, we process data under lawful bases, honor data subject rights, maintain records of processing activities, and execute Data Processing Agreements (DPAs).
State Privacy Laws: We comply with applicable state-level privacy laws including CCPA/CPRA, Virginia CDPA, Colorado CPA, and other emerging state privacy legislation.
WCAG Accessibility: All websites we build comply with WCAG 2.1 AA standards, ensuring accessibility for users with disabilities.
SOC 2 (where required): For clients requiring SOC 2 compliance, we provide our SOC 2 Type II report and execute mutual DPAs.

13 Cookies & Tracking

Our website uses the following cookies and tracking technologies:

Essential Cookies: Required for basic site functionality (theme preference, navigation state). Cannot be disabled.
Analytics Cookies: Help us understand how visitors interact with our site by collecting anonymous usage data. We use privacy-respecting analytics that do not set third-party tracking cookies.
Functional Cookies: Remember your preferences such as theme selection and form state. These are stored locally in your browser and are not sent to third parties.
Security Cookies: Used to maintain authentication sessions and prevent cross-site request forgery (CSRF). Essential for protecting your data during form submissions.

You can control cookies through your browser settings. Disabling essential cookies may affect site functionality. We do not use third-party advertising cookies or cross-site tracking.

14 Children's Privacy

StackExpected's services are not directed to children under 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly. For school clients, we comply with COPPA requirements and work with schools to ensure appropriate safeguards for student data.

15 International Data Transfers

Some of our cloud service providers may process data in countries outside your jurisdiction. When we transfer personal data internationally, we ensure appropriate safeguards are in place:

EU/EEA Transfers: Standard Contractual Clauses (SCCs) are executed with all non-EEA data processors. Transfer Impact Assessments (TIAs) are conducted for each destination country.
Adequacy Decisions: Data transfers to countries with EU adequacy decisions proceed without additional safeguards.
Data Residency Preferences: For clients with specific data residency requirements, we can configure services to store data exclusively in specified geographic regions.

16 Data Breach Notification

In the event of a data breach affecting your personal information, we will:

Contain & Assess: Immediately contain the breach and assess the scope, impact, and affected data within 4 hours of detection.
Notify: Affected individuals will be notified without undue delay and no later than 72 hours after confirmation of the breach, in accordance with applicable legal requirements.
Regulatory Reporting: Relevant data protection authorities will be notified within the legally required timeframe (typically 72 hours for GDPR).
Remediation: We will outline the steps taken to address the breach, prevent recurrence, and mitigate any harm to affected individuals.
Support: We will offer appropriate support to affected individuals, which may include credit monitoring services for breaches involving financial data.

17 Security Documentation Downloads

The following documents comprise our complete security and privacy documentation framework. All documents are aligned to the NIST Cybersecurity Framework 2.0. You may download individual documents or the complete set as a ZIP archive.

Additional Documents

This page also covers CASB-specific privacy topics including SaaS Security Posture Management (SSPM), Data Loss Prevention (DLP) across endpoint/network/cloud layers, Cloud Workload Protection (CWPP), Identity Threat Protection, Secure Web Gateway (SWG) policies, and Data Governance in the Cloud.

18 Contact

Privacy Questions?

If you have questions about this Privacy & Data Protection Policy, want to exercise your data rights, or need to report a privacy concern, please contact us:

Email: support@stackexpected.com

Phone: (555) 123-4567 (Mon-Fri, 9am-5pm)

Response Time: We respond to all privacy inquiries within 30 days.

Last updated: June 2026  |  Version 1.0