Echo Hill Security Policies

We collect only the minimum information required to provide our services, generate assessment reports, and maintain communication with clients. We do not sell, rent, or share client information with any third parties outside of essential processing.

• Assessment data is used only to create your report.
• No passwords or sensitive business credentials are collected.
• Data is stored securely and retained only as needed.
• Client information is never shared without consent.

Our goal is to limit storage wherever possible. We keep assessment data only long enough to generate and deliver your report — after that, client responses are securely removed unless a client requests ongoing improvement tracking.

• Assessment responses deleted after report delivery (default).
• Optional retention available with written client request.
• Secure destruction processes follow NIST 800-88 guidance.

Our services are designed to provide high-quality information, recommendations, and baseline cybersecurity insight. Clients maintain final responsibility for implementation and operational security decisions.

• Recommendations are advisory and based on industry best practices.
• Echo Hill Security is not liable for client-side implementation.
• Reports are confidential and intended for internal client use.

Echo Hill Security is committed to embodying the same practices we recommend to clients. Our operations follow least-privilege principles, MFA enforcement, and vendor risk evaluation.

• Multi-factor authentication enabled across all systems.
• Encryption in transit and at rest for stored data.
• Regular review of third-party tools and cloud platforms.