SECURITY & COMPLIANCE

Composite is committed to maintaining security practices appropriate for enterprise and regulated clients. This page provides an overview of our security posture.

1. Operational Role & Risk Profile

Composite is a design and Webflow Enterprise development agency.

  • We do not operate production consumer databases.
  • We do not store client website data on our own servers.
  • We do not access client production databases.
  • Our work primarily involves front-end development and CMS configuration within client-approved environments.

This significantly limits data exposure risk.

2. Infrastructure & Hosting

Client websites are typically hosted on Webflow Enterprise or other client-selected infrastructure providers.

Composite does not host or maintain production website infrastructure directly.

Infrastructure-level security (e.g., network security, DDoS protection, uptime guarantees) is managed by the hosting provider.

3. Access Controls

Composite maintains strict access controls, including:

  • Role-based access permissions
  • Least-privilege access policies
  • Access limited to assigned project team members
  • Immediate revocation of access upon employee termination
  • Multi-factor authentication (MFA) required for all employees

4. Endpoint & Internal Security

Composite enforces:

  • Password-protected company devices
  • Encrypted connections (TLS/HTTPS)
  • Secure cloud-based collaboration tools
  • MFA across core systems

5. Vendor & Subprocessor Management

Composite works with established technology providers (e.g., hosting platforms, CRM tools, analytics services).

We:

  • Conduct reasonable vendor due diligence
  • Use vendors subject to contractual security obligations
  • Limit vendor access to only necessary data

6. AI Governance

Composite may use AI-powered tools to support design, development, analytics, and operational workflows.

We:

  • Do not use client confidential information to train public AI models
  • Do not use client data for AI model training without explicit agreement
  • Require human review of AI-assisted outputs before deployment

7. Data Minimization

Composite accesses only the data necessary to perform contracted services.

We do not maintain long-term storage of consumer financial data, regulated financial records, or client production databases.

8. Incident Response

Composite maintains an internal incident response process designed to:

  • Escalate suspected security incidents promptly
  • Investigate and remediate confirmed issues
  • Notify affected clients in accordance with contractual and legal obligations

9. Compliance Alignment

Composite aligns its privacy and security practices with:

  • U.S. state privacy laws (including CPRA)
  • Industry-standard security practices
  • Contractual security requirements agreed with clients

Composite does not currently maintain SOC 2 certification.