Frequently asked questions
Is nelyrose.com SOC 2 certified?
No — and we do not claim certification. Nely Rose's website security program is designed to meet SOC 2 Type I Trust Service Criteria for Security and Privacy. Type I attestation evaluates control design at a point in time; we will publish attested language only after an independent report is issued.
What is in scope for SOC 2 Type I on nelyrose.com?
The in-scope system includes the public website, contact and privacy-rights forms, the SQLite personal-data store, the admin panel, and outbound email notifications for form submissions. Consulting work in external CRM or email tools is out of scope.
What security controls does nelyrose.com use?
nelyrose.com uses HTTPS/HSTS, CSRF and Turnstile on public forms, IP-based rate limiting, bcrypt admin passwords with optional TOTP MFA, append-only audit logging, SQLite outside the web root, encrypted database backups, and automated data retention.
Who are the subprocessors for nelyrose.com?
Primary subprocessors are Hostinger (hosting and SMTP), Cloudflare (Turnstile and edge protection), Google Analytics 4 (consent-gated analytics), and Calendly (optional scheduling embed). Details appear in the Privacy Policy.
How do I report a security vulnerability on nelyrose.com?
Email [email protected] with reproduction steps and impact. Do not publicly disclose vulnerabilities before Nely Rose has had a reasonable opportunity to investigate and remediate.