Security & Compliance
We Practice What We Preach.
Code Talkers Engineering is a cybersecurity firm. We hold ourselves to the same standards we recommend to clients. This page describes how we protect data, handle sensitive information, and respond to security concerns.
How We Operate
Our Security Posture
Zero Trust Architecture
All internal systems and the client portal operate on a deny-all default. Access is explicitly granted, continuously verified, and never assumed based on network location.
Encrypted Communications
All data in transit is encrypted via TLS 1.2+. The Site enforces HTTPS with HSTS preloading. We do not accept sensitive information over unencrypted channels.
Minimal Data Collection
We collect only what is necessary to conduct business. We do not collect sensitive personal data (SSNs, financial data, health records) through this Site.
Access Control
Client portal access is role-based. Administrative functions require elevated authentication. All portal activity is logged in an append-only audit trail.
Consent-Gated Analytics
Analytics are not activated until you explicitly consent. Declining analytics has no effect on Site functionality.
Security Headers
The Site deploys Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy headers on all responses.
Data Handling
Data collected through this Site (contact form submissions, slick sheet requests, and portal accounts) is stored in Google Firebase (Firestore), a SOC 2 Type II and ISO 27001 certified platform. Firestore Security Rules enforce access control at the database level — no client-side code can bypass these rules.
Sensitive client information shared for active contracts or cleared work is handled separately from this Site under appropriate information handling agreements and is never transmitted through this public web interface.
We do not sell, share, or trade your personal information with third parties for advertising or marketing purposes. See our Privacy Policy for complete details.
Standards Awareness
Compliance Posture
As a defense contractor, CTE operates with awareness of applicable DoD cybersecurity requirements including the Cybersecurity Maturity Model Certification (CMMC) program and NIST SP 800-171. Our internal systems and practices are designed to align with these frameworks.
Personnel with access to sensitive client information may hold active U.S. government security clearances. Cleared work is conducted in accordance with applicable government information security policies and is strictly segregated from this public-facing Site.
Specific compliance documentation, System Security Plans (SSPs), or assessment readiness materials are available to qualified government clients and contracting officers upon request.
Responsible Disclosure Policy
We are a cybersecurity company. We take vulnerabilities seriously and we welcome responsible disclosure from the security community.
If you discover a security vulnerability in codetalkerseng.com or our associated infrastructure, please report it to us before public disclosure. We commit to:
- Acknowledge your report within 5 business days
- Investigate and assess the reported vulnerability
- Communicate our remediation timeline to you
- Not pursue legal action against researchers acting in good faith
We ask that you do not access, modify, or delete data that does not belong to you; do not perform denial-of-service testing; and do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate it.