Security
How we secure this site, how we handle information shared during engagements, and what security practices we apply to the systems we build.
Our Approach to Security
Security is a design concern, not a deployment checklist. We consider it at the architecture stage — in what data flows where, who can access what, and how the system behaves when something goes wrong.
This page covers three things: how tampadynamics.com itself is secured, how we handle sensitive information shared during client engagements, and the security patterns we apply when building systems for clients.
Website and Infrastructure Security
- HTTPS enforced on all connections — hosted on AWS Amplify with TLS required; unencrypted HTTP is not served
- HTTP security headers configured at the edge — Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are set on every response
- Rate limiting on all API endpoints — form submissions and AI assistant interactions are rate-limited to prevent abuse and denial-of-service
- Input validation on all form submissions — server-side validation on every user-submitted field; no raw input is trusted
- Minimal data collection — contact form submissions are the only personal data stored; we do not maintain session databases, user accounts, or behavioral tracking infrastructure on this site
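The header controls listed above are only as good as their values, so the check a practitioner would want is one that reads a response's headers and flags anything missing or weak. The script below is an added example, not code from tampadynamics.com or from AWS Amplify: it normalises header names (HTTP treats them case-insensitively), parses the CSP into directives, and returns a list of findings. The thresholds it applies (a one-year HSTS `max-age`, `includeSubDomains`, a `default-src` fallback, no `'unsafe-inline'` scripts, `DENY`/`SAMEORIGIN` framing, `nosniff`, and no `unsafe-url` referrers) are this example's assumptions, and both header sets are constructed inputs rather than captures from the site.

```python
"""Check HTTP response headers against the edge-header policy described above.

Added example; not the site's own code. Thresholds and sample headers are
assumptions/constructed inputs, not statements about tampadynamics.com.
"""
from __future__ import annotations

import re

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age (preload-list baseline)


def _normalise(headers: dict[str, str]) -> dict[str, str]:
    """HTTP header names are case-insensitive; compare on lower-cased names."""
    return {name.lower().strip(): value.strip() for name, value in headers.items()}


def _csp_directives(policy: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources...]}."""
    directives: dict[str, list[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for the given response headers; [] means policy met."""
    h = _normalise(headers)
    findings: list[str] = []

    # HSTS: present, long max-age, and covering subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age {m.group(1)} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    # CSP: present, with a default-src fallback and no inline script execution
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = _csp_directives(csp)
        if "default-src" not in d:
            findings.append("Content-Security-Policy has no default-src fallback")
        scripts = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")

    # Clickjacking: legacy header must be DENY or SAMEORIGIN
    # (CSP frame-ancestors is the modern equivalent and takes precedence in browsers)
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options is missing or not DENY/SAMEORIGIN")

    # MIME sniffing: the only meaningful value is nosniff
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is missing or not nosniff")

    # Referrer leakage: header may list fallbacks separated by commas
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("missing Referrer-Policy")
    elif "unsafe-url" in [v.strip() for v in rp.lower().split(",")]:
        findings.append("Referrer-Policy unsafe-url leaks full URLs cross-origin")

    return findings


# Constructed sample inputs (not captured from the site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

WEAK_HEADERS = {  # lower-case names to show normalisation; X-Content-Type-Options omitted
    "strict-transport-security": "max-age=300",
    "content-security-policy": "script-src 'self' 'unsafe-inline'",
    "x-frame-options": "ALLOW-FROM https://example.com",
    "referrer-policy": "unsafe-url",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(hdrs) or "policy met")
```

To run it against a live response, feed it the headers from `curl -sI https://tampadynamics.com` (or from any HTTP client's response object) instead of the constructed dictionaries; the function only needs a name-to-value mapping.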
Client Engagement Data Handling
We do not retain client data beyond what is necessary for the engagement. Sensitive materials reviewed during an engagement — architecture diagrams, PHI samples, access credentials, proprietary system documentation — are handled under NDA and destroyed at engagement close unless retention is required for deliverables or by applicable law.
Business Associate Agreements (BAAs) are available for healthcare engagements subject to HIPAA. If your engagement involves PHI or regulated health data, raise this at the outset — we will establish the appropriate legal agreements before any data is shared.
Credentials and secrets are never transmitted over email or stored in shared documents. We exchange them only over encrypted channels and keep them in a dedicated secrets manager for the life of the engagement.
Security Practices in Systems We Build
- Encryption at rest and in transit — all sensitive data encrypted using current standards; transport security enforced at every layer
- Role-based access control (RBAC) and least privilege — access permissions scoped to the minimum required for each role; no broad access grants
- Audit logging for regulated workflows — structured logs capturing who accessed what, when, and through which system — designed to support compliance review
- Secrets management via AWS Secrets Manager or equivalent — no secrets in source code, configuration files, or version control
- Automated vulnerability scanning in CI/CD pipelines — dependency scanning and static analysis integrated into the build process, not run manually after the fact
- Infrastructure as code with policy enforcement — cloud infrastructure defined in code, reviewed like code, and subject to automated security policy checks before deployment
Responsible Disclosure
If you discover a security vulnerability on this site or in a system Tampa Dynamics maintains, please report it responsibly.
Email security@tampadynamics.com with a description of the issue, the steps to reproduce it, and any relevant technical context. We will acknowledge receipt within two business days. Confirmed vulnerabilities will be remediated promptly, and we will communicate resolution timelines to reporters.
We do not pursue legal action against researchers acting in good faith. We ask that you do not access, modify, or disclose data beyond what is necessary to demonstrate the issue.
Questions
For security questions related to an active client engagement, contact your engagement lead directly.
For general security inquiries about this site or our practices, reach us at security@tampadynamics.com.