Security Practices
Last updated: December 17, 2025
TKOResearch LLC · 1500 Chestnut Street Suite 2, Philadelphia, PA 19102
Overview
TKOResearch provides technical analysis, threat intelligence, and technical security services for private sector clients. This page describes how we handle data, protect systems, and maintain operational security for our engagements.
The controls described here reflect current operational procedures for client materials, communications, and public systems.
Data Handling
Client Materials & Engagement Data
- Physical materials are stored in locked, access-controlled laboratory space
- Digital materials are stored on encrypted drives (AES-256) with documented handling records
- Client materials are retained only for the duration specified in engagement agreements, then securely destroyed
- We do not share client materials with third parties except as required by law or with explicit written authorization
Communications
- Sensitive engagement communications available via Signal upon request
- Standard communications via email ([email protected])
- PGP public key available at /pgp
- We do not store client credentials or access keys beyond the engagement period
Infrastructure Security
Website & Public Systems
- This website is hosted on Vercel with automatic TLS
- No customer PII is stored on the public website
- Contact form submissions are transmitted via encrypted API to our email system
- Analytics are privacy-focused with consent management
Internal Systems
- Analysis workstations are air-gapped or network-isolated during sensitive materials review
- Multi-factor authentication required for all internal systems
- Regular software updates applied to analysis tools and operating systems
Crisis Management
In the event of a security incident affecting client data, we will:
- Notify affected clients promptly after a confirmed breach
- Provide a written incident report describing the scope and remediation
- Cooperate with client security teams and legal counsel as needed
To report a security incident involving TKOResearch systems or data, contact: [email protected]
Vulnerability Disclosure
We welcome responsible security research on our public-facing systems. If you discover a vulnerability in tkoresearch.com or related TKOResearch properties:
- Report to: [email protected]
- Include technical details sufficient to reproduce the issue
- We will acknowledge receipt within 5 business days
- We will not pursue legal action against good-faith security researchers
For full details, see our Vulnerability Disclosure Policy.
Limitations
Some compliance programs require third-party certifications or dedicated managed-security operations. Those requirements should be raised during scoping.
- SOC 2 and ISO 27001 certifications are not currently maintained
- Continuous managed monitoring of client environments is not included unless specifically contracted
- Physical storage uses professional-office controls unless a higher-control handling process is agreed in writing
Current security practices are appropriate for the sensitivity of the work we perform. Clients with specific compliance requirements (HIPAA, CJIS, etc.) should discuss their needs during the scoping process.
Contact
For security-related inquiries: