How we run our own shop.
We hold ourselves to the standard we ask of our clients. This page is a plain-English summary; deeper artifacts (SoA, pen-test letters, sub-processor list) are available under MNDA.
Hosting
sudodudes infrastructure runs on hardware we own and physically control. We do not use third-party SaaS for storage of client-sensitive evidence beyond what the engagement requires; what we do store is encrypted at rest with per-tenant keys and segmented per client.
Access
SSO with mandatory hardware-key second factor (no SMS, no TOTP). Least-privilege roles. All access is logged and reviewed weekly. Production access requires a peer-approved change request.
Engineering
Code is reviewed before merge. Dependency and container images are scanned on every push. Secrets live in a managed vault, never in repos. We run continuous monitoring on our own perimeter with the same posture we recommend to clients.
Incident response
24/7 on-call rotation. Documented runbooks. Clients are notified within four hours of a confirmed incident that affects them, with a written post-mortem within ten business days.
Responsible disclosure
Found a vulnerability in our infrastructure? Email [email protected]. Good-faith research is welcomed; we will not pursue legal action against researchers acting in good faith and within the scope below.
- In scope: *.sudodudes.com
- Out of scope: social engineering, physical, denial-of-service, anything against client tenants
- Disclosure window: 90 days from acknowledgement, extended by agreement