01 Scope
This page describes how we approach security. It is not a certification, warranty, or audit report.
This Trust & Security page covers the public website and our ordinary studio operations. Client-specific security terms, hosting architecture, access rules, and incident obligations are handled in the signed services agreement for each engagement.
02 Security practices
- HTTPS/TLS for public website traffic.
- Two-factor authentication on vendor accounts where supported.
- Scoped access to hosting, repositories, CMS, analytics, and client systems.
- Dependency updates and security patches as part of maintenance work.
- Secrets kept out of public repositories and rotated when exposure is suspected.
- Backups or rollback paths for managed client systems where included in the engagement.
- Written handoff of credentials and ownership at launch unless a support agreement says otherwise.
03 Data handling
We limit inbound public-site data to what is needed to respond to business inquiries. For client systems, we prefer least privilege, named accounts over shared accounts, and separate staging/production access when the platform supports it.
We do not request production passwords, payment card numbers, government IDs, or sensitive regulated data through public website forms.
04 Vendors and subprocessors
- Hosting/CDN
  - Vercel, Cloudflare, or comparable providers depending on deployment.
- Mailbox and delivery providers used to receive and respond to inquiries.
- Fonts/assets
  - Google Fonts and locally hosted image assets.
- Client tools
  - CMS, hosting, source control, analytics, search, and SEO tools chosen for the project.
For client work, a more specific subprocessor list or DPA can be added to the services agreement when needed.
05 Incident response
If we confirm a security incident affecting personal information or managed client systems, we investigate, contain, preserve relevant logs where available, notify affected clients or individuals as required, and take reasonable remediation steps.
For client systems, notification timing and responsibilities follow the signed services agreement and applicable law.
06 Certifications and limits
Midnight Anvil LLC does not currently claim SOC 2, ISO 27001, PCI-DSS, HIPAA, FedRAMP, or similar certification. We do not process payment card data on this public website. If a project requires regulated hosting, payment processing, or a formal audit trail, we scope that explicitly before work begins.
07 Report a concern
To report a security concern, email forge@midnightanvil.com with enough detail to reproduce the issue. Please do not access, alter, delete, or disclose data that is not yours. We do not offer a public bug bounty program.
Sheridan, Wyoming
+1 (912) 915-2627