Security and Data Handling
Yellow Bird Company
Last updated: June 11, 2026
Yellow Bird Company is a small consulting firm. We are not a SaaS platform and we do not operate shared infrastructure on behalf of clients. This page explains how we handle data in our own operations and what we do on client engagements.
We are not claiming SOC 2 certification or ISO 27001 accreditation. We do not have them. What we can tell you is how we actually work, because procurement officers who have seen puffery from vendors can spot it immediately.
Where our data lives
Website. Hosted on Vercel. Vercel runs on AWS and Google Cloud infrastructure in the United States and via global edge nodes. Vercel's infrastructure is SOC 2 Type II certified. We do not store sensitive client data on our website or in Vercel.
Scheduling. Cal.com handles appointment booking. Data is stored on Cal.com's infrastructure in the United States. Booking information (name, email, notes) is treated as contact data, not sensitive operational data.
Email. Transactional email is sent via Resend. Email delivery logs are retained by Resend for operational purposes. We do not send sensitive client data via unencrypted email.
Engagement work. For active client engagements, work product lives where the engagement requires it: typically the client's own cloud environment or a shared workspace we set up for the engagement. We do not maintain a shared Yellow Bird cloud environment where client data co-mingles.
Encryption
Data in transit to and from this website uses TLS (HTTPS). Vercel enforces TLS on all connections. We do not operate any endpoint that accepts unencrypted HTTP.
For engagement tooling, encryption at rest and in transit depends on the tools agreed in the project scope. We discuss and document this during scoping, not after delivery.
Access controls
Yellow Bird is a principal-led firm. Brett Carter is the person with access to Yellow Bird's operational accounts (email, scheduling, hosting). We do not have a shared credential environment or a team with broad system access.
For client systems, we request access only at the level required to do the work. We do not retain access to client systems after an engagement closes. Credential handoff and access revocation are part of our standard engagement close process.
Subcontractors
When an engagement requires a subcontractor (for ML engineering, security review, design production, or other specialist work), that person is identified in the proposal before work begins. Every subcontractor operates under a Non-Disclosure Agreement that covers the client's data and project details. We do not offshore sensitive client data. Subcontractors are based in [Canada / specify if you use US-based contractors and under what conditions].
Incident response
If a security incident affects client data we hold or process, we will notify the affected client within [72 hours / Brett to confirm] of becoming aware. We will describe what happened, what data was affected, what we have done to contain the issue, and what clients should do.
Yellow Bird does not have a formal incident response team. What we have is a small operating footprint, which means fewer systems where things can go wrong. We treat any suspected incident seriously and respond directly.
What we do not do
- We do not offshore sensitive client data.
- We do not sell or share client data with third parties for any commercial purpose.
- We do not retain client system access after an engagement closes.
- We do not store client data in consumer-grade cloud tools (personal Dropbox, personal Google Drive, etc.) on engagements involving sensitive information.
For procurement reviewers
If your engagement involves sensitive personal data (health information, workers' compensation records, insurance data, financial records), we are prepared to discuss our data handling approach during the proposal stage and include specific security requirements in the project contract. Contact brett@theyellowbirdcompany.com or procurement@theyellowbirdcompany.com.
We will not represent capabilities we do not have. If an engagement requires a level of formal certification (SOC 2, ISO 27001, FedRAMP equivalent) that we do not currently hold, we will say so rather than claim otherwise.
Contact
Brett Carter, Principal
brett@theyellowbirdcompany.com
Yellow Bird Company, Victoria BC