At Hilvy, we take the security of our clients' data and digital assets seriously. While we're a web agency at heart, we apply the same care and discipline as larger organisations when it comes to protecting information.
We build and host on trusted platforms — primarily Webflow and Vercel — which maintain industry-leading security certifications including SOC 2 and GDPR compliance. Where applicable, we also use AWS and other cloud services with equivalent standards.
Data is encrypted in transit using TLS/SSL. Where data is stored, we ensure it is held on platforms that apply encryption at rest as standard.
Only authorised team members and trusted subcontractors have access to client data. Access is granted on a least-privilege basis and reviewed regularly. We do not share client credentials or sensitive assets beyond what is strictly necessary to deliver the work.
We rely on cloud-native backups and version control (Git) to minimise disruption and ensure continuity. All code and project assets are stored in version-controlled repositories.
We apply security updates promptly to software, frameworks, and dependencies, and we monitor for known vulnerabilities in the tools we use.
We follow a privacy-by-design approach in all our projects. We only process personal data where necessary and in line with GDPR and UK GDPR requirements.
When acting as a data processor on behalf of clients, we comply with their Data Processing Agreements and handle data only as instructed. We do not retain client data beyond the scope and duration of the engagement.
We use AI tools selectively to support certain parts of our internal process — such as research, drafting, and code review. This helps us work more efficiently without compromising the quality or integrity of the work we deliver.
We are careful about what information is shared with any AI tool. We do not input client data, confidential materials, or personal information into third-party AI systems. Where AI tools are used alongside client work, we ensure they meet appropriate data handling standards.
We may also recommend AI tools to clients where they would add genuine value to their product or workflow. Any such recommendation comes with honest guidance on capabilities, limitations, and data considerations.
Where we rely on third-party platforms and providers, we select partners who demonstrate strong security and compliance standards. We regularly review the tools we depend on and apply due diligence before introducing new services into our workflow or recommending them to clients.
If you believe you have found a security issue relating to our website or services, please contact us at info@hilvy.io. We take all reports seriously and will investigate promptly. We ask that you give us reasonable time to assess and address any issue before disclosing it publicly.
Security is an ongoing process, not a one-time checklist. We regularly review and improve our practices to ensure they meet the expectations of our clients — including those in regulated or enterprise environments. This policy is updated as our practices evolve.