(N°·LEGAL) Security v.1.0 · 05·01·26

Security.

How the studio protects the data clients entrust to us: the safeguards behind every engagement.

Effective Date: May 1, 2026 / Last Updated: May 1, 2026 / Version: 1.0

1. Our practices

The full set of administrative, technical, and physical safeguards we apply to a given engagement is documented in the relevant Engagement Agreement and Data Processing Addendum. What follows is a studio-level summary of the safeguards we apply as a matter of practice; the specific commitments for any engagement are set out in those documents.

  • Encryption in transit and at rest. Web traffic is served over TLS. Where we store client data, it is encrypted at rest at the provider level using industry-standard ciphers.
  • Least-privilege access. Access to client systems, ad accounts, analytics properties, and CRM data is granted on a need-to-know basis. Default permissions are the most restrictive set that still lets the work get done.
  • Access removal. When a role changes or someone leaves the studio, we remove access to client systems that is no longer required.
  • Strong authentication. We use multi-factor authentication on studio accounts and on third-party platforms wherever it is supported, and we avoid shared logins.
  • Endpoint hardening. Studio devices are configured with full-disk encryption, current security updates, screen-lock timeouts, and remote-wipe capability where available.
  • Vendor due diligence. New sub-processors are reviewed against this policy and the relevant DPA. The current list of categories appears in our DPA; a named list is available to clients on written request.
  • Incident response. We follow an incident-response approach covering triage, containment, eradication, recovery, and notification of affected clients, and we develop it further as the studio grows.
  • Backups. Critical systems are backed up regularly so that data can be recovered if something fails.

2. How we handle incidents

We follow an incident-response approach covering triage, containment, eradication, recovery, and notification. If a security event affects data we process on a client's behalf, that client is notified without undue delay, and the notification obligations set out in the relevant Data Processing Addendum govern what we share and when.

3. Shared responsibility

Security is strongest when both sides hold up their end. We ask clients to use strong, unique credentials, enable multi-factor authentication on the accounts and platforms they control, and grant the studio only the access an engagement actually requires. The safeguards above protect the data within our control; the accounts, devices, and networks a client operates remain the client's responsibility.

4. Contact

For questions about the practices described on this page, or any other security-related correspondence:

Click Element Media
Attn: Security
Email: [email protected]

Read the DPA