Introduction
Tesária handles client information with the same care we apply to design. This policy explains how we protect the data entrusted to us during project engagements, the controls we maintain, and how we respond if something goes wrong. It supplements our Privacy Policy and applies to all client files, project assets, communications, and credentials shared with our studio.
Scope
This policy covers personal information, business information, project files, source materials, and access credentials handled by Tesária and our vetted collaborators in connection with client engagements. It applies across the full project lifecycle, from initial discovery through final handover and archival.
Data Classification
We classify information in four tiers:
- Public. Material approved for open distribution, such as published case studies.
- Internal. Operational information used within the studio.
- Confidential. Client project files, strategy documents, and pre-release brand assets.
- Restricted. Credentials, signed contracts, financial records, and personal information.
Each tier carries its own handling rules, with stricter controls applied as sensitivity increases.
Access Controls
Access to client information is limited to the founder and named collaborators assigned to a specific engagement. We follow the principle of least privilege, granting only the access required to complete the task. Collaborators sign confidentiality agreements before receiving any client material. Access is revoked promptly when an engagement ends or a collaborator's role changes.
Authentication and Account Security
All Tesária accounts are protected by strong, unique passwords managed through an encrypted password manager. Two-factor authentication is enabled on every account that supports it, including email, hosting, cloud storage, and design platforms. Shared client logins are avoided wherever possible and rotated immediately after use when unavoidable.
Device and Endpoint Security
Workstations used to access client information run current operating systems with automatic security updates enabled. Full-disk encryption is active on all devices (FileVault on macOS, BitLocker on Windows). Screens lock automatically after a short period of inactivity, and devices are never left unattended in public spaces with client files open.
Data in Transit and at Rest
All website traffic uses HTTPS with modern TLS configurations. Client files are transferred through encrypted cloud storage or secure project platforms, never through personal email or unencrypted messaging. Data at rest in our cloud workspaces is encrypted by the providers we use, and we select vendors based on documented security practices.
Vendor and Subprocessor Management
We keep our supplier list deliberately short. Each subprocessor is reviewed for security posture before onboarding and listed in our Privacy Policy when they handle personal information. We require contractual confidentiality and data-protection commitments from every collaborator and supplier.
Backups and Recovery
Active project files are backed up to encrypted cloud storage with version history. Backups are tested periodically to confirm files can be restored. In the event of a workstation failure or data loss, recovery procedures are designed to restore active project work within one business day.
Incident Response
If a security incident or suspected data breach occurs, Tesária follows a defined response process: contain the incident, assess its scope and the data affected, notify affected clients without undue delay, and notify the relevant supervisory authority where legally required. For breaches of personal information subject to the GDPR, we aim to notify the competent supervisory authority within 72 hours of becoming aware of the breach, and affected individuals without undue delay where the breach is likely to result in a high risk to them. For breaches subject to PIPEDA, we apply the real risk of significant harm test and, where it is met, report to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible.
Retention and Secure Deletion
Client files are retained for the duration of the engagement and for the periods set out in our Privacy Policy. When information is no longer needed, electronic files are deleted from active systems and removed from backup rotations on the next scheduled cycle. Physical materials, if any, are shredded.
Business Continuity
Tesária keeps client records and project files in encrypted cloud storage, and access credentials in the encrypted password manager, so that active engagements can be continued or handed over if the founder becomes unexpectedly unavailable. Clients are informed promptly of any disruption likely to affect agreed delivery dates.
Training and Awareness
The founder and all named collaborators are briefed on this policy before working on any client engagement. Updates to the policy are communicated as they take effect, and security practices are reviewed at least annually.
Compliance Alignment
This policy is designed to align with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the General Data Protection Regulation (GDPR) in the European Union, and recognised information security principles drawn from ISO/IEC 27001 and the NIST Cybersecurity Framework. Tesária is not currently certified to ISO/IEC 27001 and has not undergone a SOC 2 audit.
Changes to This Policy
We review this policy at least once every twelve months and after any significant change to our practices or systems. The "Last updated" date at the top of this page indicates when the most recent revision took effect.
Contact
For questions about this policy, or to report a suspected security concern, please contact:
Tesária
Downtown, Vancouver, British Columbia, Canada
coo@tesaria.tech