
Security + Privacy

Practical policies for protecting client work

This page summarizes the security and privacy practices North Valley AI Security follows during client work. It is written to answer the kinds of questions clients may ask during vendor review, including topics commonly seen in SOC 2-style due diligence, NIST AI governance, cybersecurity review, privacy review, and compliance-readiness conversations.

This is not a SOC 2 report, certification, legal opinion, or guarantee of security. NIST frameworks are voluntary guidance, and SOC 2 reports are independent CPA attestation reports based on the AICPA Trust Services Criteria. Legal, regulatory, and audit requirements should be confirmed with qualified counsel or an independent auditor.

Last reviewed: May 22, 2026

Security

Controls are intended to protect client information and systems from unauthorized access, misuse, or avoidable exposure.

Availability

Availability expectations, support windows, response times, and continuity needs are defined in writing for each engagement.

Confidentiality

Client information is treated as confidential and is shared only when needed for the approved work or as required by law.

Privacy

Personal information is minimized, handled for stated purposes, and not used for unrelated marketing or tracking.

Processing Integrity

For builds and automations, expected behavior, review points, and handoff requirements are documented before production use.

Standards alignment

How the practice maps to modern AI and security frameworks

The goal is not to make small businesses feel buried in compliance language. The goal is to translate recognized frameworks into practical steps, useful evidence, and safer day-to-day decisions.

NIST AI RMF

AI work is organized around practical governance, workflow context, risk measurement, and risk treatment so AI use is intentional instead of ad hoc.

  • Govern: assign ownership, policy, and acceptable-use expectations
  • Map: understand the business workflow, data, people, vendors, and likely impacts
  • Measure: review risks such as data exposure, accuracy, misuse, and access
  • Manage: prioritize safeguards, documentation, monitoring, and follow-up

NIST Generative AI Profile

Generative AI reviews consider risks that matter for AI assistants, office AI features, meeting assistants, document helpers, and workflow automation.

  • Sensitive data in prompts, files, meetings, and connected tools
  • Prompt injection, unsafe outputs, overreliance, and hallucination risk
  • Vendor settings for retention, training use, sharing, and admin control
  • Human review, provenance, disclosure, and escalation expectations

NIST Cybersecurity Framework 2.0

Cybersecurity recommendations are shaped around the CSF lifecycle so owners can see what to govern, identify, protect, detect, respond to, and recover from.

  • Govern and identify business-critical accounts, devices, vendors, and data
  • Protect email, domains, admin accounts, passwords, MFA, backups, and devices
  • Detect common account, website, and vendor warning signs
  • Respond and recover with clear contacts, priorities, and handoff notes

NIST Privacy Framework

Privacy guidance focuses on knowing what data exists, why it is used, who can access it, and how unnecessary collection or sharing can be reduced.

  • Identify personal and sensitive data in business workflows
  • Govern privacy expectations through policy and staff guidance
  • Control collection, access, retention, vendor sharing, and AI use
  • Communicate privacy limits and protect data with practical safeguards

Operating practices

Policies that guide client engagements

Each engagement can have more specific terms, but these are the default expectations for careful, authorized, privacy-conscious work.

Governance and accountability

North Valley AI Security is a sole-proprietor practice. Kevin Kahn is responsible for client scope, security decisions, vendor selection, and policy upkeep unless a written agreement says otherwise.

Written scope and authorization

Work begins only after the client confirms scope, authority, and expected deliverables. Unauthorized access, credential attacks, intrusive testing, and third-party testing are not performed without explicit written authorization.

Data minimization

Client data requests are limited to what is needed for the approved work. Passwords, secrets, regulated data, and highly sensitive materials should not be sent through first-contact channels.

Access control

Client access is requested only when needed, reviewed for scope fit, protected with strong authentication where available, and removed or returned when the engagement no longer requires it.

Secrets and credentials

Passwords, API keys, tokens, recovery codes, and private keys should be shared only through an agreed secure method. Credentials are not stored in website forms or unmanaged notes.

Device and workspace security

Business devices used for client work are expected to apply operating-system updates and to use device lock, encryption where available, a password manager, and MFA on critical accounts.

Secure development and changes

Custom tools and automations are scoped, documented, reviewed before handoff, and changed intentionally. Production changes, secrets, and client data handling are agreed before use.

Vendor and AI tool review

Vendors and AI tools are reviewed for business fit, data handling, access, retention, admin controls, training-use settings, export options, and practical risk before sensitive information is shared.

AI inventory and approved use

AI tools, connected apps, use cases, data types, owners, and approval status should be documented when they matter to the engagement. Shadow AI risks are handled through plain-language rules and realistic alternatives.

Human review and verification

AI outputs that affect clients, finances, security, legal duties, health, employment, or business-critical decisions should be reviewed by a responsible person before use.

Policy and regulatory readiness

Recommendations are designed to help clients prepare for reasonable vendor review, contract, privacy, security, and AI governance questions. Legal compliance decisions remain the client's responsibility with qualified counsel where needed.

Incident handling

Suspected security incidents are documented, triaged, and communicated based on severity, client impact, and agreed contact paths. Emergency response is not guaranteed unless separately agreed.

Continuity and support expectations

Support hours, response expectations, backup responsibilities, continuity needs, and recurring advisory cadence are defined in the engagement scope or retainer terms.

Logging and monitoring

The public website avoids analytics and tracking. Client project logging, monitoring, and evidence collection are discussed only when relevant to the approved work.

Subcontractors and third parties

Subcontractors are not used for client work unless discussed with the client. Third-party services are chosen with privacy, access, and data handling in mind.

Compliance readiness

Regulations are handled by scope, industry, and data type

North Valley AI Security can help organize the technical and policy pieces clients often need for compliance conversations, but it does not provide legal advice or guarantee regulatory compliance.

California privacy readiness

For California businesses, privacy notices, data categories, sensitive personal information, vendor sharing, and consumer request workflows may need review under CCPA/CPRA depending on whether the law applies.

FTC and customer information safeguards

Financial, lending, real estate, auto, and other covered organizations may need a written information security program, service-provider oversight, and customer information safeguards under FTC/GLBA requirements.

HIPAA-sensitive workflows

Health and wellness organizations that are covered entities or business associates should treat electronic protected health information as a separately scoped workflow with administrative, physical, and technical safeguards.

Payment and cardholder data

Businesses that process card payments should avoid storing cardholder data in local tools, forms, AI prompts, or documents unless a properly scoped PCI DSS approach is in place.

AI management systems and client questionnaires

For larger clients, vendor questionnaires may ask about AI governance, risk assessment, responsible AI management, evidence, and documentation similar to SOC 2, NIST, or ISO/IEC 42001 expectations.

Evidence readiness

Records that can support client due diligence

For clients that need a security questionnaire, vendor review, or SOC 2-style evidence packet, available evidence depends on the work performed and the written agreement.

  • Signed scope or written authorization
  • AI tool inventory, approved-use list, or workflow map
  • Data classification and sensitive-data handling notes
  • Access list and removal notes
  • Risk summary or 30/60/90-day roadmap
  • Vendor or AI tool review notes
  • AI policy, staff training, or human-review guidance
  • Change notes for approved setup or build work
  • Incident notes when an issue is reported
  • Monthly advisory notes and roadmap tracking

Reference frameworks

Public sources used for alignment

These links are provided for transparency and client due diligence. They do not make this page an audit report, certification, or legal compliance opinion.

Need this mapped to a questionnaire?

Security questionnaires, vendor review requests, and policy packets can be handled as part of monthly advisory or a scoped documentation project.