Data & Privacy

Security & Data Protection.

When you engage NED you are sharing some of the most sensitive documents in your organization — project agreements, financial models, interconnection agreements, tax credit transfer documentation, and proprietary transaction materials. We take that responsibility seriously. Jon Previtali, NED's CEO, has spent his career handling confidential transaction materials in demanding professional and regulatory environments, both at a major US bank and as a consultant to banks. We treat every client document with the same care.

This page describes our security practices, the platforms we use, the data we accept, and the controls we have implemented. A downloadable summary is available below. Last updated: March 26, 2026.

Platforms & Infrastructure

NED builds its security posture on enterprise-grade platforms with independently verified security certifications. We do not build or maintain our own server infrastructure for client data. All client-facing data flows through three platforms: Anthropic Claude Max (AI-assisted analysis), Box.com (document storage and sharing), and GoDaddy Microsoft 365 (email). Each is described below with links to their security documentation.

Anthropic Claude Max — AI Analysis

NED uses Anthropic’s Claude at the Max subscription tier with model training disabled. Your conversation data and submitted documents are not used to train any AI model and are not shared with any other entity.

How We Use Claude

Claude is used to assist with document review, analysis, drafting, and research. All AI-generated output is reviewed and verified by a qualified NED principal before delivery. Claude accelerates the work; Jon’s expertise and judgment make it reliable.

Projects — Isolated Per Engagement

NED uses Claude’s Projects feature to maintain a dedicated, isolated workspace for each client engagement. Your documents and conversations are contained within your project — not accessible to or viewable by any other client.

Encryption & Data Handling

All data submitted to Claude is encrypted in transit and at rest on Anthropic’s infrastructure. Anthropic maintains SOC 2 Type II certification. Current Anthropic data and privacy practices are available at privacy.claude.com.

Box.com — Document Storage & Sharing

NED uses Box for secure document storage, sharing, and collaboration. Box is an enterprise-grade content management platform used by more than 100,000 organizations, including regulated financial institutions, healthcare organizations, and government agencies.

Encryption

All files stored on Box are encrypted at rest using AES 256-bit encryption and in transit using TLS 1.3 (falling back to TLS 1.2). Box employs a key-wrapping strategy that applies an additional layer of 256-bit AES encryption to the keys themselves. Box is FIPS 140-2 certified, confirming its cryptographic modules meet federal standards.

Access Controls

Box uses a zero-trust architecture with single sign-on (SSO), multi-factor authentication (MFA), and role-based access controls.

Compliance Certifications

Box holds certifications including SOC 1, SOC 2, ISO 27001, HIPAA, FedRAMP, PCI DSS, and FINRA SEC 17a-4. Data is hosted on Google Cloud Platform infrastructure with redundant primary and backup storage — files are replicated automatically at the time of upload.

Box Security & Trust Center · Box Compliance Overview

GoDaddy / Microsoft 365 — Email

NED’s email is hosted on Microsoft 365 through GoDaddy, a high-security business email platform backed by Microsoft’s enterprise infrastructure. All email accounts are protected by multi-factor authentication.

Encryption

Microsoft 365 automatically encrypts all messages sent within NED’s organization. For sensitive communications to external recipients, upon client request, NED can use GoDaddy’s Advanced Email Security (powered by Proofpoint), which encrypts outbound messages end-to-end in transit. Encrypted messages are accessible only to verified recipients via a secure link.

Threat Protection

Advanced Email Security includes anti-phishing protection, malicious attachment scanning, spoofing quarantine (blocking messages that appear to originate from NED’s domain but do not), and spam filtering. NED has enabled Microsoft Security Defaults, which enforce MFA across all accounts and block legacy authentication protocols that are a common vector for credential attacks.

Compliance

Microsoft 365 maintains compliance certifications including SOC 1, SOC 2, ISO 27001, HIPAA, and GDPR. GoDaddy’s Advanced Email Security is included on all NED Microsoft 365 plans.

GoDaddy Email Security Overview · Microsoft Trust Center

NIST Data Classification — What We Accept

NED aligns its data handling with the four-level commercial data classification framework consistent with NIST data classification guidance (NIST SP 800-53, NIST IR 8496). For all of NED’s engagements — across M&A and project finance, independent engineering, tax credit transfers, owner engineering, equipment assessment, software development, and marketing support — the relevant materials fall squarely within Level 2 (Internal / Sensitive) and are well within NED’s security posture. The levels below describe what NED accepts and does not accept.

Level 1 — Public

Information freely available or intended for public disclosure. No special handling required. Examples: press releases, published research, public project announcements, marketing materials, regulatory filings available on EDGAR or FERC.

✓  NED accepts Public data.

Level 2 — Internal / Sensitive

Non-public business information whose disclosure would cause limited harm but which is not subject to legal or contractual restriction. Requires reasonable access controls and standard confidentiality practices. Examples: draft due diligence reports, non-final term sheets, pre-NDA project summaries, general financial projections, IE reports shared under NDA, transaction timelines, non-sensitive correspondence.

✓  NED accepts Internal / Sensitive data — the most common category in our engagements.

Level 3 — Confidential

Information that is legally, regulatorily, or contractually restricted from unauthorized disclosure. Breach could cause significant financial, legal, or reputational harm. Requires strong access controls, encryption, and formal data handling agreements. Examples: personally identifiable information (PII), personally identifiable financial information (PIFI), Social Security numbers, tax identification numbers, bank account details, HIPAA-protected health information, payment card data (PCI DSS), attorney-client privileged communications, information subject to SEC Regulation FD, classified government information.

×  NED does not accept Confidential data as defined above. If you believe your engagement requires handling of Confidential data, please contact us to discuss a customized arrangement.

Level 4 — Restricted

The most sensitive category — information whose unauthorized disclosure could cause severe or catastrophic harm, trigger criminal liability, or compromise national security. Access limited to a small number of specifically authorized individuals. Examples: classified national security information, Top Secret government data, trade secrets protected under the Defend Trade Secrets Act, cryptographic keys and authentication credentials, information whose disclosure is prohibited by court order or consent decree.

×  NED does not accept Restricted data under any circumstances.

Regulated Organizations & Special Handling

For financial institutions subject to US banking regulations — including OCC, FDIC, Federal Reserve, or FINRA requirements — or organizations subject to GDPR or other EU privacy requirements, NED can apply more advanced data security upon request.

Where special handling is required for your engagement, it will be documented explicitly in your scope of work or engagement letter. Contact us to discuss your requirements before sharing any materials.

NIST SP 800-53 Controls We Apply

NED applies the following security controls consistent with NIST Special Publication 800-53 Rev. 5. The controls listed below apply directly to the platforms NED uses — Anthropic Claude, Box, and Microsoft 365 — and to NED’s operational practices for session management, authentication, and access. NED never stores client data on laptops or local devices. All client materials reside exclusively on Claude (Anthropic’s infrastructure), Box, or Microsoft 365.

Multi-Factor Authentication — NIST SP 800-53 IA-2

MFA is enabled and enforced on all NED accounts: Claude (Anthropic), Box, and Microsoft 365 / GoDaddy email. NED uses authenticator app-based MFA (time-based one-time passwords) rather than SMS, consistent with NIST SP 800-63B guidance. Microsoft Security Defaults enforce MFA across all Microsoft 365 accounts and block legacy authentication protocols. Box enforces MFA as part of its zero-trust architecture.

Session Lock — NIST SP 800-53 AC-11

All NED devices are configured to lock automatically after a period of inactivity, requiring re-authentication before resuming. Since client data is never stored locally, a locked device exposes no client materials — access to Claude, Box, and Microsoft 365 each requires separate re-authentication with MFA.

Password Management — NIST SP 800-53 IA-5

Passwords are never reused across services. Password complexity and length requirements meet or exceed NIST SP 800-63B guidelines.

Encryption in Transit and at Rest — NIST SP 800-53 SC-8, SC-28

All client data is encrypted in transit (TLS 1.3 / TLS 1.2) and at rest (AES-256) across all three platforms. Encryption is provided natively by Anthropic (Claude), Box, and Microsoft (email). NED does not transmit client materials via unencrypted channels.

Login Attempt Controls — NIST SP 800-53 AC-7

All NED platform accounts (Claude, Box, Microsoft 365) are configured to lock or alert after a threshold number of unsuccessful login attempts, limiting the risk of brute-force credential attacks.

Data Backup — NIST SP 800-53 CP-9

Client documents stored on Box are automatically replicated to a backup facility at the time of upload. Box maintains active-active data center redundancy, enabling rollback to the last known uncorrupted version of any file in the event of ransomware or accidental deletion. This backup capability is provided entirely by Box — no local backup copies are held by NED.

Data Retention

Unless directed otherwise by the client, NED retains client materials — including deliverables, work product, engagement records, and client-provided source materials — in a secure, access-controlled archive for a minimum of seven years from the conclusion of the engagement. This practice serves two purposes: it allows NED to retrieve materials quickly on your behalf if needed for future reference, litigation support, regulatory inquiry, or follow-on work; and it conforms to standard professional services data retention practices consistent with applicable statutes of limitations and recordkeeping norms.

Archived materials are stored in a dedicated area of NED’s Box environment. They are subject to the same encryption, access controls, and security practices described on this page.

Download Security Summary

A printable summary of NED’s security practices is available for distribution to your compliance, legal, or IT team.


Questions about our security practices? Contact us.