Security & Data Protection
When you engage NED you are sharing some of the most sensitive documents in your organization — project agreements, financial models, interconnection agreements, tax credit transfer documentation, and proprietary transaction materials. We take that responsibility seriously. Working for a major US bank and also as a consultant to banks, Jon Previtali, NED's CEO, has spent his career handling confidential transaction materials in demanding professional and regulatory environments. We treat every client document with the same care.
This page describes our security practices, the platforms we use, the data we accept, and the controls we have implemented. A downloadable summary is available below. Last updated: April 20, 2026.
Platforms & Infrastructure
NED builds its security posture on independently certified cloud platforms. We do not build or maintain our own server infrastructure for client data. All client-facing data flows through three categories of platform: AI assistance (for document review and analysis), document storage (for secure storage and client sharing), and business email. Document storage and business email are procured under commercial business terms with Data Processing Agreements in place. AI assistance is subscribed at a professional tier with model training disabled at the account level; see AI Analysis below for details. Specific vendor names, product tiers, and configurations are available to prospective clients under NDA through our standard security questionnaire process.
AI Analysis
NED uses a leading AI assistant provided by a company that holds organizational SOC 2 Type II, ISO 27001:2022, and ISO/IEC 42001:2023 certifications. ISO/IEC 42001 is the international standard for AI management systems and provides independent assurance of the provider’s governance of AI model development and operation.
Subscription Tier and Training
NED subscribes to a professional-tier plan. Model training has been disabled in NED’s account settings, which means client documents and conversations are not used to train AI models. Under this configuration, conversation data is retained by the provider for a limited operational period (approximately 30 days) for trust and safety review, after which it is deleted from the provider’s systems. NED verifies that the training-disabled setting is still in effect as part of its periodic security review.
This subscription tier does not provide flow-through contractual commitments such as a Data Processing Agreement, Business Associate Agreement, or zero-data-retention addendum. Clients requiring these contractual assurances for a specific engagement — for example, financial institutions under banking regulator oversight, or organizations subject to GDPR data-processor obligations — should raise this requirement with NED before engagement. NED can provision an alternative arrangement (commercial-tier AI subscription or direct API access under commercial terms) on a per-engagement basis. Contact us to discuss your requirements.
How We Use AI
The AI platform is used to assist with document review, analysis, drafting, and research. All AI-generated output is reviewed and verified by a qualified NED principal before delivery. AI accelerates the work; NED’s expertise and judgment make it reliable.
Workspace Isolation
NED uses the platform’s project workspace feature to maintain a dedicated, isolated workspace for each client engagement. Your documents and conversations are contained within your workspace — not accessible to or viewable by any other client engagement.
Encryption
All data submitted to the AI platform is encrypted in transit and at rest on the provider’s infrastructure.
Document Storage & Sharing
NED uses an enterprise content management platform for secure document storage, sharing, and collaboration. The platform is used by tens of thousands of organizations including regulated financial institutions, healthcare organizations, and government agencies, and is procured by NED under commercial business terms with a Data Processing Agreement in place.
Encryption
All files are encrypted at rest using AES 256-bit encryption and in transit using modern TLS. The platform applies an additional cryptographic key-wrapping layer to the encryption keys themselves. Cryptographic modules are FIPS 140-2 validated, confirming they meet federal standards.
Access Controls
The platform operates on a zero-trust architecture with single sign-on (SSO), multi-factor authentication (MFA), and role-based access controls. NED configures folder-level permissions per engagement.
Compliance Certifications
The platform holds certifications including SOC 1, SOC 2, ISO 27001, HIPAA, FedRAMP, PCI DSS, and FINRA SEC 17a-4. Files are replicated automatically to a backup facility at time of upload, with active-active data center redundancy and point-in-time recovery.
Business Email
NED’s email is hosted on a major cloud productivity platform on a business subscription tier with a Data Processing Agreement in place. All email accounts are protected by multi-factor authentication.
Encryption
Messages sent within NED’s organization are encrypted automatically. For sensitive communications to external recipients, enterprise-grade email encryption is available upon client request; encrypted messages are accessible only to verified recipients via a secure link.
Threat Protection
Inbound and outbound mail pass through enterprise threat protection including anti-phishing, malicious-attachment scanning, spoofing quarantine (blocking messages that appear to originate from NED’s domain but do not), and spam filtering. Tenant-level security baselines enforce MFA on all accounts and block legacy authentication protocols that are a common vector for credential attacks.
Compliance
The platform maintains compliance certifications including SOC 1, SOC 2, ISO 27001, HIPAA, and GDPR.
NIST Data Classification — What We Accept
NED aligns its data handling with the four-level commercial data classification framework consistent with NIST data classification guidance (NIST SP 800-53, NIST IR 8496). For all of NED’s engagements — across M&A and project finance, independent engineering, tax credit transfers, owner engineering, equipment assessment, software development, and marketing support — the relevant materials fall squarely within Level 2 (Internal / Sensitive) and are well within NED’s security posture. The levels below describe what NED accepts and does not accept.
Level 1 — Public
Information freely available or intended for public disclosure. No special handling required. Examples: press releases, published research, public project announcements, marketing materials, regulatory filings available on EDGAR or FERC.
✓ NED accepts Public data.
Level 2 — Internal / Sensitive
Non-public business information whose disclosure would cause limited harm but which is not subject to legal or contractual restriction. Requires reasonable access controls and standard confidentiality practices. Examples: draft due diligence reports, non-final term sheets, pre-NDA project summaries, general financial projections, IE reports shared under NDA, transaction timelines, non-sensitive correspondence.
✓ NED accepts Internal / Sensitive data — the most common category in our engagements.
Level 3 — Confidential
Information that is legally, regulatorily, or contractually restricted from unauthorized disclosure. Breach could cause significant financial, legal, or reputational harm. Requires strong access controls, encryption, and formal data handling agreements. Examples: personally identifiable information (PII), personally identifiable financial information (PIFI), Social Security numbers, tax identification numbers, bank account details, HIPAA-protected health information, payment card data (PCI DSS), attorney-client privileged communications, information subject to SEC Regulation FD, classified government information.
× NED does not accept Confidential data as defined above. If you believe your engagement requires handling of Confidential data, please contact us to discuss a customized arrangement.
Level 4 — Restricted
The most sensitive category — information whose unauthorized disclosure could cause severe or catastrophic harm, trigger criminal liability, or compromise national security. Access limited to a small number of specifically authorized individuals. Examples: classified national security information, Top Secret government data, trade secrets protected under the Defend Trade Secrets Act, cryptographic keys and authentication credentials, information whose disclosure is prohibited by court order or consent decree.
× NED does not accept Restricted data under any circumstances.
Regulated Organizations & Special Handling
For financial institutions subject to US banking regulations — including OCC, FDIC, Federal Reserve, or FINRA requirements — or organizations subject to GDPR or other EU privacy requirements, NED can apply more advanced data security upon request.
Where special handling is required for your engagement, it will be documented explicitly in your scope of work or engagement letter. Contact us to discuss your requirements before sharing any materials.
NIST SP 800-53 Controls We Apply
NED applies the following security controls consistent with NIST Special Publication 800-53 Rev. 5. The controls listed below apply across NED’s three platform categories — AI assistance, document storage, and business email — and to NED’s operational practices for session management, authentication, and access. NED never stores client data on laptops or local devices. All client materials reside exclusively on the encrypted cloud platforms described above.
Multi-Factor Authentication — NIST SP 800-53 IA-2
MFA is enabled and enforced on all NED platform accounts, using phishing-resistant methods consistent with NIST SP 800-63B guidance. Tenant-level security baselines enforce MFA and block legacy authentication protocols across the business platforms.
Session Lock — NIST SP 800-53 AC-11
All NED devices are configured to lock automatically after a period of inactivity, requiring re-authentication before resuming. Since client data is never stored locally, a locked device exposes no client materials — access to each platform requires separate re-authentication with MFA.
Password Management — NIST SP 800-53 IA-5
Passwords are never reused across services. Password complexity and length requirements meet or exceed NIST SP 800-63B guidelines.
Encryption in Transit and at Rest — NIST SP 800-53 SC-8, SC-28
All client data is encrypted in transit using modern TLS and at rest using AES-256 across all three platforms. Encryption is provided natively by each platform. NED does not transmit client materials via unencrypted channels.
Login Attempt Controls — NIST SP 800-53 AC-7
All NED platform accounts are configured to lock or alert after a threshold of unsuccessful login attempts, limiting the risk of brute-force credential attacks.
Data Backup — NIST SP 800-53 CP-9
Client documents on the document storage platform are replicated automatically to a backup facility at the time of upload. The platform maintains active-active data center redundancy and point-in-time recovery, enabling rollback to the last known uncorrupted version of any file in the event of ransomware or accidental deletion. No local backup copies are held by NED.
Data Retention
Unless directed otherwise by the client, NED retains client materials — including deliverables, work product, engagement records, and client-provided source materials — in a secure, access-controlled archive for a minimum of seven years from the conclusion of the engagement. This practice serves two purposes: it allows NED to retrieve materials quickly on your behalf if needed for future reference, litigation support, regulatory inquiry, or follow-on work; and it conforms to standard professional services data retention practices consistent with applicable statutes of limitations and recordkeeping norms.
Archived materials are stored in a dedicated, access-restricted area of NED’s document management platform. They are subject to the same encryption, access controls, and security practices described on this page.
Download Security Summary
A printable summary of NED’s security practices is available for distribution to your compliance, legal, or IT team.