Security Policy

Last Updated: October 28, 2025

At Bonfire AI LLC (“Bonfire AI”, “we”, “us”, or “our”), we understand that our clients and website visitors trust us with sensitive information, and we take that responsibility seriously. We maintain robust security measures to protect personal data and any confidential information entrusted to us. This Security Policy outlines key practices and safeguards we have implemented to ensure the integrity, confidentiality, and availability of data.

Data Encryption and Transmission

We use industry-standard encryption technologies to protect data. All web pages on our site are served over secure HTTPS connections, which means information you submit (for example, via our contact forms) is encrypted in transit using Secure Sockets Layer/Transport Layer Security (SSL/TLS). This encryption helps prevent unauthorized parties from intercepting your data while it moves between your browser and our servers. For any sensitive data that we handle in the course of our consulting services, our databases and file storage systems utilize strong encryption algorithms to safeguard data, adding an extra layer of protection in the unlikely event of unauthorized access.

Access Control and Confidentiality

Access to personal information and client data within our organization is restricted on a need-to-know basis. Only authorized Bonfire AI personnel and trusted contractors - including those in technical, operational, or business development roles - are granted access when required to fulfill their responsibilities. All employees and any third-party collaborators with access to data are bound by confidentiality agreements. Access logs are maintained where applicable, and we review permissions periodically to prevent unauthorized access.

Network and System Security

We maintain security protections on our systems and networks. Our website and internal systems are protected by firewalls and other security software to guard against unauthorized access and malicious attacks. We update and patch our software, servers, and applications to address security vulnerabilities and emerging risks. Additionally, we employ detection and prevention tools, and we segment critical systems to limit the impact of any potential security issue. Our hosting environments and service providers are chosen for their strong security track records. For example, if we use cloud infrastructure or third-party services, we ensure they have appropriate security certifications or compliance with standards, and we configure those services following security best practices.

Monitoring and Incident Response

We monitor our systems for signs of unauthorized access or unusual activity. This includes the use of detection systems, logging of key events, and review of security alerts. In the unfortunate event of a security incident or data breach, we have an incident response plan in place. This plan outlines steps to contain the incident, assess the scope of impact, and remediate the issue. As part of this plan, we will also notify affected parties and regulatory authorities as required by law. We are prepared to act quickly to mitigate any damage. If a breach involves personal data, we will provide timely notification to individuals (and any required regulators) with information on the nature of the breach and guidance on steps they should take to protect themselves, in accordance with applicable breach notification laws.

Third-Party Security and Data Handling

We work with reputable third-party vendors and service providers to support our operations (for example, web hosting providers, cloud service providers, and SaaS tools like Google Analytics and HubSpot). We vet these providers for strong security practices and require that they implement appropriate security measures to protect any data we entrust to them.

If, in the course of providing consulting services, we handle sensitive client data (for example, proprietary business information or personal data that our clients share with us), we treat such data with the highest care. We typically enter into confidentiality agreements or NDAs with our clients to formally commit to protecting their information. In cases where we may handle regulated data on behalf of a client — for instance, Protected Health Information (PHI) under U.S. healthcare laws — we will execute a Business Associate Agreement and comply with all applicable HIPAA requirements for safeguarding that information. We apply any additional security controls needed to meet specific industry regulations when handling client data (such as HIPAA, GDPR for EU personal data, or other frameworks relevant to our client's needs).

Compliance with Standards and Regulations

We comply with applicable data protection laws such as the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), which include obligations to maintain reasonable and appropriate security measures for personal information. We stay informed about security standards and frameworks and continuously improve our safeguards in line with those guidelines. When dealing with particular sectors or types of data, we adhere to relevant standards (for example, as noted, we follow HIPAA Security Rule standards for health data, and we can adapt to other standards like PCI-DSS for any payment data, although our website does not currently collect payment information).

Team Member Training and Awareness

Security is not just about technology — it's also about people. We emphasize good security hygiene, such as using strong, unique passwords (with multi-factor authentication enabled on our accounts whenever possible), recognizing and avoiding phishing or social engineering attacks, and handling data in accordance with our privacy principles. We foster a culture of security awareness where team members are encouraged to be vigilant and immediately report any suspicious activities or potential vulnerabilities to our security team or management.

Ongoing Evaluation

We recognize that cybersecurity threats evolve rapidly. Therefore, we treat security as an ongoing process. We monitor developments in cybersecurity and data privacy, allowing us to assess and update our controls, systems, and policies to meet new challenges, address emerging risks, and maintain a strong security posture to protect the trust that our clients and users place in us.

Questions or Reporting Concerns

If you have any questions about our Security Policy or if you believe you have discovered a vulnerability or security concern involving Bonfire AI, please contact us immediately. You can reach our security team at: security@bonfirestudios.ai (or through our main contact channels listed on our website). We take all reports seriously and will investigate any security issues promptly. We appreciate the assistance of anyone who brings potential issues to our attention, and we are committed to maintaining an open dialogue about security with our community.