Trust & Security

Last updated: May 16, 2026

A plain-English overview of how 123 OUTSOURCED, LLC protects client data. For a signed legal commitment, see our Data Processing Agreement.

Security posture, in honest terms

We operate to SOC 2 Trust Services Criteria — security, availability, confidentiality, processing integrity, and privacy — but we are not yet SOC 2 audited. We describe ourselves as SOC 2-aligned, not SOC 2-certified. A Type I audit is on our 2026 roadmap. Until then, the controls below are what we actually run; clients can request our internal control matrix under NDA.

Data protection in transit & at rest

  • TLS 1.2+ enforced on every public endpoint; HSTS preloaded.
  • AES-256 encryption at rest for the application database and object storage.
  • Secrets stored in a managed secret vault; never committed to source control.

Access control

  • SSO with mandatory MFA for every operator account.
  • Role-based access; per-tool, per-client least-privilege assignment.
  • Quarterly access reviews; immediate revocation on operator departure.
  • Row-level security on the multi-tenant database so clients only see their own data.

GDPR & US state privacy laws

  • Lawful basis documented per processing activity (contract, legitimate interest, consent).
  • Records of processing maintained under GDPR Art. 30.
  • Data subject requests (access, deletion, portability) handled within 30 days — email privacy@123outsourced.com or submit a tracked DSR.
  • EU Standard Contractual Clauses (2021/914, Module 2) and UK IDTA available in our DPA.
  • Aligned with CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA and TDPSA (Texas) where applicable.

Sub-processors

We rely on a short, audited list of sub-processors for hosting, email, payments and CRM. The current list is available on request from privacy@123outsourced.com; clients on a signed DPA are notified 30 days before any change.

Backups & business continuity

  • Daily encrypted backups of the application database.
  • Documented restore runbook, tested quarterly.
  • Target RPO: 24 hours. Target RTO: 8 business hours.

Incident response

We maintain a written incident response plan. Confirmed personal-data breaches are reported to affected clients without undue delay and, in any case, within 72 hours of discovery, in line with GDPR Art. 33. Report a suspected incident to security@123outsourced.com or file a tracked report.

Responsible disclosure

Security researchers can report vulnerabilities to security@123outsourced.com. We will acknowledge within 2 business days and will not pursue legal action against good-faith research that respects user privacy and avoids service degradation.

Documents available on request

  • Signed Data Processing Agreement (DPA) with EU SCCs & UK IDTA.
  • Mutual NDA.
  • Internal control matrix (SOC 2-aligned, under NDA).
  • Sub-processor list with hosting region.

Email legal@123outsourced.com and we will respond within two business days.