CreativeGround Cybersec

Transparency & Trust

We operate with clear, verifiable practices around testing, reporting, encryption, and handling. This page explains what we collect, who can read it, how we route disclosures, and how we’re accountable to both clients and contractors.

Outcome over noise
  • We prove realistic risk rather than chase scan volume.
  • Black-box testing mirrors real-world scenarios.
Duty to both sides
  • We represent clients and protect contractors.
  • We ensure legal scope, approvals, and safe delivery.
Least data, most clarity
  • We minimise personal data and log access.
  • We publish methods and accept scrutiny.

Evidence handling (whistleblowing & testing)

  • Whistleblower evidence is readable by CreativeGround only, not by contractors.
  • We decrypt in a segregated ‘evidence desk’ environment with access logging and four-eyes approvals for exports.
  • We redact before sharing with companies or authorities—unless the reporter explicitly consents to share raw artifacts, or law requires it.
  • All movement of evidence is recorded with timestamps, hashes, and approvers.
Note: We do not encourage or accept material obtained through unlawful access.

Encryption & keys

Submissions in the urgent modal are encrypted client-side. Evidence is encrypted to CreativeGround (so we can triage) and to the reporter (so they keep control).

PGP contact key
  • Key ID (short): Unavailable
  • Public key (armored): Not configured
Algorithms: OpenPGP (same key source as urgent modal).

Use of contractors & our responsibility

We focus on consulting and outsource pentesting to trusted partners under strict scopes. We ensure legality, approvals, and reporting are correct—and we take responsibility both ways: to protect contractors from unsafe asks, and to protect clients from unvetted activity.

  • Scopes, timelines, and points of contact are documented and signed.
  • High-risk tests require explicit written approvals and change controls.
  • Delivery uses safe handling: PoCs are delivered with two-key transfer (client + contractor) so we can stage and verify without broad exposure.
  • If reverse engineering or malware analysis is needed, we engage specialist partners under our controls.

Disclosure & mediation

For urgent risks to others’ data or safety, we can notify the relevant organisation or authority with anonymised details to protect the reporter. With consent, we can share redacted technical evidence.

We are not a law firm. When appropriate, we coordinate with your counsel to meet legal obligations and timelines.

Retention & deletion

  • Whistleblower metadata (routing info) is retained for the minimum time needed to mediate.
  • Encrypted evidence is retained only while the case is active or where law/contract requires.
  • On closure, we schedule deletion or return per agreement; logs and hash manifests are kept for audit where allowed.

Transparency summary

Open disclosures
Rolling, anonymised
Avg. first response
Business hours
Consent-based
Evidence exports
Redacted or legal requirement

We publish periodic summaries with counts and timelines. Personal data is not included.

Next step

Verify our key & see the policy

Compare the fingerprint above, then read how we handle intake, evidence, redaction, and disclosure timelines.