Information Security Policy
How I handle your data.
When you hire me to rebuild your site, I gain access to your domain, your hosting, sometimes your database. Here is exactly what I do with that access.
What I get access to
Depending on your project, I may receive:
- DNS provider login (to migrate the domain)
- WordPress admin credentials (to export content)
- Database dump or read-only DB access (for content + booking data)
- Image and brand asset folders
- Analytics and Search Console accounts
I never need access to financial systems, payment processors, customer support tools, or employee data. If something I do not need is offered, I decline and tell you.
How credentials are stored
- I use 1Password as my sole credential vault. End-to-end encrypted, master-password-locked, hardware-key 2FA on the account.
- Credentials sit in a per-client vault, isolated from other clients and from my personal credentials.
- I do not store credentials in plain text, in code, in chat history, or in email.
- When the project ends, your vault is exported to you (encrypted) and deleted from my side within 7 days unless you ask me to keep it for ongoing support.
How code and content are stored
- Source code lives in a private GitHub repository, accessible only to me. On request, I add you as a collaborator before launch and transfer ownership at delivery.
- Content exports (database dumps, image archives) sit in encrypted local storage during the project and are deleted within 30 days of launch.
- No client content is ever stored on third-party "AI" services or LLM providers.
Third-party services I use during a project
- Cloudflare — hosting, CDN, edge functions. SOC 2 + ISO 27001 certified.
- GitHub — source control. SOC 2 + ISO 27001 certified.
- 1Password — credential storage. SOC 2 certified.
- Google PageSpeed Insights — performance audits (only sends your public URL, no credentials).
Encryption
- All data in transit uses HTTPS (TLS 1.3 where supported).
- Production sites enforce HSTS.
- Local backups are encrypted at rest using FileVault (macOS).
- Credentials in transit between me and you go via 1Password share links (encrypted, time-limited) or Signal — never email or SMS.
Incident response
If a security incident affects your site or data — credential leak, deployment breach, exposed dump — I notify you within 24 hours of discovery, document what happened, and tell you what data may have been exposed and what I am doing about it. I do not wait to "investigate further" before telling you.
My access after the project ends
On final payment + handoff, I revoke all my own access to your systems within 7 days unless you have engaged me for ongoing support. You receive written confirmation when access is revoked.
Your rights
You can ask me at any time to:
- List every system I currently have access to on your behalf.
- Revoke specific credentials.
- Delete any data of yours I currently hold.
I respond within 7 days, usually within 1. Email hello@michaelmorakis.com.
Last updated 2026-05-01.