Having worked with mid-market clients, we’re always prepared to meet the vendor onboarding requirements of IT, procurement and legal teams.
Step 7 Consulting operates with the professionalism, documentation, and security practices that mid-market and enterprise IT, procurement and legal teams require — without the overhead of a large firm. This page outlines what your team needs before we begin and the controls we maintain across every engagement.
If you need a Certificate of Insurance, security questionnaire response, W-9, or MSA, contact us and we’ll turn it around promptly.
What to Expect
A summary of what your IT, procurement and legal teams can expect from us:
- NDA. Executed prior to any discussion involving proprietary business information. We have a standard form or will work with your template.
- Master Services Agreement (MSA). Our standard MSA template is available. Client templates are accepted and reviewed promptly.
- Statement of Work (SOW). Every engagement is scoped in a written SOW defining deliverables, timelines, and access requirements before work begins.
- Certificate of Insurance. Available on request for qualified engagements, including additional insured endorsements where required.
- Security questionnaire. We welcome and respond to vendor security questionnaires as part of your procurement process.
- W-9 and business verification. Step 7 Consulting, Inc. is a registered Washington State business entity. W-9 and business registration documentation available on request.
Start a Conversation
If your team is evaluating Step 7 as a vendor and needs documentation, questionnaire responses, or a conversation about specific requirements, we’re ready to help.
→ Contact us to request insurance certificates, security documentation, or to kick off a procurement conversation.
→ Schedule a Consultation to discuss an upcoming engagement.
Insurance Coverage
Step 7 Consulting carries active Professional Liability (E&O) and Cyber Liability insurance. Certificates of Insurance are available upon request for qualified engagements.
Professional Liability (E&O)
Errors & Omissions coverage responds to claims that professional services, software deliverables, or advice provided in the course of an engagement caused a loss, giving clients a funded source of recovery rather than relying on the firm's balance sheet alone.
Cyber Liability
Cyber Liability coverage addresses risks arising from data incidents, unauthorized access, and technology-related claims associated with client engagements.
Certificate of Insurance
Certificates of Insurance (COIs) are available on request for qualified engagements. Additional insured endorsements can be accommodated where required by your procurement process.
Data Handling & Confidentiality
How we treat client data before, during, and after an engagement:
- Mutual NDAs as standard practice. Every engagement begins with a mutual non-disclosure agreement prior to any exchange of sensitive information.
- No unnecessary data retention. Client data, credentials, and documents are retained only for the duration of active project work and deleted upon project close per a defined offboarding process.
- Minimum necessary access. We operate on a least-privilege model — requesting access only to the systems and data explicitly required to complete the defined scope of work.
- No sharing with third parties. Client data, business logic, and proprietary processes are never shared without explicit written consent.
- AI tool usage transparency. When AI-assisted tools are used in delivery, clients are informed. No proprietary client data is submitted to third-party AI systems without explicit approval.
Access & Credential Security
Controls governing how client systems are accessed and credentials are managed:
Multi-Factor Authentication
MFA is enforced on all accounts used for client system access, including cloud consoles, SaaS platforms, and collaboration tools.
Secure Credential Handling
API keys, passwords, and secrets are stored in dedicated secrets management tooling — never in source code, plaintext files, or email.
Access Revocation at Close
All credentials and permissions are formally revoked at engagement close.
Infrastructure & Development Security
Practices governing code, environments, and tooling on client engagements:
- Version control with access controls. All code is maintained in version-controlled repositories with appropriate branch protection and access restrictions.
- Environment separation. Development, staging, and production environments are maintained separately. Production access is restricted and auditable.
- Encrypted communications. All communications containing sensitive information occur over encrypted channels — TLS/HTTPS, encrypted email, or secure shared workspaces.
- Dependency awareness. Third-party libraries and dependencies are reviewed for known vulnerabilities prior to use in client-facing systems.
- Current patch discipline. Development tooling, operating systems, and software dependencies are kept current with security updates.
Regulatory & Compliance Familiarity
Step 7 works across regulated industries and designs systems with the data handling obligations of those environments in mind.
Financial Services & Fintech
Extensive experience architecting systems that integrate with regulated payment infrastructure (ACH) and the fintech platforms built on it (Plaid, Dwolla), as well as Salesforce, with awareness of the data handling obligations these environments carry.
Data Privacy (GDPR / CCPA)
Familiarity with data minimization, purpose limitation, and right-of-erasure principles. These inform system design regardless of whether full regulatory compliance is explicitly in scope.
HIPAA Awareness
Awareness of HIPAA requirements for projects touching health-related data.
SOC 2
We are able to work within and support client environments undergoing or maintaining a SOC 2 attestation, including supplying the vendor evidence (access reviews, offboarding records, credential handling practices) that a client's auditor may request.
