DATA SECURITY MEASURES ADDENDUM

Aaron Ott Coaching | www.aaronottcoaching.com/data-security
Version 1.0 | Effective Date: January 1, 2026 | Last Updated: February 24, 2026

This Data Security Measures Addendum (“Addendum”) describes the technical, administrative, and organizational safeguards implemented by Aaron Ott Coaching (“Coach”) to protect Confidential Information and Client Data as referenced in Section 9 of the Master Services Agreement (MSA) Version 1.0. This Addendum is incorporated by reference into the MSA and is available at www.aaronottcoaching.com/data-security.

Coach is committed to maintaining reasonable and appropriate security measures consistent with the nature and sensitivity of the data handled and the size and scope of Coach’s practice.

1. Access Controls & Authentication

  • All business platforms and applications are accessed using unique, long, complex Diceware-style passphrases that are not reused across platforms.

  • Passwords are stored and managed using a dedicated password manager (e.g., 1Password, LastPass, or Bitwarden) to ensure secure generation, storage, and retrieval.

  • Multi-factor authentication (MFA) is enabled on every platform and service that supports it, including email, cloud storage, payment processing, video conferencing, and AI tools.

  • Access to client data is limited to Coach and is not shared with employees, subcontractors, or third parties unless expressly disclosed in the Privacy Policy or MSA.

2. Device & Endpoint Security

  • Coach’s primary laptop hard drive is encrypted using full-disk encryption (e.g., FileVault or BitLocker) to protect data at rest in the event of device loss or theft.

  • All mobile devices used for business purposes are secured with biometric authentication (e.g., Face ID, fingerprint) and device-level encryption.

  • Devices are kept current with operating system and application security updates.

  • A VPN (Virtual Private Network) is used when accessing business systems on public or untrusted networks, including while traveling.

3. Data Encryption

  • Data in transit is protected via TLS/SSL encryption on all web-based platforms used by Coach (including Stripe, Google Workspace, Microsoft 365, Zoom, Calendly, Fireflies.ai, and Pocket).

  • Data at rest is encrypted on Coach’s local devices via full-disk encryption and through the native encryption provided by each third-party platform’s paid tier.

  • Payment data is processed exclusively through Stripe and is never stored on Coach’s systems. Stripe maintains PCI DSS compliance.

4. Third-Party Platform Security

Coach uses paid (non-free) tiers of all third-party platforms used in the delivery of coaching services, which generally include enhanced security features, enterprise-grade encryption, and data handling commitments. The platforms currently in use are listed in Section 4 of the Privacy Policy.

Coach selects platforms that maintain their own security certifications and data protection commitments. Coach periodically reviews the security posture and privacy policies of third-party platforms.

5. Session Recording & AI Tool Security

  • Session recordings and AI-generated transcripts are stored on the respective platforms (Fireflies.ai, Pocket) and are subject to those platforms’ security and encryption standards.

  • Coach does not store session recordings on unencrypted local media.

  • Access to recordings and transcripts is limited to Coach and is not shared with third parties unless required by law or with Client’s written consent.

  • Clients are informed when recording or AI tools are active, per the MSA and Privacy Policy.

6. Data Retention & Secure Deletion

  • Client Data is retained for a minimum of three (3) years following the end of an engagement, consistent with the MSA and Privacy Policy.

  • Clients may request deletion of their data at any time by submitting a written request to hello@aaronottcoaching.com.

  • Upon an approved deletion request or after the expiration of the minimum retention period, data is permanently deleted using each platform’s native delete functions (e.g., permanent delete in Google Workspace, Fireflies.ai, or the Stripe dashboard).

  • Coach will confirm deletion to the Client upon completion.

  • Anonymized or aggregated data that does not identify any individual client may be retained for business improvement purposes.

7. Cyber Incident & Breach Response

In the event of a Cyber Incident (as defined in the MSA) that affects Client Data or Confidential Information, Coach will follow this response protocol:

a. Detection & Containment. Upon discovering or being notified of a potential security incident, Coach will take immediate steps to contain the incident, including changing passwords, revoking access, or disabling compromised accounts as appropriate.

b. Assessment. Coach will assess the scope and nature of the incident, including which data and which clients may be affected.

c. Notification. Coach will notify affected clients via email as soon as reasonably practicable after discovery of the incident, providing a description of the incident, the types of data potentially affected, and the steps being taken to investigate and remediate.

d. Remediation. Coach will take commercially reasonable steps to remediate the incident, prevent recurrence, and cooperate with any client inquiries. This may include engaging third-party security professionals if warranted.

e. Documentation. Coach will document all incidents, response actions, and outcomes for internal records and to support continuous improvement of security practices.

f. Regulatory Compliance. If required by applicable law, Coach will file any necessary breach notifications with regulatory authorities.

8. Physical Security

  • In-person coaching sessions are conducted in private settings appropriate for confidential conversations.

  • Physical documents containing Client Data (if any) are stored securely and disposed of by shredding when no longer needed.

  • Coach does not maintain a shared office or co-working space where Client Data would be accessible to unauthorized individuals.

9. Training & Awareness

As a sole practitioner, Coach maintains personal awareness of cybersecurity best practices, including recognition of phishing attempts, social engineering, and other common attack vectors. Coach stays current with security advisories and recommendations from platform providers.

10. Updates to This Addendum

Coach may update this Addendum as security practices evolve. Active clients will be notified of material changes via email at least 7 days before changes take effect. The current version of this Addendum is always available at www.aaronottcoaching.com/data-security.

11. Contact

For questions or concerns about these security measures, please contact:

Aaron Ott Coaching
hello@aaronottcoaching.com
www.aaronottcoaching.com