A senior practitioner's name is on every engagement. That only matters if the paperwork, the credentials, and the operating principles are visible up front. This page collects them in one place — previews of the Business Associate Agreement, Master Services Agreement, and Data Processing Addendum, the founder's verifiable credentials, and a written list of behaviors that are off the table at Obsidian Ridge.
CISSP-led — senior practitioner on every engagement
Huntress Authorized Partner
Agreements we sign
BAA, MSA, and DPA — previewed here, signed before any work begins.
Every engagement begins with the paperwork it actually needs. Below is the template language; the full executable documents come back during the briefing once we know which apply.
Business Associate Agreement
BAA — HIPAA-covered engagements
Template language we sign with every HIPAA-covered client before any protected health information is touched. Defines permitted uses, safeguards, breach-notification timing under §164.410, subcontractor flow-down, and termination. The full document is available on request from the practitioner during the briefing.
Covered before any PHI is accessed — never after
Subcontractor flow-down to the Huntress platform and the 24/7 SOC
Breach notification within 60 days of discovery, per §164.410
Mutual termination rights and 30-day data-return obligation
Master Services Agreement
MSA — the working framework
Our standard MSA spells out scope, payment, change orders, confidentiality, IP ownership, liability caps, dispute resolution, and termination. No multi-year auto-renew traps. Each Statement of Work attaches to the MSA so renewal terms stay visible on every engagement. Full document on request.
Mutual NDA already inside — no separate document to chase
Annual term with explicit renewal opt-in, not silent auto-renew
Liability cap and indemnity language reviewed against insurer requirements
Termination for convenience with documented data-return procedure
Data Processing Addendum
DPA — for clients with privacy obligations
Addendum we sign when a client is a controller subject to GDPR, the UK GDPR, the CCPA/CPRA, or another comprehensive privacy law. Defines processor obligations, sub-processor list, transfer mechanisms (SCCs where applicable), security-incident notification, and assistance with data-subject requests. Full document on request.
EU/UK Standard Contractual Clauses incorporated by reference where relevant
Sub-processor list maintained and made available to the controller
Security-incident notification without undue delay, with detail the controller needs to notify regulators
Assistance with data-subject access, deletion, and portability requests
The current version of any agreement is sent on request. Existing clients get notified before terms change — never silently.
Partner posture
Huntress Authorized Partner
Obsidian Ridge is a designated Huntress partner-of-record. That means we operate the Huntress Managed EDR, Managed ITDR, Managed Security Awareness Training, and Managed SIEM platforms end-to-end for our clients — deployment, alert triage, escalation handling, incident response coordination, and compliance evidence packaging. Huntress operates the 24/7 SOC behind the detection platforms; we add the practitioner program that turns the platform into an outcome.
Obsidian Ridge is led by a CISSP-certified security practitioner with 10+ years of cybersecurity experience spanning the IDF, the Israeli Government Tax Authority as Production Technical Lead, Deloitte in Digital Forensics & Risk Analytics, Varonis as a Cyber Security Architect, Cypress Creek Renewables as a Cloud Security Analyst, and TEKRiSQ as Director of Security Solutions — currently leading Zero Trust Island Browser deployment for a Fortune 500 airline. Work spans individual protection, small business security, and enterprise environments.
Each credential is verifiable through its issuing body on request. The full bio, employment history, and engagement scope live on the About page.
Operating principles
What we never do.
Sales-driven security firms tend to communicate what they do. We find it more useful to tell you what is off the table — in writing, on a page you can link to and hold us against.
We don't sell, rent, or share client data.
Briefing intake, newsletter sign-ups, and service operational data are used only to deliver the work you hired us for. Our revenue is service fees and channel partnerships — not data.
We don't lock clients into multi-year auto-renew contracts.
Foundation is month-to-month. Protected and Complete run on annual terms with an explicit renewal opt-in, not silent auto-renew. You see the renewal date before it happens, every time.
We don't recommend tools we wouldn't deploy for ourselves.
Affiliate and reseller relationships are disclosed at the link, on the privacy page, and at the routing layer (/go/<vendor>). If a payout would change our honest recommendation, we walk away from the deal — not from the recommendation.
We don't fabricate testimonials, case studies, or credentials.
Every case study is real and either named with written consent or anonymized at the client's request. Every credential listed below has a verification path on request. No stock-photo founders, no AI-generated reviews, no inflated headcount.
We don't run cross-site advertising pixels.
No Meta Pixel, no Google Ads remarketing, no X tracking. Site analytics are privacy-respecting page-view and event counts, with no third-party trackers reading your visit.
We don't mark up the underlying security platforms.
Huntress Managed EDR, ITDR, SAT, and SIEM are pass-through-priced at Huntress' channel rate. We earn from Huntress' partner margin, not from a markup on your invoice. The premium is the practitioner program around the platform.
We don't pretend to be bigger than we are.
Obsidian Ridge is a CISSP-led practice with one senior practitioner on every engagement. We don't claim a 30-person SOC we don't have — Huntress operates the 24/7 SOC behind the detection platforms, and that relationship is named openly on every page that depends on it.
We don't use scare-tactic sales motions.
Briefings are free, 30 minutes, and we tell you when you don't need us. No urgency timers, no fake renewal pressure, no fear-driven upgrade emails. If the fit isn't there, we'll point you to something simpler — no hard feelings.
If you see us doing any of the above, email security@obsidianridge.io and call it out. We'll confirm, fix, or explain — in writing — within two business days.
Related policies
Where the rest is written down.
Privacy & Affiliate Disclosure
How we handle data, what we collect, the affiliate and reseller relationships behind our revenue, and how we're paid in plain English.
How refunds, cancellations, and pro-rations work across Foundation, Protected, and Complete — plus the policy for fixed-fee sprints and incident response blocks.
Our WCAG 2.2 AA target, known limitations, and how to request an accessible alternative or report a barrier — with a two-business-day response commitment.
The full BAA, MSA, and DPA are sent during the briefing once we know which apply. The briefing is free, 30 minutes, and we tell you when you don't need us.