// the data promise

The data promise.

Our work sometimes needs the keys to your business: your inbox, your store, your customer list. This page is the promise we make about how we treat them. It goes into every proposal we send, and it's one page on purpose.

Published · July 7, 2026
01

We access only what the work needs

Every engagement starts with a list. The proposal names each system we'll touch (say, your Shopify admin and your MailChimp account) and what we'll do in it. If a system isn't on the list, we don't log in to it. When the work changes, the list changes in writing first.

02

Credentials live in a locked vault

We'd rather not hold your password at all. Where a tool supports it, you invite us as our own user with a limited role, and you can remove that user any time in about a minute. When a shared password is the only option, it goes straight into an encrypted password manager with two-factor authentication turned on.

We never keep passwords in email, text messages, notes, or documents, and we never pass them to anyone else.

03

Your business stays separate from every other client

Everything about your business lives in its own folder, its own vault section, and its own AI workspace. Nothing gets mixed. We never use one client's information in another client's work, and we never tell your story publicly, even anonymized, without your written OK.

04

AI tools don't train on your data

We use AI tools on client work; that's the job. The accounts we use are business tiers that exclude your inputs from model training by contract, and a human reviews everything before it reaches you. The full detail is in our privacy policy.

05

When you say delete, we delete

Everything we build is yours: the files, the write-ups, the accounts. At handoff you get all of it. Ask us to delete our copies and we will, within 30 days, with written confirmation. The only exceptions are records the law makes us keep, like contracts and invoices.

You can also cut our access yourself at any point, mid-engagement or after. You don't need to ask, and you don't need a reason.

06

If something goes wrong, you hear it from us first

If a credential we hold is ever exposed, or a device or account we use is compromised, we tell you within 48 hours — what happened, what was touched, and what we've already done about it. Faster when the law requires it. We won't bury it, minimize it, or wait for you to notice.

07

Hold us to it

This promise ships with every proposal and engagement agreement. If you're a client and anything on this page doesn't match your experience, email us and we'll make it right.

The promise is made by
TM Works LLC (d/b/a Here Forward)