Security & Data Handling
Last Updated: May 14, 2026
This page documents Cold Creek's security posture, data handling architecture, and coordinated vulnerability disclosure process. It is intended for enterprise IT security reviewers, procurement teams, and security researchers.
1. Data Handling Architecture
Cold Creek's simulator stores all game state, including shift results, settings, and progress, exclusively in your own browser's localStorage. This data is never transmitted to Winter Howlers' servers or to any third party. There is no backend database, no user accounts, and no server-side session storage associated with simulator activity. The only outbound connections the simulator makes are to Vercel's infrastructure for the page itself and, if you submit the contact form on the /teams page, to FormSubmit.co for email forwarding. Neither of those connections involves your simulator game data. The practical consequence: Winter Howlers cannot be compelled to produce, disclose, or breach your simulator data because we do not hold it.
2. Transport Security
- TLS in transit: All page loads and form submissions use HTTPS (HSTS enforced via Strict-Transport-Security: max-age=31536000; includeSubDomains).
- Content Security Policy: Strict CSP including frame-ancestors limited to Vercel preview domains.
- Common headers: X-Content-Type-Options: nosniff, X-XSS-Protection, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy disabling camera, microphone, and geolocation.
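A reviewer can verify the header set listed above against a captured response. The following is an added example, not Winter Howlers' code: the function name `check_headers`, the sample values, and the `https://preview.example` origin are constructed for illustration, and X-XSS-Protection is not checked because the page gives no value for it.

```python
# Constructed sample response headers (not captured from the live site).
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors https://preview.example",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def check_headers(headers):
    """Return deviations from the header set documented in section 2."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # HSTS: ';'-separated directives, max-age in seconds.
    hsts = {}
    for part in h.get("strict-transport-security", "").split(";"):
        name, _, val = part.strip().partition("=")
        hsts[name.strip().lower()] = val.strip().strip('"')
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < 31536000:
        findings.append("HSTS max-age missing or below 31536000")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")

    # CSP: first occurrence of a directive wins, so use setdefault.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])
    if "frame-ancestors" not in csp:
        findings.append("CSP has no frame-ancestors directive")
    elif "*" in csp["frame-ancestors"]:
        findings.append("CSP frame-ancestors allows any origin")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy differs from the documented value")

    # Permissions-Policy: an empty allowlist "()" disables the feature.
    pp = {}
    for part in h.get("permissions-policy", "").split(","):
        name, _, val = part.strip().partition("=")
        pp[name.strip().lower()] = val.strip()
    for feature in ("camera", "microphone", "geolocation"):
        if pp.get(feature) != "()":
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings
```

An empty list means the response matches the documented values; each string in a non-empty list names one deviation to raise with the vendor.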
3. Sub-Processors
| Provider | Purpose | Data Shared |
|---|---|---|
| Vercel Inc. | Website hosting, edge delivery, and anonymized analytics | IP address (anonymized for analytics), page views, Web Vitals metrics |
| FormSubmit.co | Email forwarding for /teams contact form submissions only | Form fields you submit (name, work email, company, role, industry, team size, message) |
No other third-party processors handle Cold Creek user data. This list is current as of the Last Updated date above. We commit to updating this page at least 30 days before adding any new sub-processor that handles user data.
4. Infrastructure Compliance
Cold Creek's infrastructure provider, Vercel, holds SOC 2 Type II certification. Winter Howlers operates on top of Vercel's platform but does not separately maintain SOC 2 certification at this time. Enterprise customers requiring additional security certifications should reach out via /teams to discuss specific requirements.
5. Data Processing Agreement (DPA)
Enterprise customers may request a Data Processing Agreement by emailing hello@winterhowlers.com with the subject line "DPA Request." We respond within five business days.
6. Coordinated Vulnerability Disclosure
If you have identified a security vulnerability in Cold Creek, please report it to hello@winterhowlers.com. We commit to:
- Acknowledge receipt of valid reports within five business days.
- Provide a preliminary assessment within ten business days.
- Coordinate disclosure timing with the reporter.
- Acknowledge researchers who report valid findings (see Acknowledgments below).
Our machine-readable security contact follows RFC 9116 and is available at /.well-known/security.txt.
Please do not attempt denial-of-service, do not access user data that does not belong to you, and do not test against any third-party service we depend on (Vercel, FormSubmit). Reports involving social engineering of Winter Howlers personnel are out of scope.
7. Acknowledgments
We will acknowledge researchers who report valid findings to hello@winterhowlers.com. No reports have been received as of the Last Updated date.
8. Roadmap
The following items are on Winter Howlers' security roadmap for enterprise customers and are not currently available. Contact us if any of these are a requirement for your evaluation:
- Single sign-on (SSO) integration via SAML 2.0 or OIDC.
- Audit logging for enterprise customer activity.
- SOC 2 Type II certification (Winter Howlers, in addition to Vercel's existing certification).
None of these items have a published delivery timeline.
9. Contact
- Security email: hello@winterhowlers.com
- Subject line for vulnerability reports: "Security Report"
- Subject line for DPA requests: "DPA Request"
- RFC 9116 machine-readable: /.well-known/security.txt