Professional Liability (Errors & Omissions)
Hiscox: $1M per claim / $2M aggregate
Covers claims arising from professional services — design errors, missed scope, integration defects discovered post-delivery.
Green Dolphin Software is structured for B2B enterprise engagement from day one. Insurance is in place. MSA and DPA templates are ready. Security posture is documented. Audit support is built into the standard contract.
Certificate of Insurance naming the client as Additional Insured is issued within 24 hours of contract signature.
$1M per occurrence / $2M aggregate
Covers third-party bodily injury, property damage, and advertising-injury claims arising from business operations.
$1M aggregate
Covers privacy and network-security claims, breach response costs, regulatory fines, and business interruption arising from a data incident.
Standard contracts ready to share with your legal team under NDA. We adapt to client paper where reasonable; our standard terms are designed to be acceptable to Fortune 500 procurement.
Standard fixed-bid MSA template available for review under NDA prior to first engagement. California governing law. 50/50 payment terms. Liability cap = fees paid in the 12 months preceding the claim, with carve-outs for confidentiality, indemnification, and gross negligence.
GDPR + CCPA + UK-GDPR compliant DPA available. Module 2 / Module 3 SCCs (EU 2021/914) for cross-border transfers. UK International Data Transfer Addendum for UK Personal Data. Sub-processor list maintained in DPA Annex 1.
COI naming the client as Additional Insured (where commercially available) issued by Hiscox within 24 hours of contract signature. Provided on request at any time during the engagement.
Engagements in regulated environments (HIPAA, SOX, FedRAMP, GDPR, CCPA, PCI-DSS, ISO 27001) supported. Compliance documentation pack included in Custom-tier engagements; available as add-on for Standard / Enterprise tiers.
The complete list of measures from Annex 3 of our DPA. Reviewed and updated periodically.
Access control
SSO with multi-factor authentication on all admin systems (GitHub, Vercel, Google Workspace, Slack, Anthropic Console). FIDO2 hardware security keys for admin accounts. Quarterly access reviews. Encrypted laptops with full-disk encryption.
Secret management
API keys and credentials stored in encrypted secret managers (Google Secret Manager, Vercel encrypted environment variables, GitHub Encrypted Secrets). Never committed to repositories. Rotation on personnel change.
Code review & deployment
No direct-to-prod commits. Source code reviewed before deployment. Static analysis + dependency scanning on every build. Open-source components license-vetted; CVE alerts monitored.
Source code custody
During an engagement, code lives in Green Dolphin's GitHub Organization. On delivery acceptance, repositories transfer to the client's GitHub Org (or a client-owned archive with full commit history) — full IP transfer.
Data in transit + at rest
TLS 1.2+ for all data in transit. Provider-managed encryption at rest (GitHub, Google Workspace, Slack). Production credentials separated from development; tested with non-production data wherever possible.
Personnel
Background checks on personnel handling client data. Confidentiality agreements signed before any client data access. Annual security awareness training.
Incident response
Documented incident response process. 48-hour client notification SLA on confirmed Personal Data Breach. Post-incident root-cause analysis shared with affected client within 30 days.
Audit support
Once per twelve-month period, clients (or third-party auditors bound by confidentiality) may audit Green Dolphin's compliance with the DPA. Standard SOC 2 / ISO 27001 attestations from sub-processors are passed through where applicable.
Per our DPA, the following sub-processors may handle Personal Data on a client's behalf in the course of providing Services. Clients are notified of new sub-processors at least 30 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting (greendolphin.ai) | USA |
| Resend (Easymail Inc.) | Transactional email — intake form submissions | USA / EU |
| Anthropic, PBC | LLM API for the chatbot on greendolphin.ai | USA |
| Google LLC (Workspace) | Email (max@greendolphin.ai), Calendar, Drive | USA / EU |
| Slack Technologies, LLC | Slack Connect channels for client engagement communications | USA |
| GitHub, Inc. | Source code repositories during engagement | USA |
Email max@greendolphin.ai with your request — Certificate of Insurance, MSA template, DPA template, security questionnaire response, or signed NDA. Standard turnaround within one business day.
Six-step intake. Fixed-bid SOW returned in 3 business days. $25K floor, $25K increments.