Security and compliance, designed in — not bolted on.
SOC 2 Type II-aligned controls. HIPAA-aligned HealthTech delivery. PCI-friendly FinTech architecture. AI workloads deployed into your cloud with private VPC and audit logging. Vendor questionnaires, NDAs and IP assignment handled by default.
- SOC 2
- HIPAA
- PCI
- 5 days
What we actually do — without the marketing fluff.
Access management
Every engineer on a customer engagement is provisioned via least-privilege IAM into the customer's repos, cloud accounts and tools. Access reviews quarterly. Off-boarding within 24 hours of role change.
Encryption
TLS 1.2+ in transit. AES-256 at rest. Customer-managed KMS keys when required by the engagement.
Audit logging
CloudTrail / Azure Monitor / GCP Audit Logs enabled by default on every deployed system. Logs retained 365 days minimum; longer under HIPAA or PCI.
Change management
All production changes via reviewed PR + CI. Two-person rule on production deploys. Rollback path documented for every change.
Incident response
24-hour acknowledgement on Sev 1 / Sev 2. Post-incident review within 5 business days. Status communications to client during active incidents.
Background checks
Engineers undergo background checks before engagement onboarding. HIPAA-aware additional checks for PHI-bearing engagements.
Available under NDA on request.
- SOC 2 Type II readiness report (interim, third-party assessor)
- HIPAA-aware engineering handbook excerpts
- Standard mutual NDA (US, UAE and India law variants)
- Standard MSA (California-law default; UAE-law and English-law variants on request)
- Incident-response playbook
- Vendor security questionnaire — SIG Lite, SIG Core, CAIQ on request
Need our security documentation?
Tell us which artefacts you need (SOC 2, HIPAA, SIG / CAIQ, MSA, NDA). We respond same business day with the appropriate package under NDA.
- 1. List your requirements: which framework, which questionnaire, which forms.
- 2. NDA + pack within 24h: mutual NDA, then the requested security artefacts.
- 3. Vendor call (optional): 30-min call with the security lead to walk through specifics.
- ✓ No sales pressure
- ✓ Reply in 24h
- ✓ NDA available
Frequently asked questions
Are you SOC 2 certified?
Our internal controls align with SOC 2 Type II — access reviews, audit logging, encryption at rest and in transit, change management, incident response. We are working toward formal certification; an interim report is available on request under NDA.
Can you work on HIPAA-regulated workloads?
Yes. We deploy customer data into your AWS / Azure / GCP account — not ours — with documented BAA-friendly architecture. Engineers sign HIPAA-aware NDAs before any PHI exposure, and the BAA is between you and your cloud provider.
PCI DSS for FinTech?
Yes. We don't host cardholder data ourselves; we integrate with Stripe / Adyen / Braintree-style processors and deploy PCI-friendly architecture into your account. PCI scope is minimised by design — we'd rather not be in scope at all.
Vendor security questionnaires (SIG / CAIQ)?
Yes. We've completed SIG Lite, SIG Core and CAIQ across multiple enterprise engagements. Turnaround is typically 5 business days.
Do you sign NDAs and assign IP?
Yes. Mutual NDA standard before any technical discussion. Full IP assignment to the client on engagement closeout — no carve-outs, no platform lock-in.
AI-specific security: data residency, model isolation?
We deploy LLM-based systems to your cloud with private VPC, role-based access, audit logging and customer-data-stays-in-region by default. We do not train or fine-tune on customer data without explicit written permission, and even then in a tenant-isolated environment.
