Skip to main content

Security Policy

How we protect your data, code, and confidential information.

Last updated: June 2026

Security is foundational to our work. Whether we're reviewing your systems, writing code, or advising on architecture, we apply practical security controls to protect your data, code, and confidential business information.

Our Security Commitment

We treat your data and code as confidential by default. Confidentiality, integrity, and appropriate access control are part of every engagement.

Data Protection

Encryption

  • Data in transit is encrypted using HTTPS/TLS where supported by the platform
  • Data at rest is encrypted where supported by the storage or collaboration platform used
  • Client code repositories use SSH keys or secure HTTPS connections
  • Sensitive credentials are handled through secure vaults or approved client-controlled channels

Access Control

  • Principle of least privilege: access only to what's necessary
  • Multi-factor authentication is used for core team accounts where supported
  • Role-based or scoped access is preferred for client systems
  • Access is reviewed and revoked when engagements end or when it is no longer required

Data Retention

  • Client data is retained only as long as necessary for service delivery, records, or legal obligations
  • Source code and credentials are returned, transferred, or removed after engagement completion unless otherwise agreed
  • Operational records are retained only where needed for compliance, support, or business continuity
  • You can request deletion of eligible data through the privacy or support contact

Backup & Recovery

  • Important work in progress is backed up through approved repositories or secure collaboration platforms
  • Version control is used for code-based deliverables where applicable
  • Recovery expectations are defined by the engagement and the client's own operating environment
  • Client-owned backup and disaster recovery decisions remain under the client's control unless separately agreed

Secure Development Practices

When an engagement includes code, integration, or implementation work:

  • Code is reviewed for security-sensitive issues before delivery where applicable
  • Dependencies are reviewed for known risk where the scope includes dependency work
  • Secrets and API keys are never committed to version control
  • Security best practices follow OWASP guidelines
  • Infrastructure as Code (IaC), when included, is reviewed for common security misconfigurations
  • Specialist penetration testing can be scoped separately for critical applications

Confidentiality

Your business information, architecture diagrams, code, and strategic plans are confidential by default:

  • All team members sign NDAs before accessing client systems
  • Client projects are isolated from each other (no shared infrastructure)
  • We do not discuss your systems, challenges, or solutions publicly without permission
  • Case studies require explicit written consent
  • Communication channels use end-to-end encryption where possible

Infrastructure Security

Our own systems are managed with practical security controls:

  • Cloud infrastructure and site delivery use established providers where appropriate
  • Regular security patches and updates
  • Monitoring and access controls are applied to systems under our control
  • DDoS protection and web security controls are used where supported by the hosting layer
  • Development and production access are separated where applicable
  • Security reviews are conducted as the site and internal systems evolve

Third-Party Services

When we recommend or integrate third-party tools:

  • We evaluate their security posture and compliance certifications
  • We review their data handling and privacy policies
  • We prefer vendors with SOC 2, ISO 27001, or equivalent certifications
  • API keys and integrations use scoped permissions (not full access)

Incident Response

In the unlikely event of a security incident:

  • We will notify affected clients within 24 hours
  • Incidents are investigated, documented, and remediated immediately
  • Root cause analysis and prevention measures are implemented
  • We cooperate fully with any required regulatory reporting

Compliance

We consider applicable legal and security frameworks during advisory and implementation work, including:

  • India: IT Act 2000, DPDP Act 2023 (Digital Personal Data Protection)
  • International: GDPR (where applicable for EU clients)
  • Industry Standards: OWASP Top 10, CIS Benchmarks, NIST guidelines

Vulnerability Disclosure

If you discover a security vulnerability on our website or systems:

  • Email us immediately at [email protected]
  • Provide details about the vulnerability (steps to reproduce, impact)
  • Allow us reasonable time to investigate and fix the issue before public disclosure
  • We will acknowledge and respond within 48 hours

Your Responsibilities

Security is a shared responsibility. We ask that you:

  • Provide access credentials securely (never via email or unsecured channels)
  • Inform us immediately if credentials may have been compromised
  • Revoke access promptly when our engagement ends
  • Follow security recommendations we provide during audits or advisory work

Security Questions or Concerns?

If you have questions about our security practices or need to report a concern:

Security Team: [email protected]

General Inquiries: [email protected]

Privacy Matters: Privacy Policy