We'd rather work inside your house than move your data into ours.
We prefer to do our work inside your environment, on infrastructure you own and control, and we work hard to make that happen. When your code and data stay behind your security boundary, they stay governed by your rules: your access controls, your logging, your retention. We don't become a second copy of your risk sitting somewhere you can't see.
So the first question on an engagement usually isn't how we'll secure the data we take from you. It's whether we need to take it at all. Most of the time, we don't.
Where AI tools enter the picture, the data rules get more specific. What's allowed near them, and what never is, all lives on our AI governance page.
The boring controls, and yes, we actually run them.
None of this wins an award. Full-disk encryption, endpoint security, single sign-on, multi-factor everywhere. It's table-stakes hygiene, which is exactly why it's worth saying out loud that it's in place and not optional for anyone who touches your work.
Full-disk encryption
Every machine that touches client work runs full-disk encryption, and managed devices can be remotely wiped if one is lost or stolen. A lost laptop is a hardware problem, not a client-data problem.
Endpoint security
Endpoint security runs on every machine that touches client work and stays current. If a device doesn't meet our security baseline, it doesn't touch client data.
Identity and access management
Single sign-on, multi-factor authentication, and device management across all team members and contractors, with no personal accounts touching client systems. We require two-factor on every SaaS product, rotate credentials on a defined cadence, and revoke access during offboarding when an engagement ends.
We also operate under internal privacy and security policies, the written kind people are actually expected to follow. Our public privacy policy and code of conduct live on the policies page.
When we do have to hold your data, fewer hands touch it.
Now and then an engagement genuinely requires us to take custody of production data, meaning the bits live on disks we control instead of inside your boundary. It's the exception, and we keep it rare on purpose.
When it happens, a defined policy decides who on our team is allowed near that data, and the list is short by design. Access goes to the people doing the work that needs it, and no one else. The rare case is the one we lock down hardest.
We'll sign the paperwork your industry runs on.
An NDA and a security addendum to the MSA are already in our standard contract package, so every engagement starts with confidentiality and security terms in writing. No special request required.
On top of that, when your industry carries its own required paperwork, we'll sign it. Here it is, by the rule that asks for it.
If your regulator names a document that isn't on this list, send it over. The answer is almost certainly yes.
What we hold today, and what we're still working toward.
We'd rather tell you the truth than imply a badge we haven't earned. Today, we don't hold SOC 2. We have plans to go through it, and realistically that lands in 2027, not sooner. Until then, what you get is the posture on this page: your data kept in your control, the basic controls actually running, and a tight rule for the rare time we hold anything at all.
We're working toward SOC 2 and won't claim it until it's real.