Yes—NDA is default. We execute a mutual NDA before deep technical discovery and share sensitive assets on a need-to-know basis.

The client owns all work product and derived IP upon payment. We may use approved OSS under permissive licenses; NOTICEs are preserved.

How do you handle data and access?

Least-privilege access via IaC, MFA, segregated environments, encryption in transit/at rest, PII separation, and clean offboarding. Secrets never live in code or long-lived CI variables.

Policies & Practices

Security & IP Protection

Straight rules. No ambiguity. Below is how we protect your IP, data, and uptime across every engagement.

Last updated: Apr 06, 2026

NDA by default

Client owns IP

Least-privilege access

Segregated environments

Encryption everywhere

Observability & SLOs

Explicit vendor approval

Clean offboarding

NDA is Default

Mutual NDA executed before deep technical discovery.
Need-to-know access to docs, repos, environments.

IP Ownership & OSS

Client owns all work product and derived IP upon payment (MSA + SOW govern).
Permissive OSS (MIT/Apache-2/BSD) may be used with explicit approval; NOTICE files preserved.
No copyleft dependencies introduced without written approval and legal review.
We maintain third-party attributions in a /NOTICE or /THIRD_PARTY file as applicable.

Access Control

Least-privilege IAM. Role-based access via IaC (Terraform/CDK), peer-reviewed changes.
Segregated dev/stage/prod accounts or environments; separate credentials and policies.
MFA required; keys rotated; no long-lived credentials in CI.
Secrets in managed stores (e.g., AWS Secrets Manager/SSM). Never in code or tickets.

Data Handling

PII logically separated; encryption in transit (TLS) and at rest (KMS/managed keys).
Data minimization in lower environments (masked or synthetic fixtures).
Audit logs retained; sensitive fields redacted at source or via processors.
Backups with tested restore procedures; RPO/RTO targets documented in runbooks.

Observability & Incidents

SLOs defined for availability/latency/error rate; dashboards and alerts routed to on-call.
Runbooks maintained; post-incident reviews with action items and ownership.
Change management via PRs, CI checks, and deployment approvals.

AI & Model Usage

No training of third-party models on client proprietary data without written approval.
RAG pipelines: content stays within approved storage; access enforced by app-level authZ.
Model/vendor selection documented (capabilities, regions, data retention, egress).
PROMPT/response logs scrubbed for PII/secret material before persistence (if any).

Vendors & Subprocessors

Typical vendors: GitHub (source), AWS (infra), Cloudflare/New Relic (if applicable). Additional vendors require prior approval, documented purpose, region, and data classification. Access scoped per environment.

Offboarding & Handover

Access revoked via IaC and SSO; tokens rotated; service users disabled.
Assets delivered: source code, infra state, design files, diagrams, runbooks, credentials via sealed channel.
Optional security/architecture review and knowledge-transfer session.

Company: MSCLOUDTECH OU (Estonia). Engagements governed by MSA + SOW. This document summarizes operational practices; contract terms take precedence where they differ.