Security & Data Handling
We work with protected health information under formal Business Associate Agreements. If your project involves PHI — patient records, claims data, clinical notes, or any data covered under HIPAA — we'll execute a BAA before any data is shared.
We don't treat BAA execution as a bureaucratic checkbox. We understand what the agreement requires and operate accordingly: minimal data retention, no secondary use of client data, access limited to what the project requires, and prompt notification if anything goes wrong.
We process data in the United States by default. If your organization requires data to remain within a specific region or cloud environment, we'll work within those constraints from the start of the engagement.
We do not maintain long-term storage of client data after project delivery. Source data, intermediate outputs, and credentials are deleted or returned at project close unless we've agreed to an ongoing support arrangement with defined retention terms.
We follow least-privilege access principles on every engagement. We request only the permissions necessary to complete the work — read-only where possible, scoped credentials where not. We don't request admin access to production systems unless absolutely required, and we document every access point we touch.
Credentials are stored in environment variables or dedicated secret management tools, never in code repositories. At project close, we provide a list of all credentials and access points so your team can revoke them cleanly.
When AI or LLM components are part of a project, we apply additional scrutiny to data handling. We do not send personally identifiable information or protected health information to third-party AI APIs without explicit client authorization and a review of the vendor's data processing terms.
For sensitive environments, we scope AI work to use de-identified or synthetic data during development and testing. Where possible, we prefer locally hosted or enterprise-tier AI services with contractual data processing protections. We'll document the AI data flow for every engagement that involves it.
We're happy to answer security and compliance questions before the scoping call. Describe your environment and we'll tell you what we can accommodate.