Security & Compliance

Security by design.
Compliance by default.

We don't just build systems for clients — we operate them in production. That means your data, your compliance, and your uptime are our direct responsibility. We treat that trust as an engineering requirement, not a checkbox.

Compliance status

GDPR Compliant: DPA available on request (Active)
NDA-First Process: digital signing in under 5 minutes (Active)
SOC2-Aligned Practices: certification on the roadmap (Active)
Cloudflare WAF: DDoS and threat protection (Active)
TLS 1.3 Encryption: all endpoints (Active)
Data Residency: US, EU, IN (Available)

Security controls

Encryption in Transit & at Rest

All client data is encrypted in transit with TLS 1.3 and at rest with AES-256. Sensitive information is never stored in plaintext.

NDA-First Engagement

Every engagement begins with a signed mutual NDA before any architecture, data, or code is shared. Our digital NDA portal ensures this is completed in under 5 minutes.

Data Residency Options

We deploy client systems on AWS, GCP, or Azure with configurable data residency. US, EU (Frankfurt/Ireland), and IN (Mumbai) regions available on request.

Access Control & Least Privilege

Production system access is role-based and scoped to minimum required permissions. All access is logged. Credentials are rotated on a per-engagement basis.

GDPR-Compliant Data Handling

We act as a Data Processor under GDPR. A signed Data Processing Agreement (DPA) is available for all EU/UK engagements. We never share client data with third parties without explicit written consent.

Incident Response

Confirmed security incidents are communicated to affected clients within 4 hours of discovery. We maintain a written incident response runbook for all production systems we operate.

Secure engineering practices
Secure code review on every pull request before merge
Static application security testing (SAST) integrated in CI/CD
Dependency vulnerability scanning on every build
No client credentials stored in version control — secrets managed via environment vaults
Separate development, staging, and production environments for all client systems
Infrastructure as Code (IaC) — all infrastructure is auditable and reproducible
Penetration testing available on request for regulated-industry engagements
SOC2 Trust Service Criteria-aligned engineering practices
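The version-control rule above is the one most easily enforced mechanically. Here is an added example of the kind of guard that does it in a pre-commit hook or CI step; it is illustrative code written for this page, not the company's own tooling. It scans only the lines a change adds (so removing an old secret does not block the commit), and it assumes a unified diff on stdin (for example from git diff --cached), a few illustrative rule patterns, and a "# pragma: allowlist secret" marker for known placeholders. The sample diff is constructed, and the AWS key in it is the AKIAIOSFODNN7EXAMPLE placeholder from AWS documentation, not a live credential.

```python
"""Pre-commit / CI guard: refuse a change that adds credential-looking literals.

Added example, not the page's or the company's own code. Only '+' lines of a
unified diff are checked; a '# pragma: allowlist secret' marker suppresses a
known placeholder. Rule patterns, the marker text and the sample diff are
assumptions made for this illustration.
"""
import re
import sys
from dataclasses import dataclass

ALLOWLIST_MARKER = "pragma: allowlist secret"

# Each rule: name -> compiled regex applied to a single added line.
RULES = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 upper/digit chars
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # PEM header of any private key type
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    # keyword = "literal of 8+ non-space chars". An env lookup such as
    # os.environ["DB_PASSWORD"] is not a quoted literal after '=', so it passes.
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"
    ),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int  # line number in the *new* version of the file
    rule: str
    text: str


def scan_line(text: str) -> list[str]:
    """Return the names of all rules that match one added line."""
    if ALLOWLIST_MARKER in text:
        return []
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff, checking only the lines the change adds."""
    findings: list[Finding] = []
    path = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            path = None if target == "/dev/null" else target.removeprefix("b/")
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))  # first new-file line of this hunk
            continue
        if path is None or not raw:
            continue
        tag, text = raw[0], raw[1:]
        if tag == "+":
            for rule in scan_line(text):
                findings.append(Finding(path, new_line, rule, text.strip()))
            new_line += 1
        elif tag == " ":
            new_line += 1
        # '-' lines belong to the old file: no new-file line consumed, not scanned
    return findings


# Constructed sample diff. The AWS key is the AKIAIOSFODNN7EXAMPLE placeholder
# from AWS documentation, not a real credential.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,2 +10,5 @@
 DEBUG = False
-DB_PASSWORD = "hunter2"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = "sk_live_0123456789abcdef0123"
+TEST_PASSWORD = "not-a-real-password"  # pragma: allowlist secret
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(key material omitted in this constructed sample)
+-----END OPENSSH PRIVATE KEY-----
"""


def main(argv: list[str]) -> int:
    """Scan stdin when invoked as `... | python guard.py -`, else the sample."""
    diff = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_DIFF
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.text}")
    return 1 if findings else 0  # non-zero exit blocks the commit / fails the job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on the sample it reports the AWS key on config/settings.py line 12, the token literal on line 13 and the private-key header on deploy/id_rsa line 1, while the line that moved the password into an environment lookup and the allow-listed placeholder pass. The line numbers come from the hunk headers, so the report points at the new file, not at diff offsets. Wire it as `git diff --cached | python guard.py -` in a pre-commit hook; in CI, diff against the target branch instead.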

Data Processing Agreement

DPA available on request.

For EU/UK engagements, we provide a signed Data Processing Agreement in accordance with GDPR Article 28. It covers sub-processor disclosure, data subject rights, breach notification, and cross-border transfer safeguards.

Non-Disclosure Agreement

NDA signed before day one.

Every engagement begins with a mutual NDA signed through our secure client portal. No architecture, codebase, or data is reviewed until the NDA is executed. Signing takes under 5 minutes.

Vulnerability Disclosure

Responsible disclosure policy.

If you discover a security vulnerability in our systems or in systems we operate on behalf of clients, please report it to support@algobain.com. We acknowledge all reports within 24 hours and commit to resolving confirmed vulnerabilities within 72 hours.