How we handle data, secure systems and meet the compliance requirements of regulated industries. Transparency is not a policy for us — it's how we work.
All production infrastructure is deployed on AWS/GCP with VPC isolation, encryption at rest (AES-256) and in transit (TLS 1.3), secrets management via AWS Secrets Manager / GCP Secret Manager, and automated vulnerability scanning on every deployment.
Role-based access control, MFA enforced for all staff accounts, principle of least privilege, SSO via Okta, and quarterly access reviews. Client environment access is logged and time-limited.
SAST and dependency scanning in every CI/CD pipeline, code review required before merge, no secrets in version control, and annual penetration testing by an external firm.
Client data is never used to train our models unless explicitly contracted. Data is deleted within 30 days of engagement end unless retention is agreed. We maintain data processing agreements (DPAs) with all clients that handle personal data.
We've built production systems under GDPR, HIPAA, FCA requirements, FINTRAC, India's DPDP Act and ISO 27001-aligned practices. We engage external legal counsel for regulatory scoping on each regulated-industry engagement.
We are currently implementing SOC 2 Type II controls with a target certification date of Q4 2026. ISO 27001 certification is on the 2027 roadmap. Clients requiring certification today can request our current security questionnaire.
We maintain a documented incident response plan reviewed quarterly. In the event of a security incident affecting client data:
To report a security concern, contact security@stringlab.org. We have a responsible disclosure policy for external researchers.