How we handle your data, your code, and your access.
We’re a small studio without a compliance team. We compensate with simple, defensible practices, written into how every engagement runs — and we’re honest about what we don’t have.
Code, IP, credentials, data — yours.
The single biggest difference between us and a typical agency: when an engagement ends, you have everything you need to keep going without us.
Code: delivered to your repo, your accounts, your infrastructure — not ours. We work in your GitHub, your cloud, your domain from day one.
IP: assigned to you in writing as part of every SOW. No carve-outs, no shared-ownership clauses, no license-back to us.
Credentials: rotated to you at handoff. Anything we held during the engagement is deleted from our password manager and personal devices once the work is signed off.
Data: stays in your environment. We don’t ingest your production data into anything we run, train on, or share.
Least access, time-bound, written down.
Least-privilege by default
We ask for the minimum access required to ship. Read-only first, write when the work demands it, admin only when there’s no other way.
Time-bound credentials
Where the platform supports it (cloud IAM, GitHub apps, scoped tokens), credentials are issued for the engagement window and expire automatically.
Shared secrets in 1Password
Anything that needs to move between us and you lives in 1Password (or your equivalent). No plain-text secrets in chat, email, or tickets.
Hardened personal devices
Full-disk encryption, screen lock, and auto-update enforced on every machine that touches your code. Personal accounts are not permitted on engagement work.
Pre-commit secret scanning
Secret scanners run on every commit before it leaves a developer machine. Your secrets do not end up in our git history.
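As an added illustration of the kind of check described above (example code, not the studio's own hook and not any named scanner): a minimal pre-commit secret scanner in Python that inspects the lines about to be committed for a few well-known secret shapes and exits non-zero when it finds one. The pattern set, the `# allow-secret` opt-out marker, and the sample input are assumptions made for this example; the AWS access key id in the sample is the placeholder value from AWS's own documentation, not a live credential.

```python
"""Minimal pre-commit secret scanner (illustrative example, not production tooling).

Scans text that is about to be committed for a few well-known secret shapes and
reports each finding with its line number. Wired into .git/hooks/pre-commit it
runs against the staged diff, so a hit blocks the commit before it leaves the
developer machine.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Patterns are kept narrow to hold false positives down. All of them describe
# publicly documented token formats; none is a key from any real system.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # Catch-all: a secret-looking variable assigned a long literal value.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{20,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    line: str


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) match, in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Explicit, reviewable opt-out for documented test fixtures (assumed marker).
        if "# allow-secret" in line:
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(kind, line_no, line.strip()))
    return findings


def staged_added_lines() -> str:
    """Return only the '+' lines of the staged diff: the content that would leave the machine."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    return "\n".join(
        l[1:] for l in out.splitlines() if l.startswith("+") and not l.startswith("+++")
    )


# Constructed sample of what a staged change might contain.
# The key id below is AWS's documented example value, not a real credential.
SAMPLE = """\
DATABASE_URL = os.environ["DATABASE_URL"]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-----BEGIN RSA PRIVATE KEY-----
api_key = "sk_test_placeholder_not_a_real_key_000000"  # allow-secret
"""


if __name__ == "__main__":
    # `--staged` scans the real staged diff; without it the constructed sample is scanned.
    text = staged_added_lines() if "--staged" in sys.argv else SAMPLE
    hits = scan_text(text)
    for f in hits:
        print(f"{f.kind} at line {f.line_no}: {f.line}")
    sys.exit(1 if hits else 0)
```

Run against the constructed sample, the scanner reports the AWS key id on line 2 and the private-key header on line 3, and skips the opt-out line; the first line, which reads the value from the environment, is clean. A scanner like this is a last line of defence on the developer machine, not a substitute for scoped, short-lived credentials and for server-side scanning in the repository host.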
Honest beats aspirational.
The credibility of this page is in the negative space. If you need any of the below, tell us on the first call and we’ll help you figure out whether we’re the right fit.
No SOC 2, ISO 27001, or HIPAA
We don’t hold any of these certifications. If your buyer or auditor requires a certified vendor, we’re probably not the right fit — and we’ll tell you that on the first call instead of trying to white-knuckle through.
No enterprise cyber liability coverage
We don’t carry cyber liability insurance at the levels enterprise procurement teams typically require. Ask before assuming we can sign your standard E&O addendum — sometimes we can negotiate the terms, sometimes we can’t, and we’d rather know up front.
No long-running production for you
We build, hand over, and stay reachable for support. Your operations live on your infrastructure under your team’s ownership — we aren’t a managed-services shop and we don’t want to become one inside your stack.
The paper trail you’d expect.
Yours or ours. Either is fine. Mutual is the default.
Every engagement runs under a written SOW. Scope, fee, timeline, and IP assignment are all spelled out before work starts.
We sign your MSA after a real read. Reasonable indemnification, mutual confidentiality, capped liability — happy to negotiate. We don’t rubber-stamp.
If your business needs a Data Processing Agreement, send it over. We’ll review yours rather than push you onto a generic template.
What runs in our shop.
We keep the list short on purpose. Everything below is named so you can run it past your own security team before we sign.
Source control and CI for engagement work. Your repository, your organization, your branch protection rules.
Common deployment defaults. The engagement decides where things actually run, and the accounts are yours.
OpenAI, Anthropic, or similar — only when an engagement uses one. The model and provider are agreed up front, and the API keys are configured in your account, not ours.
We don’t pipe your data into third-party analytics tools or AI training pipelines. If any tool is in the loop, it’s named in the SOW.
Operator-level, not enterprise SOC.
Response window
We respond within 1 business day to security concerns reported to ryan@shiftdevstudio.com.
Discovery disclosure
If we discover a security issue in code we delivered, we tell you within 1 business day of discovery — even if we caught it ourselves and already have a fix in flight.
No 24/7 SOC
We don’t run a 24/7 security operations center. If you need one, that’s your in-house team or a managed SOC vendor — and we’ll happily build with that vendor in the loop.
Ask before you sign.
If something here is unclear, or your procurement team needs more detail, email ryan@shiftdevstudio.com or book a 30-minute call. We’ll give you a straight answer.