// trust & security
Trust, security, and compliance.
What our buyers verify before signing — consolidated, not buried in a legal page. NDA in 24 hours, vendor security questionnaires returned in 3 business days, written incident-response plan on file.
Compliance posture
We're honest about where we are versus where we're going. No certification we don't hold, no ambiguous wording.
Policies in place, evidence collection running. We return vendor packets in 3 business days. No claim of an active SOC 2 report — that's a roadmap item, not a current attestation.
Controls documented and aligned. We've supported clients through their own ISO 27001 audits. Not yet certified ourselves; honest about the distinction.
Argentine entity adheres to the EU adequacy framework. Standard DPA available; data-processing terms can be added to the MSA on request.
We've shipped FIPS-readiness work in production for client cryptographic services, including 17 power-on self-tests, KATs, and audit-trail evidence. Our HSM Enterprise has a FIPS 140-3 certification roadmap.
We've operated inside PCI-DSS-scoped systems for fintech clients — payment gateways, HSM migrations, ISO 20022 pipelines. We don't hold a PCI attestation ourselves; we've worked under our clients' attestations.
How we secure your code
Specific practices, not slogans. These are the contractual defaults; individual engagements may add controls on top.
- NDA returned signed inside 24 hours; we sign yours or send ours
- All work-product IP transfers to you on payment; written into every SOW
- Secrets stay in your vault — we never store production credentials in our infrastructure
- Signed Git commits; mandatory two-person code review on every PR
- Static analysis and dependency scanning (SAST + SCA) in CI on every change
- Dependency updates on a monthly cadence with regression testing
- No outbound data egress without explicit written approval; air-gapped engagements supported
- Incident notification SLA written into the MSA
People security
Who has access to your code, and how that access is controlled.
- Direct Craton employees; no subcontracted marketplace, no body-shop layers
- Background checks on every engineer before they touch a client repo
- Confidentiality clauses in every employment contract, surviving termination
- Hardware-backed MFA on every account that touches client systems
- Per-engagement access provisioning; revoked within one business day on offboarding
- Quarterly access reviews on long-running engagements
Frameworks we've delivered against
These are the regulatory frameworks our engagements have produced audit-ready evidence for, grouped by industry. They aren't certifications we hold — they're the standards your engagement will sit inside, and the ones we've operated under before.
Data residency and access
Where your code and data live, and who can touch them.
- Default: data stays in your infrastructure; we don't replicate production data to ours
- Cloud regions: AWS, GCP, Azure — pinned to the region your contract specifies
- Air-gapped engagements supported with on-prem-only access
- Access logs preserved for the engagement plus 90 days post-termination
- Offboarding revocation: SSO + repo + Slack + on-call within one business day
- On request: we'll route through your VPN or zero-trust gateway, not direct repo access
Incident response
Written plan, tested cadence, defined notification SLAs.
- Written incident-response plan on file; available to clients under NDA
- Notification SLA: 24 hours for confirmed security incidents touching your data
- Post-mortem delivered in writing within 5 business days of resolution
- Quarterly DR / IR exercises on long-running MSP engagements
- On-call rotation with documented escalation paths
- Client-side coordination: we plug into your IR process if you have one
// vendor security packet
Procurement asking hard questions?
Send us your security questionnaire — we typically return inside 3 business days, signed NDA on day one. Or talk to engineering directly: no sales-call gating on technical security questions.