    Security & Compliance

    Security posture for enterprise engagements

    Enterprise buyers need concrete answers before the first line of code is written. This page is the short version — full policies, DPAs, and BAAs are available under NDA during procurement. If your RFP or security review questionnaire needs detail beyond what's here, write to info@tekpiq.com and we'll respond within one business day.

    Core controls

    Data handling & confidentiality

    Mutual NDAs are standard at the start of every engagement, covering commercial, architectural, and operational information. Client data is segregated per project and never used for training, benchmarking, or any purpose outside the scope agreed in writing.

    IP assignment & code ownership

    All source code, artifacts, and derivative works are assigned to the client on delivery. We use clean-room practices to avoid inadvertent contamination from other engagements, and we document provenance for any third-party or open-source code we introduce (with license compatibility review).

    Personnel vetting

    Every engineer who touches client code is a direct employee or long-term contractor — no anonymous marketplace sourcing. We background-check new hires, and client-facing engagements include identity verification of the engineers involved.

    Access control

    Production credentials are never shared by email or chat. We use the client's preferred secrets manager (1Password, AWS Secrets Manager, HashiCorp Vault, or equivalent), and enforce least-privilege scopes. MFA is required on every account we hold that can reach client systems.

    Secure SDLC

    Code review on every PR, dependency scanning in CI, secrets scanning pre-commit, and automated testing gates before merge. We maintain a lightweight threat model per project and revisit it at each major release.

    Incident response

    If we suspect a security incident affecting your systems, we notify you within 24 hours with what we know so far, and collaborate on containment and disclosure. We keep a runbook per client with escalation contacts and comms channels agreed up front.

    Compliance engagements

    We've built software for regulated domains (financial services, healthcare, access control) and are comfortable working inside your HIPAA, PCI-DSS, or GDPR compliance envelope. We'll sign BAAs, DPAs, and standard contractual clauses as required.

    Data residency & transfers

    For EU-based clients we support keeping data and hosting within the EU and will contract under GDPR-appropriate standard contractual clauses for any cross-border transfers. We don't offshore work to jurisdictions without adequate data protection.

    Certification roadmap

    We document what we're already doing and where we're going — never the other way around. The list below reflects our current state. We'll update this page whenever status changes.

    • ISO 27001 Information Security Management System (status: in progress). Gap analysis completed; implementing management system controls. Target external audit: to be announced once scoped.

    • SOC 2 Type 1 (status: planned). Planned once ISO 27001 controls are in steady-state operation.

    Procurement & legal

    We work with standard enterprise procurement processes. Typical artifacts we're comfortable completing: security questionnaires (SIG Lite, CAIQ), DPAs, BAAs, supplier-specific MSAs, and custom addenda. If your procurement pack includes anything unusual, send it over and we'll flag anything we can't commit to before the contract stage.