Security & Trust

We treat your project like it's confidential.
Because it is.

We work in healthcare, fintech, and energy — sectors where security controls, IP ownership, and data handling are not checklist items. This page explains how we operate and what you can hold us to.

Confidential from the first conversation

Every engagement — from initial scoping call to final delivery — is treated as confidential. We do not disclose client names, project details, technical architectures, or business problems to third parties without explicit written consent.

We sign mutual Non-Disclosure Agreements before any substantive technical discussion. If you arrive without an NDA template, we use our standard form. We are comfortable signing yours. The conversation can start before the paperwork is complete — but the paperwork will be complete before we receive any sensitive data.

Your IP is yours. Completely.

All work product, code, designs, models, and documentation produced during an engagement are assigned to you on delivery. We retain no licence, reuse rights, or portfolio rights without your explicit written consent.

We use no proprietary Insoftex frameworks or internal libraries that would create dependency on us. Every deliverable is built to be maintained and extended by your team or any competent engineering partner after we finish.

Built for regulated environments

We work in healthcare, fintech, and energy — sectors where security controls are non-negotiable. Our team follows HIPAA-aware data handling practices by default, including minimum necessary access, no PHI in logs, and encrypted data at rest and in transit.

For financial clients, we design with PCI-DSS and SOC 2 controls in mind from day one — not as a retrofitted compliance layer. We include audit trail design, access controls, and incident response in our architecture reviews.

Regulated-industry requirements are discussed explicitly during our AI Readiness Assessment and documented in the architecture proposal before any production code is written.

Your data is not our training data

Client data — including samples shared for analysis, test datasets, or production data accessed during delivery — is used exclusively for the purpose of delivering the agreed engagement. We do not use it for product development, internal tooling, or AI model training.

Data shared with us is stored in encrypted form, access-controlled to the team members who need it, and deleted or returned at engagement close. We maintain a data handling log for each engagement on request.

When we use third-party AI APIs (OpenAI, Anthropic, Google, etc.) as part of your delivery, we configure them to opt out of training data programmes and document this in your architecture records.

Screened, senior, and accountable

Everyone who accesses client systems or data is a named member of our team — no anonymous contractors, no unvetted subcontractors. Team members working in regulated-industry engagements undergo identity verification and background screening.

Access to client infrastructure is provisioned per engagement and revoked on completion. We do not retain access to client systems, repositories, or environments after the engagement closes unless you explicitly invite us to.

We use hardware-enforced MFA across all internal systems and enforce encrypted disk storage on all engineer machines.

If something goes wrong, you hear from us first

In the event of a suspected or confirmed security incident that affects client data or systems during an active engagement, we notify you within 24 hours — before we have all the answers, not after we've investigated it quietly.

We maintain an incident response protocol that covers detection, containment, notification, and post-incident review. Client-specific contacts and escalation paths are confirmed at engagement start.

Ready to start a confidential conversation?

All project discussions are treated as confidential from the first contact. We sign mutual NDAs before any sensitive technical disclosure.