Loading
Loading
Every collaboration runs on the same six pillars — security, NDAs, data privacy, QA gates, infrastructure, and the named bench. Written into the scope you sign, mutual on both sides, audit-ready from day one.
93
Controls mapped to ISO 27001:2022
6h
Backup cadence on production data
30
Day DSAR response target
25+
Specialists on the named bench
We operate our production environment to a control model aligned with ISO 27001:2022 and the SOC 2 Trust Services Criteria — continuous logging, encrypted storage, quarterly user-access reviews, a documented incident response plan, and a vendor-risk register reviewed every six months. The four control families that do the most work are below.
Every engagement starts with a mutual non-disclosure agreement before project-specific information is shared. We accept your template or send our own — a two-page mutual NDA covering confidentiality, permitted disclosures, term, and survival. Signature usually lands within 24 hours, often the same working day.
01
Step 01
You write in. We do not ask for project specifics yet.
02
Step 02
Your template, or ours — mutual, two-page, plain language.
03
Step 03
Counter-signed same working day in most cases.
04
Step 04
Project specifics flow under signed confidentiality.
Sample mutual clause
Verbatim from clause 4 of our standard mutual NDA. Identical obligations on both sides — we apply the same care to your material that you apply to ours.
Each party will hold the other's Confidential
Information in strict confidence, restrict access to
the individuals named on the Engagement Schedule,
and apply the same standard of care it applies to its
own confidential information — and no less than a
reasonable standard.
We process client data under data-minimisation principles, aligned to whichever regulatory regime fits the engagement. The matrix below shows how the three we cover most often differ in practice — same posture, different obligations.
European Union
GDPR
India
DPDP
United States
HIPAA
Every deliverable passes layered QA before it ships. The model is the same across practices — automated checks first, human review at the sign-off gate — but the specific gates are tuned to what each practice produces. We do not ship on a "probably fine" verdict; we ship after a named specialist has put their initials against the deliverable.
4 gates
4 gates
4 gates
4 gates
Edge cases — anything the gate flags as low-confidence — route to a senior reviewer with sign-off authority. Their initials, on the per-item log, are the last word. No ambiguity about who shipped what.
Paper records arrive at a secure intake facility. Digital production runs on a multi-region cloud with locally redundant storage. Backups land in a geo-redundant archive every six hours. Every administrative action — login, export, schema change — is captured in an immutable audit log retained for seven years post-engagement.
Secure facility
Multi-region
Geo-redundant
Recovery + retention objectives
4h
RTO — production env.
1h
RPO — actively edited
30d
Point-in-time recovery
7yr
Audit log retention
A bench of 116 specialists across five disciplines, plus project managers who own the named-lead role on every engagement. We staff each brief with people whose names appear on your scope; we do not pool work across projects, and we do not hand off mid-flight. If a named specialist becomes unavailable, we tell you before the next standup — not after.
Bench composition
Headcount
Standards, retention, named bench, sign-off gates — spelled out in the engagement scope so there is no ambiguity later.
Begin a brief