ArchCode
Trust & Transparency

Security & Access

Delivery work requires trust. This page explains how we handle access, secrets, and data when working with your systems.

Access control

  • We request the minimum access needed to complete the agreed scope — no more
  • We create separate named user accounts or service accounts where possible (not shared credentials)
  • Access permissions are documented and agreed before any work begins
  • All access is removed when the project closes

Secrets and credentials

  • Secrets are never committed to version control under any circumstances
  • We use your preferred secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.) or a secure approach agreed in writing
  • Where secrets are rotated as part of the project, we document and coordinate the rotation with you
  • We do not store your credentials outside of your own systems

Auditability and change control

  • All infrastructure and configuration changes happen via pull requests where possible, providing a review trail
  • We document what was changed, why, and the rollback approach for each significant change
  • Progress and changes are tracked in a shared board visible to your team throughout the engagement

Data handling

  • We only access the systems and data needed for the agreed scope
  • We do not copy, transfer, or retain production data unless explicitly agreed in writing and required for the work
  • Any data accessed during the engagement is treated as confidential

NDA and confidentiality

  • We are happy to sign an NDA before any access is shared or detailed information is discussed
  • If you need an NDA, reply to our confirmation email or mention it on the fit call — we will arrange it before proceeding
  • All client information is treated as confidential regardless of whether a formal NDA is in place

Project close

  • At the end of every engagement, we remove all access granted during the project
  • Secrets or credentials used during the engagement are rotated where appropriate
  • A close-out checklist is completed and shared with you confirming all access has been removed

Questions about security?

If you have specific security requirements or procurement questions, get in touch and we will address them before any work begins.

Get in touch