This page summarizes how we approach security, confidentiality, and procurement-driven reviews. It is informational and does not replace agreements signed for a specific engagement.

Contact for security & vendor reviews

Email security@odducksyndicate.com for security questionnaires, data processing agreements (DPAs), supplemental terms, or incident notifications related to services we provide to you.

Confidentiality & NDAs

We routinely execute mutual or one-way non-disclosure agreements before detailed discovery, architecture reviews, or access to client systems. Standard templates are welcome; we can mark up or propose balanced language for B2B work.

Data processing (DPA / GDPR-style requests)

Where we process personal data on your behalf as a processor, we can execute a Data Processing Agreement (DPA) that reflects the roles defined in your project agreement. Specific subprocessors and locations depend on the stack and hosting you approve for the engagement.

Vendor questionnaires

We complete security and procurement questionnaires (SIG, CAIQ-style, or custom Excel) based on our actual practices and the services in scope. Turnaround time depends on complexity; share your template and deadline when you open a request.

Operational practices (high level)

  • Least-privilege access to client systems and repositories; credentials and keys are not shared in plain text.
  • Separation of production and non-production environments where projects require it.
  • Dependency and patch strategy aligned with each client’s SLA and change windows.
  • Incident handling coordinated with your security team when we manage infrastructure or code under contract.

Certifications

We do not claim third-party certifications (e.g. SOC 2 Type II, ISO 27001) on this site unless we hold them and they are currently valid. If your program requires a specific attestation, ask; we can discuss roadmap, alternatives, or customer-specific controls.

Payments

Card and payment data for website payments are processed by Stripe. See Stripe’s security documentation and our Privacy Policy for how we handle related transaction metadata.