Security & Compliance

Enterprise clients and regulated industries require more than good code. They require proven security practices, clear data handling policies, and documented compliance support. Here's ours.

Data Security Standards

Code & Repository Security

  • All code stored in private, access-controlled repositories (GitHub/GitLab)
  • Branch protection rules enforced on all client repositories
  • Secret scanning enabled — no credentials ever committed to version control
  • Dependency vulnerability scanning on every PR (Dependabot / Snyk)

Infrastructure Security

  • Infrastructure as Code (Terraform) — all environments reproducible and auditable
  • Secrets managed via AWS Secrets Manager / HashiCorp Vault — never in config files
  • Network access controlled via VPC, security groups, and least-privilege IAM policies
  • All data in transit encrypted (TLS 1.2+)
  • All data at rest encrypted (AES-256)

Application Security

  • OWASP Top 10 mitigations applied by default on every project
  • Input validation and sanitisation at all API boundaries
  • Rate limiting and DDoS protection (Cloudflare / AWS WAF)
  • Authentication via industry standards (OAuth 2.0, JWT, MFA support)
  • SQL injection prevention via parameterised queries / ORM best practices
  • Regular dependency audits (monthly)

Compliance Support

GDPR (EU)

We design data architectures with GDPR principles from day one: right to erasure, data minimisation, consent management, and data processing agreements (DPAs) ready to sign.

HIPAA (US Healthcare)

For HealthTech clients we implement HIPAA-compliant architectures, including PHI encryption, audit logging, BAA support, and access controls.

PCI-DSS (Payments)

For payment-processing products we use tokenisation (Stripe, Braintree) to minimise PCI scope and avoid storing raw card data.

SOC 2 Readiness

We can structure your infrastructure and logging practices to support your SOC 2 Type I/II audit — including access controls, change management, and availability monitoring.

Our Standard Agreements

  • NDA — Signed before discovery begins. No exceptions.
  • Code Ownership — 100% of code transfers to client on delivery. No vendor lock-in.
  • Data Processing Agreement (DPA) — Available on request for GDPR-regulated clients.
  • Non-Solicitation Agreement — Available for clients concerned about team poaching.

Responsible Disclosure

Found a vulnerability? Email security@inventiple.com.

We acknowledge within 24 hours and patch critical issues within 72 hours.

Questions about our security practices?