Security & AI Use

Security posture

Client data is handled with confidentiality and care. Security practices depend on the engagement scope and can be strengthened further for regulated or higher-sensitivity contexts.

Data handling

• Access is requested only when needed.
• Production access is avoided unless necessary.
• Secrets must be shared through secure channels, not email or chat.
• Public browser configuration such as the GTM container ID is treated separately from server-only secrets such as SMTP credentials or database paths.

Public website delivery

The public website is served over HTTPS. Production infrastructure is configured so public traffic is handled through the deployment edge before reaching the application runtime.

AI-assisted work policy

• AI tools are not used with confidential client data unless explicitly agreed.
• AI-assisted code is reviewed, tested, and treated as untrusted until validated.

Code review and quality

Every deliverable is reviewed against the agreed outcome, tested appropriately, and documented clearly enough to support handover and future maintenance.

Confidentiality

Client IP and confidentiality are respected. Any public proof or examples are kept deliberately conservative and anonymised unless explicit approval exists.

Client responsibilities

The best outcomes happen when access, context, priorities, and constraints are shared clearly. Secure ways of exchanging credentials, samples, or production details should be agreed early rather than improvised later. Public trust pages stay intentionally high level; implementation detail beyond that should be covered during the engagement when it materially affects delivery or risk.