50% off - July See services
Gabe Giro

Security & Trust

How I handle your code, data, and access

I am one senior engineer, not an audited enterprise, so I will not wave certification badges I do not hold. Here is the honest version: the practices I actually follow on every engagement.

Contracts & IP

We work under a signed contract

  • Every engagement starts with a written agreement before any work begins. No handshake-only builds.
  • I sign an NDA on request, and I am happy to work under yours or provide a simple one.
  • Your code and your IP stay yours. What I build on your dime belongs to you, assigned in the contract.

Access

Least-privilege, time-boxed access

  • I ask for the narrowest access that lets me do the job, and read-only wherever the work allows it.
  • For integrations I prefer read-only OAuth scopes over full-account credentials.
  • Repo and environment grants are time-boxed to the engagement and revoked when we wrap up.

Secrets

Secrets hygiene

  • Credentials never get committed to a repo, and they never get pasted into a chat or ticket.
  • Secrets live in a private store or environment variables, kept out of source control.
  • 2FA is on for the accounts I use, and my work machines run full-disk encryption.

Development

Secure development

  • Reviewing dependencies and the security surface is a standard part of my code-review service, not an upsell.
  • I do not push your data through unmanaged third-party services without your consent.
  • When I build with agentic tooling like Claude Code, the same access and secrets rules apply to it as to me.

Data

Data handling

  • I collect the minimum data needed to do the work, and nothing "just in case".
  • Client data is not retained beyond the engagement unless we agree to it in writing.
  • I am based in Europe (Zagreb, Croatia) and work with GDPR expectations in mind.

Disclosure

Responsible disclosure

  • If you spot a security concern in something I built or maintain, tell me and I will act on it quickly.
  • Reach me through the contact page and flag it as security so it gets priority.
  • No blame for good-faith reports. The goal is to fix the issue, not to find fault.

What I do not claim

You will not find SOC2, ISO 27001, HIPAA, or pen-test certification badges on this page, because I do not hold them and I will not pretend otherwise. If your project genuinely requires a formal certified process, I will tell you straight and help you find the right setup rather than overstate what a solo contractor can offer. For most builds, the practices above are what actually protects your work.

Security questions

Are you SOC2 or ISO certified?

No. I am a solo senior engineer, not an audited organization, so I will not claim certifications I do not hold. What I offer instead is a clear, honest set of practices around contracts, access, secrets, and data, and I am happy to walk through any of them on a call.

Will you sign my NDA?

Yes. I sign a client NDA on request and can also provide a simple mutual one if you prefer. Work only starts once the agreement and NDA are in place.

What happens to your access when the engagement ends?

Repo, environment, and integration access is time-boxed to the work and revoked when we wrap up. Client data is not kept beyond the engagement unless we have agreed to it in writing.

How should I report a security concern?

Use the contact page and mark the message as security so it gets priority. I treat good-faith reports without blame and act on them quickly.

Have a security question before we start?

Book a call. Ask me anything about access, secrets, or how your data gets handled, and I will give you the honest answer.