Will this affect how my platform works?

No, our security audit is non-invasive and does not affect your platform's functionality.

Will this affect my database(s) and existing data?

No, we only review your codebase and do not access or modify your databases or data.

Do I have to do the job?

No, you can choose to implement the recommendations yourself or hire us to do it for you.

Will you use AI or will it be real experienced professionals doing the job?

Real person with 15+ years of experience in web and internet security conducts the audit.

Can you copy my code or logic?

No, all code reviews are conducted under NDA with strict intellectual property protection protocols.

Security & Confidentiality Statement

Last updated: February 7, 2026

1. Our Commitment

At AuditCode, we understand that your source code and technical infrastructure represent your most valuable intellectual property. We are committed to maintaining the highest standards of security and confidentiality in handling your sensitive information.

2. Confidentiality Principles

All client information is treated as strictly confidential:

Source code and technical documentation
Business logic and proprietary algorithms
Infrastructure configurations
Security vulnerabilities discovered
Project scope and business relationships
Financial information and pricing

3. Non-Disclosure Agreement (NDA)

3.1 Standard NDA

All engagements include a mutual NDA as standard. This legally binding agreement ensures:

No disclosure of confidential information to third parties
Use of information solely for audit purposes
Return or destruction of materials after project completion
Protection extending beyond engagement termination

3.2 Custom NDAs

We are happy to sign your organization's NDA template if preferred. We review and typically accept reasonable confidentiality terms.

4. Technical Security Measures

4.1 Secure Code Access

Read-only access: We request minimum necessary permissions
Dedicated repositories: Isolated access per project
SSH keys: Encrypted authentication, no password sharing
2FA/MFA: Multi-factor authentication on all accounts
IP whitelisting: Restricted access from approved locations

4.2 Data Storage

Encryption at rest: AES-256 encryption for all stored code
Encryption in transit: TLS 1.3 for all data transfers
Secure workstations: Encrypted drives, security software
No cloud storage: Code kept on dedicated secure systems only
Offline backups: Encrypted, physically secured locations

4.3 Communication Security

Encrypted email: S/MIME or PGP for sensitive communications
Secure file sharing: Encrypted transfer protocols only
VPN access: When connecting to client systems
No public networks: Audit work only on secured networks

5. Team Access Controls

5.1 Need-to-Know Basis

Only team members directly involved in your audit have access to your code and information.

5.2 Background Checks

All team members undergo thorough background verification and sign individual confidentiality agreements.

5.3 Access Logging

All access to client code and systems is logged and auditable. Access is immediately revoked upon project completion.

6. Data Retention and Destruction

6.1 Source Code

Default policy: All source code and technical materials are securely deleted within 90 days of project completion.

Alternative arrangements can be made if you prefer immediate deletion or extended retention.

6.2 Audit Reports

Retention: Final audit reports are retained for 7 years for professional compliance and potential follow-up audits.

Reports are stored encrypted and access-controlled.

6.3 Secure Deletion

Data destruction follows industry standards:

Multi-pass overwriting of storage media
Cryptographic erasure of encrypted volumes
Physical destruction of retired hardware
Certificate of destruction available upon request

7. Vulnerability Disclosure

7.1 Responsible Disclosure

Security vulnerabilities discovered during audits are:

Reported only to you and your designated contacts
Never disclosed to third parties or publicly
Kept confidential indefinitely
Used only for your specific audit

7.2 Critical Vulnerabilities

For critical security issues, we provide immediate notification via secure channels and work with you on remediation timelines.

8. Compliance and Certifications

Our security practices align with:

UK GDPR requirements
ISO 27001 information security standards
SOC 2 trust principles
OWASP secure coding guidelines
NCSC (National Cyber Security Centre) guidance

9. Incident Response

In the unlikely event of a security incident:

Immediate notification to affected clients
Full investigation and root cause analysis
Detailed incident report provided
Remediation and prevention measures implemented
Regular security audits of our own systems

10. Professional Insurance

We maintain professional indemnity and cyber liability insurance to protect both our clients and our business.

11. Questions and Verification

We welcome questions about our security practices and are happy to:

Provide detailed security questionnaire responses
Participate in vendor security assessments
Discuss specific security requirements for your project
Provide references from previous clients

12. Contact

For security or confidentiality questions:

Email: contact@auditcode.co.uk
Website: auditcode.co.uk

← Back to Home