Security

Last updated: March 2026

1. Data Handling & Privacy

Your data is used solely to deliver the contracted project — nothing more.

  • We do not sell, share, or broker client data under any circumstances
  • Credentials, API keys, and sensitive configuration are never committed to version control — all secrets are managed via environment variable injection
  • Data shared during discovery or the engagement is retained only as long as necessary to complete the project
  • Confidentiality obligations are defined in our Terms of Service — we are happy to execute a separate NDA before any scoping conversation if preferred

2. Infrastructure & Access Controls

Client projects are deployed on reputable cloud platforms with independently audited infrastructure.

  • Hosting platforms (Vercel, AWS, GCP) provide SOC 2-compliant infrastructure — compliance at the platform layer is their responsibility; we select platforms that meet it
  • VARYN staff access to production systems is limited to the minimum required for the active engagement
  • Deployments use CI/CD pipelines with branch-based preview environments — no manual pushes to production without a reviewed pull request
  • All code repositories are private; access is revoked at project close
  • SSH keys and deploy tokens are rotated at engagement end

3. Incident Response

If a security incident affects a client project under active engagement, we commit to:

  • Notifying the client within 24 hours of discovery
  • Delivering a root cause summary within 5 business days of resolution
  • Working with the client to remediate and prevent recurrence before resuming normal development

For hosted projects under a support retainer, uptime and response time commitments are defined in our Service Level Agreement.

4. Our Approach

VARYN is a boutique engineering firm, not a Fortune 500 enterprise with a dedicated security team. We do not claim certifications we have not earned. What we offer is disciplined practice: careful credential handling, minimal attack surface, and a commitment to transparency when something goes wrong.

Our “one client at a time” model means your project receives our full attention. There is no shared-tenant risk from other engagements — when we are working with you, you are the only client we are working with.

Have questions about our security practices? We are happy to discuss — schedule a call and we can walk through anything that matters to your procurement process.

Schedule a Call