Security

We work inside our clients' systems and data, so security isn't a checkbox for us. It's a condition of doing the job. Here's how we approach it.

Last updated · January 2026

Least-privilege access

We request the minimum access required to do the work, scoped to the specific systems involved, and we remove that access promptly when an engagement ends. Wherever a client supports it, we use named accounts, multi-factor authentication, and time-limited credentials.

Handling your data

We avoid moving production data unless it's necessary, and when we must, we prefer anonymized or sampled datasets. Client data is kept only as long as the work requires and is deleted on completion. We do not use client data to train models or for any purpose outside the engagement.

Confidentiality

Our engagements are confidential by default. We sign NDAs as a matter of course and describe our work publicly only in anonymized, non-identifying terms. Our team is bound by confidentiality obligations that survive the end of an engagement.

Secure delivery

We follow sound engineering practices in the software we build: dependency review, secrets kept out of source control, code review before release, and secure-by-default configuration. We document what we build so your team can operate and audit it after we hand it over.

Reporting a concern

If you believe you've found a security issue in something we operate or built, please contact us at info@foliotech.ca. We take every report seriously and will respond promptly.