Security at Devmint.
How we protect client data, source code and operational systems. SOC 2-aligned controls, GDPR-aligned data handling, HIPAA-ready engagements.
1. Posture.
Devmint operates under SOC 2-aligned controls and is HIPAA-ready on request. We sign mutual NDAs, data-processing agreements, and HIPAA Business Associate Agreements where required. The team is GDPR-aligned for any data handling that touches EU or UK data subjects.
2. Access controls.
All Devmint engineers work under least-privilege access. Production access requires hardware MFA. Client repository access is provisioned per engagement and revoked when the engagement ends.
- Hardware MFA — YubiKey-only for all engineering and ops accounts.
- SSO — Google Workspace as the identity provider.
- Audit logs — every production access is logged and retained for 90 days.
3. Data handling.
Client production data never lives on Devmint infrastructure unless explicitly required by the engagement scope and authorised in writing. Source code lives in the client's repositories. Secrets are managed in the client's secret stores (Vault, AWS Secrets Manager, GCP Secret Manager).
4. Incident response.
Active engagements include 24/7 on-call coverage for Devmint-built systems. We respond to SEV-1 incidents within 15 minutes. We write a postmortem for every SEV-1 and SEV-2 incident and share it with the client within 5 business days.
5. Reporting a vulnerability.
If you have discovered a security issue affecting Devmint or any system we operate, please email security@devminttech.com. We acknowledge reports within one business day and respond with a remediation plan within five business days.