Security
Compliance & Regulatory Standards
HIPAA, GDPR, PCI DSS, SOC 2-aligned, Section 508 — built into the architecture from day one.
What compliance standards does Code and Trust support?
Code and Trust builds software compliant with HIPAA (healthcare data), GDPR (EU personal data), PCI DSS (payment card data), Section 508 (US government accessibility), and follows SOC 2 Type II practices for its own systems. Compliance is designed into the data model and access controls from the beginning of every engagement — not retrofitted after launch.
How does Code and Trust build HIPAA-compliant software?
HIPAA compliance requires technical safeguards: encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls with audit logs, automatic session timeouts, and Business Associate Agreements (BAAs) with all vendors handling PHI. Code and Trust has built HIPAA-compliant systems for 4 healthcare organizations, including patient intake, clinical documentation, and provider scheduling applications.
HIPAA Technical Safeguards We Implement
- BAA signed with all PHI-handling vendors (AWS, Neon, Vercel) before any PHI touches their infrastructure.
- PHI encrypted at field level where required — not just at the database level.
- Access logs retained 6 years as required by HIPAA — logs are append-only and tamper-evident.
- No PHI in application logs, error messages, or analytics pipelines.
- Data isolation per-practice: no shared data stores between separate covered entity engagements.
- Automatic session timeout (15 minutes of inactivity) on any interface that displays PHI.
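The following Python sketch is an added example, not Code and Trust's code, showing two of the safeguards above working together: PHI field values are redacted before an access event is recorded, and every entry is hash-chained to its predecessor so that a later edit or deletion of any entry fails verification. The PHI field names, actors and record IDs are constructed for the example; a real deployment would enumerate PHI fields from its own data model and anchor the chain head outside the writable log store.

```python
"""Tamper-evident, append-only audit log that keeps PHI out of the entries."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed for this example: field names treated as PHI and never written to the log.
PHI_FIELDS = {"patient_name", "dob", "ssn", "diagnosis", "notes"}

GENESIS = "0" * 64  # chain head for the first entry


def redact(event):
    """Copy of the event with PHI values replaced; stable identifiers are kept."""
    return {k: ("[REDACTED]" if k in PHI_FIELDS else v) for k, v in event.items()}


def _entry_hash(prev_hash, payload):
    """Each hash covers the previous hash, so rewriting or dropping an entry breaks the chain."""
    material = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


def append(log, actor, action, record_id, event=None):
    """Append an access event. The record ID is logged; PHI field values are not."""
    payload = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "record_id": record_id,
        "detail": redact(event or {}),
    }
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"payload": payload, "prev": prev, "hash": _entry_hash(prev, payload)})
    return log[-1]


def verify(log):
    """Re-derive every hash in order; return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["payload"]):
            return False, i
        prev = entry["hash"]
    return True, None


def contains_phi(log, value):
    """True if a PHI value leaked into the serialised log."""
    return value in json.dumps(log)


def demo():
    """Constructed scenario: three events, then an after-the-fact edit of the second one."""
    log = []
    append(log, "dr.smith", "VIEW", "rec-1042", {"patient_name": "Jane Doe", "field": "vitals"})
    append(log, "nurse.lee", "UPDATE", "rec-1042", {"notes": "pt reports dizziness"})
    append(log, "dr.smith", "EXPORT", "rec-2201")
    ok_before, _ = verify(log)
    log[1]["payload"]["actor"] = "someone.else"  # simulated tampering
    ok_after, first_bad = verify(log)
    return ok_before, ok_after, first_bad, contains_phi(log, "Jane Doe")


if __name__ == "__main__":
    print(demo())  # (True, False, 1, False)
```

The chain only proves integrity relative to its head; to make the log tamper-evident against someone who can rewrite the whole store, the latest hash must be periodically copied somewhere the application cannot overwrite (a write-once bucket, a signed timestamp, or a separate logging account).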
What does GDPR compliance look like in practice?
GDPR compliance requires a lawful basis for data collection, data subject rights (access, erasure, portability), privacy notices at the point of collection, data processing agreements (DPAs) with processors, and breach notification within 72 hours. Code and Trust builds data subject request workflows, consent management, and retention schedule enforcement directly into the application architecture.
GDPR Implementation Checklist
- Consent management UI — granular opt-in/opt-out with timestamped consent records.
- Data export in machine-readable format (JSON/CSV) for portability requests.
- Deletion cascade scripts — a verified right-to-erasure workflow that traverses all tables.
- Privacy notice linked at every data collection point (forms, onboarding, account creation).
- Data processing agreements in place with all data processors before any personal data flows through them.
- Breach notification runbook documented — internal response starts within 24 hours, notification to the supervisory authority within 72.
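As an added example (not Code and Trust's code), the Python below runs a portability export and a verified erasure over a small constructed schema in an in-memory SQLite database. The schema, table names and sample rows are invented for the example. The verification step is the part worth copying: it uses the database's own foreign-key metadata to walk every table and count rows that still carry the subject's ID or have lost their parent, so a cascade that silently did not fire (shown here by leaving SQLite's `foreign_keys` pragma off) is reported rather than assumed.

```python
"""Portability export and verified right-to-erasure over a small relational schema."""
import json
import sqlite3

# Constructed schema for the example. Every table holding personal data references
# the data subject directly (user_id) or through a parent, with ON DELETE CASCADE.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE consents (id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    purpose TEXT, granted INTEGER, ts TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    total_cents INTEGER);
CREATE TABLE order_items (id INTEGER PRIMARY KEY,
    order_id INTEGER NOT NULL REFERENCES orders(id) ON DELETE CASCADE,
    sku TEXT);
"""


def open_db(enforce_fk=True):
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    if enforce_fk:
        # SQLite only honours ON DELETE CASCADE when this pragma is set on the connection.
        db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def seed(db):
    """Constructed sample data: two subjects, one of whom will request erasure."""
    db.execute("INSERT INTO users VALUES (1, 'alice@example.org'), (2, 'bob@example.org')")
    db.execute("INSERT INTO consents VALUES (1, 1, 'marketing', 1, '2024-01-05T10:00:00Z'),"
               " (2, 2, 'marketing', 0, '2024-02-01T09:30:00Z')")
    db.execute("INSERT INTO orders VALUES (10, 1, 1999), (11, 2, 500)")
    db.execute("INSERT INTO order_items VALUES (100, 10, 'SKU-A'), (101, 10, 'SKU-B'), (102, 11, 'SKU-C')")
    db.commit()


def export_subject(db, user_id):
    """Portability: everything tied to the subject, nested, as machine-readable JSON."""
    user = db.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchone()
    out = {
        "user": dict(user),
        "consents": [dict(r) for r in db.execute(
            "SELECT * FROM consents WHERE user_id=?", (user_id,)).fetchall()],
        "orders": [],
    }
    for o in db.execute("SELECT * FROM orders WHERE user_id=?", (user_id,)).fetchall():
        items = [dict(r) for r in db.execute(
            "SELECT * FROM order_items WHERE order_id=?", (o["id"],)).fetchall()]
        out["orders"].append({**dict(o), "items": items})
    return json.dumps(out, indent=2, sort_keys=True)


def residual_rows(db, user_id):
    """Walk every table via FK metadata. Returns {} when erasure is complete; otherwise a
    map of table -> rows still carrying the subject's ID or orphaned by a missing parent."""
    leftovers = {}
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'").fetchall()]
    for t in tables:
        cols = [c[1] for c in db.execute(f"PRAGMA table_info({t})").fetchall()]
        key = "id" if t == "users" else ("user_id" if "user_id" in cols else None)
        if key:
            n = db.execute(f"SELECT COUNT(*) FROM {t} WHERE {key}=?", (user_id,)).fetchone()[0]
            if n:
                leftovers[t] = n
        # foreign_key_list rows: (id, seq, parent_table, from_col, to_col, ...)
        for fk in db.execute(f"PRAGMA foreign_key_list({t})").fetchall():
            parent, child_col, parent_col = fk[2], fk[3], fk[4] or "id"
            n = db.execute(
                f"SELECT COUNT(*) FROM {t} c LEFT JOIN {parent} p ON p.{parent_col}=c.{child_col}"
                f" WHERE p.{parent_col} IS NULL").fetchone()[0]
            if n:
                leftovers[f"{t}->{parent} orphans"] = n
    return leftovers


def erase_subject(db, user_id):
    """Right to erasure: delete the subject row, let cascades run, then verify."""
    db.execute("DELETE FROM users WHERE id=?", (user_id,))
    db.commit()
    return residual_rows(db, user_id)


def demo(enforce_fk=True):
    db = open_db(enforce_fk)
    seed(db)
    export = json.loads(export_subject(db, 1))
    leftovers = erase_subject(db, 1)
    remaining_items = db.execute("SELECT COUNT(*) FROM order_items").fetchone()[0]
    return export, leftovers, remaining_items
```

Run `demo(True)` and the leftovers map is empty with only Bob's order item left; run `demo(False)` and the same delete leaves Alice's consents and orders in place, which the verification reports instead of letting the request be closed as complete.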
How does Code and Trust handle payment card data?
Code and Trust never stores raw card data. All payment flows use Stripe's tokenization — card numbers never touch our servers. This approach satisfies PCI DSS SAQ A (the simplest compliance tier) without requiring a full PCI audit. For clients requiring higher PCI tiers due to custom payment processing, we design systems that minimize scope by pushing card capture to a certified payment processor.
What is Section 508 and does Code and Trust build for it?
Section 508 requires US federal agencies and federally-funded programs to make electronic information accessible to people with disabilities. Code and Trust has built Section 508-compliant interfaces for 3 government agency clients. This includes keyboard navigation, screen reader compatibility (ARIA labels), sufficient color contrast (WCAG 2.1 AA minimum), and text alternatives for all non-text content.
Section 508 / WCAG 2.1 AA Requirements We Meet
- Full keyboard navigation — every interactive element reachable and operable without a mouse.
- ARIA landmarks, roles, and labels on all components — validated with screen reader testing.
- Color contrast ratio ≥ 4.5:1 for normal text, ≥ 3:1 for large text (WCAG 2.1 AA).
- Text alternatives (alt text) for all non-decorative images, icons, and media.
- Focus indicators visible on all interactive elements — no removed or invisible focus rings.
- Error messages associated programmatically with their form fields — not just visually adjacent.
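The contrast thresholds in the list above are checkable mechanically. As an added example (not Code and Trust's tooling), this Python implements the WCAG 2.1 relative-luminance and contrast-ratio formulas and audits a constructed palette against the 4.5:1 and 3:1 bars; the colour pairs and their names are invented for the example. It shows the boundary case a design review tends to miss: the same grey passes as large text and fails as body text.

```python
"""WCAG 2.1 AA contrast check using the relative-luminance formula from the spec."""


def _linear(channel_8bit):
    """sRGB channel (0-255) to linear light, per WCAG 2.1 relative luminance definition."""
    c = channel_8bit / 255
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_color):
    h = hex_color.lstrip("#")
    if len(h) == 3:  # expand shorthand like #fff
        h = "".join(ch * 2 for ch in h)
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast_ratio(fg, bg):
    """(L_lighter + 0.05) / (L_darker + 0.05); order of the two colours does not matter."""
    lighter, darker = sorted((relative_luminance(fg), relative_luminance(bg)), reverse=True)
    return (lighter + 0.05) / (darker + 0.05)


def meets_aa(fg, bg, large_text=False):
    """AA: 4.5:1 for normal text, 3:1 for large text (>= 18pt, or >= 14pt bold)."""
    return contrast_ratio(fg, bg) >= (3.0 if large_text else 4.5)


def audit(samples):
    """Return (name, ratio rounded to 2 dp) for every sample that fails AA for its size."""
    return [(name, round(contrast_ratio(fg, bg), 2))
            for name, fg, bg, large in samples
            if not meets_aa(fg, bg, large)]


# Constructed sample palette for the example, not a real client's stylesheet.
SAMPLES = [
    ("body text", "#333333", "#ffffff", False),
    ("muted caption", "#777777", "#ffffff", False),  # about 4.48:1, just under 4.5
    ("hero heading", "#777777", "#ffffff", True),    # same colours clear the 3:1 large-text bar
    ("link on dark", "#4da3ff", "#1e1e1e", False),
]

if __name__ == "__main__":
    for name, ratio in audit(SAMPLES):
        print(f"FAIL {name}: {ratio}:1")
```

Automated checks like this cover only the computable part of the requirement; the ARIA, focus-order and screen-reader items above still need a manual pass with assistive technology.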
Is Code and Trust SOC 2 certified?
Code and Trust follows SOC 2 Type II practices — access controls, encryption, change management, incident response, and availability monitoring — but has not completed a formal SOC 2 audit. Enterprise clients requiring formal certification can conduct their own security due diligence. We provide full documentation of our practices on request.
For more detail on our security practices, view the full Security page, including infrastructure security, incident response SLAs, and how to report a vulnerability.
Have specific compliance requirements?
Tell us your regulatory environment. We'll walk you through how we've handled it before and what we'd do differently for your stack.