Trust & security

Confidentiality & data protection

Last updated June 2026

Our clients range from public-sector and regulated organisations to private individuals. Many share information that is sensitive, commercially critical, or legally protected. This document describes how Altnera handles that information at every stage of an engagement.

Confidentiality as the default position

We treat every engagement as confidential from first contact. A mutual non-disclosure agreement is signed as standard before sensitive material is exchanged, and we are comfortable working under a client's own NDA, security addendum, or data processing agreement.

We do not publish client names, logos, or project details without written permission. References to past work are kept anonymised unless a client has explicitly approved attribution.

Access control & need-to-know

Access to client systems and data is granted on a least-privilege, need-to-know basis and is scoped to the specific engineers assigned to the engagement.

  • Per-client isolation: separate repositories, credentials, and environments.
  • Multi-factor authentication on every account that can reach client systems.
  • Secrets stored in encrypted secret managers — never in source code or plain files.
  • Access is revoked promptly on engagement completion or role change.

Encryption

Data is encrypted in transit using current TLS standards, and at rest using industry-standard encryption on the storage and secret-management layers we operate. Credentials and access tokens are held in dedicated secret stores with restricted access.

Data minimisation & retention

We request only the data necessary to deliver the agreed scope. Production datasets are not copied to local machines; where test data is required, we prefer anonymised or synthetic data.

  • Client data is held only for the engagement plus an agreed retention window.
  • On request, or at engagement close, working copies and credentials are securely destroyed.
  • Backups follow the same access, encryption, and retention rules as primary data.

Sub-processors & infrastructure

We keep our supplier chain deliberately small. Where we rely on infrastructure or service providers — for example cloud hosting, email delivery, or error monitoring — we use reputable vendors with their own recognised security programmes, and we will disclose the relevant sub-processors for your engagement on request.

Where a client requires it, we will deploy entirely within infrastructure that the client owns and controls, so that data never leaves their own environment.

Regulatory alignment

Altnera is based in Tallinn, Estonia and operates in line with the EU General Data Protection Regulation (GDPR). Our engineering and handling practices are informed by recognised control families such as ISO/IEC 27001 and SOC 2. We are glad to complete security questionnaires and sign data processing agreements as part of onboarding.

Incident handling

If we become aware of a security incident affecting client data, we notify the affected client without undue delay, share what we know, and work with them on containment and remediation. Notification timelines can be fixed contractually to meet your regulatory obligations.

Due diligence & contact

For security reviews, NDAs, data processing agreements, or sub-processor disclosures, write to hello@altnera.com and we will route your request to the engineer responsible for security.
