Trust Center
Trust is an engineering discipline.
How we approach security, availability, and data protection — stated plainly, without badges we haven't earned.
Security by architecture
Least-privilege access, encrypted transit and rest, secrets in managed vaults, and dependency policies enforced in CI. Security controls live in the request path, not in a PDF.
Availability, published
Client platforms carry contractual SLAs with published error budgets. Incidents get a public post-mortem within five business days — cause, impact, and the fix that shipped.
Data protection
Data residency honored per jurisdiction, retention limited to stated purpose, and subject-access requests answered within 30 days. We collect the minimum and can prove it.
Honest posture
No compliance badges we haven't earned, no fabricated uptime numbers. Certification programs in progress are listed as exactly that.
Practices
Access control
SSO + hardware-key MFA internally; role-scoped, time-bound production access with full audit trail
Encryption
TLS 1.3 in transit; AES-256 at rest; customer-managed keys supported on enterprise engagements
Development
Signed commits, mandatory review, CI gates for tests, types, and dependency audit on every merge
Incident response
24×7 on-call, rehearsed runbooks, client notification within contractual windows
Business continuity
Tested backups, documented RPO/RTO per system, annual disaster-recovery drills
Vendor management
Subprocessors reviewed annually and listed in engagement DPAs
Security questionnaires, DPAs, and subprocessor lists are available under NDA — write to security@algoryq.tech.

