A direct answer to the security questionnaire you'd send a small studio. Written for engineering leaders doing vendor due diligence.
All work product is yours — code, models, data, documentation, infrastructure-as-code. Our master services agreement transfers full IP to you under work-for-hire terms from the moment the work is paid for. We don't license anything back to you; we don't include hidden 'platform fees'.
In your repositories on your accounts (GitHub, GitLab, Bitbucket — your choice). We work as collaborators on your infrastructure rather than moving code into ours. If you'd rather we set up a sandbox first, we can do that and migrate later.
We follow your team's existing pattern. Typical setup: scoped service accounts or short-lived OIDC credentials for cloud access, secrets in your existing vault (1Password, AWS Secrets Manager, HashiCorp Vault, Doppler), no production secrets on developer machines. We rotate any shared credentials at the end of the engagement.
We work with the minimum data necessary. For production data — including PII, PHI, or anything regulated — we either work with sanitised/synthetic datasets, or we work in your environment with your access controls. We don't copy production data to developer laptops without explicit, written agreement and a defined deletion plan.
Access is granted to specific named individuals on our team and is documented in the project log. On engagement end, we run a written offboarding checklist with you: revoke our accounts, rotate any shared secrets, hand over runbooks, confirm no copies of your data remain on our side, and sign off.
We sign your NDA before the discovery call if your work requires it. Our standard MSA covers IP, confidentiality, indemnification, limitation of liability and the right to audit. Happy to redline if you have your own paper. For regulated workloads (HIPAA, PCI-DSS, SOC 2 controls), we work to your documented requirements.
If we discover or suspect a security incident affecting your data, we notify your primary contact within 24 hours, preserve relevant logs and evidence, and work with you on remediation. We don't disclose incidents publicly without your consent (subject to legal requirements).
Subprocessors
For client engagements, we use your subprocessors — not ours. The list below covers anssol.com itself.
| Function | Service |
|---|---|
| Hosting | Your chosen platform (we typically deploy to Vercel, Cloudflare, or your AWS/GCP/Azure account) |
| Transactional email | Resend — transactional emails from this Site only |
| Bot protection | Google reCAPTCHA v3 — contact form spam protection on anssol.com |
| Admin & analytics | Google Firebase (Firestore + Auth) — contact submissions and aggregate page view counts |
| Code review / collaboration | Standard developer tooling (GitHub, Linear, Slack, Loom) — we use your tenant where one exists |
Reporting a security issue
If you've found a security issue in something we've built or in anssol.com itself, please email hello@anssol.com with the details. We'll acknowledge within one business day and work with you on a fix.
Please give us a reasonable window to fix the issue before disclosing it publicly. We won't take legal action against good-faith security researchers acting under standard responsible-disclosure norms.
Need more detail for a vendor assessment? Tell us what you need — we'll send you the answers your security team is looking for, in whatever format helps.
If your due diligence list is satisfied, the next step is a 30-minute discovery call. We respond within one business day.
Start a Conversation
Tell us about your project. We respond within one business day with honest scoping — not a sales pitch.