Security & Trust
Your code, operational data, and integration credentials are among your most sensitive assets. We treat them that way. Here's exactly how we handle them on an engagement.
How We Work
Every engagement runs in an isolated environment created for that engagement and that engagement only. No client work shares infrastructure with another client. Environments are spun up at kickoff, sandboxed for the duration, and torn down on delivery.
For technical modernization work, source code is cloned into the engagement environment. Our agentic engine reads and refactors the code there and delivers results as pull requests against your repositories.
For operational modernization work, the bespoke AI systems we build are designed to run inside your infrastructure whenever possible, with credentials and access governed by your existing controls. Where systems need to run alongside ours, we scope and document the boundary in the SOW.
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Engine Audit Trail
Our agentic engine logs every action it takes during an engagement: every file read, every command run, every external call. Logs are scoped to the engagement and available to you on request for the duration of the work.
For AI systems we deliver into production, the same audit discipline carries forward. The agents we ship come with structured logs of every decision made and every system they touched, so your team always has the trail it needs for review or remediation.
Credentials and Access
Where an engagement requires API keys, integration tokens, or service-account credentials, we use the credential vaults you already trust. We do not store production credentials outside the engagement environment.
Access is scoped to the people working on your engagement, granted by named individual, and revoked at delivery. We prefer time-bound credentials and least-privilege scopes for everything we touch.
Data Retention
Source code and operational data: Held in the engagement environment for processing. Not persisted after the engagement completes.
Analysis artifacts: Architectural diagrams, domain maps, technical reports. Shared with you on delivery. Retained on our side only for the duration of the engagement, unless a longer retention period is specified in the SOW.
Deliverables: Pull requests, generated code, and bespoke AI systems are delivered into your repositories and infrastructure. We do not retain copies after delivery.
Engine audit logs: Engagement-scoped logs are available to you on request and archived per the SOW. We hand over a copy on delivery if requested.
Engagement records: Contracts, communications, and billing information are retained per Canadian record-keeping requirements.
Compliance
We don't yet hold a formal ISMS certification. Security controls are defined and agreed per engagement in the SOW. Our compliance posture matures with engagement scope.
CodeSplit AI Inc. is incorporated in Ontario, Canada, and operates under Canadian privacy law (PIPEDA).
If your organization has specific security, privacy, or compliance requirements (SOC 2 letters of assurance, DPA, data residency, security questionnaires), we're happy to work through them. Reach out to our team.