NDA framework
Mutual NDA executed before any technical discussion. We sign your standard NDA or provide ours on request — either path turns around the same business day. Inbound inquiries via the homepage form are treated as confidential by default, no NDA required, no follow-up sequence.
Data handling & GDPR
A Data Processing Addendum is executed with every engagement that touches personal data. Codepool is the data processor; you remain the controller. Codepool processes data inside the EU by default; non-EU regions are used only on your written request.
- Primary region: AWS eu-central-1 (Frankfurt) for deployments Codepool manages. We can also deploy into your own AWS / GCP / Azure tenancy on request, and that is the preferred position: your cloud, your account, your IAM.
- Cross-border transfers: Standard Contractual Clauses (EU 2021/914) where required. We do not transfer customer data outside the regions named in the engagement DPA.
- Right to erasure / portability: Honoured within 30 days of written request, faster if commercially material. Documented in the DPA.
Access controls
Single team per engagement. The seven seniors who appear on the homepage are the only people who hold access to your environment: no rotating staff, no personnel shared across competing clients.
- SSO + hardware-key MFA on every sub-processor that supports it.
- Least-privilege access by default. Engineers are granted access at the start of an engagement and revoked within five business days of handoff.
- Production credentials never leave your tenancy. We work with your secrets manager (AWS Secrets Manager, GCP Secret Manager, Vault) — never plaintext secrets in a shared channel.
- Engineer devices are corporate-imaged, full-disk encrypted and remotely wipeable. Engineers do not store client code on personal accounts.
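What "least privilege in your IAM" and "revoked after handoff" look like as a check rather than a sentence, as an added illustration that is not Codepool's own tooling and not code from this page: a small linter over an AWS IAM policy document that flags wildcard actions and resources and a missing or lapsed engagement expiry. It assumes (an assumption made here for illustration) that the engagement role's access window is enforced with an `aws:CurrentTime` / `DateLessThan` condition, and the two sample policies, the bucket name and the account ID are constructed placeholders.

```python
"""
Lint an AWS IAM policy document for engagement-scoped least privilege.

Added example only (not Codepool's tooling). Assumes the engagement role in
the client's account is granted by an IAM policy document and that the
access window is enforced with an aws:CurrentTime / DateLessThan condition,
so access lapses on its own even if manual revocation is late.
"""
import json
from datetime import datetime, timezone


def _as_list(value):
    """IAM allows a bare string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy, now=None):
    """Return a list of findings (strings); an empty list means the policy passes."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        tag = f"Statement[{idx}]"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{tag}: NotAction/NotResource grants everything not listed")
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{tag}: wildcard action {actions}")
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"{tag}: wildcard resource")
        expiry = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:CurrentTime")
        if expiry is None:
            findings.append(f"{tag}: no aws:CurrentTime expiry, access never lapses on its own")
        else:
            # IAM writes timestamps as ISO 8601 with a trailing Z
            expires_at = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
            if expires_at <= now:
                findings.append(f"{tag}: expiry {expiry} has already passed")
    return findings


# Constructed sample: the "just give the contractors admin" policy.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: scoped to one bucket and one secret path, time-boxed.
ENGAGEMENT_END = "2026-03-31T00:00:00Z"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-client-bucket/*",
            "Condition": {"DateLessThan": {"aws:CurrentTime": ENGAGEMENT_END}},
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:example-app/*",
            "Condition": {"DateLessThan": {"aws:CurrentTime": ENGAGEMENT_END}},
        },
    ],
}


if __name__ == "__main__":
    during = datetime(2026, 1, 15, tzinfo=timezone.utc)
    after = datetime(2026, 6, 1, tzinfo=timezone.utc)
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(lint_policy(policy, now=during), indent=2))
    print("scoped, after handoff", json.dumps(lint_policy(SCOPED_POLICY, now=after), indent=2))
```

Running it during the engagement reports three findings for the broad policy and none for the scoped one; running it after the engagement end date flags both scoped statements as lapsed, which is the point: the expiry condition makes "revoked within five business days" a floor rather than the only safeguard.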
Sub-processors
This is the full list of services used to operate Codepool itself. Client data is passed through a service only where there is an explicit need (e.g. AWS only for client deployments we manage; Slack only within an explicitly scoped channel). Any change to this list is published here before it takes effect.
| Service | Purpose | Region |
|---|---|---|
| Google Workspace | Email, calendar, document storage | EU / US |
| Slack | Internal + client communication | US |
| GitHub | Source code hosting | US |
| Amazon Web Services | Infrastructure for managed deployments | EU (eu-central-1 by default) |
| Cloudflare | CDN, DDoS protection, DNS | Global edge |
| ScrumGlide | Codepool's own delivery platform — backlog, planning, code review | EU |
| Vercel | Static and edge hosting (when applicable) | Global edge |
| Hetzner | Dedicated server and managed hosting (when applicable) | EU (Germany / Finland) |
Posture roadmap
Honest disclosure: Codepool has no SOC 2 report and no ISO 27001 certification today. The combination of a seven-person team, EU jurisdiction and a partnership legal entity has so far kept formal certification out of scope. The roadmap below names where we are, where we are going, and the realistic timelines.
| Posture | Status | Detail |
|---|---|---|
| NDA framework | In place | Mutual NDA on file before any technical discussion. We sign the buyer's standard NDA or provide ours; turnaround is the same business day. |
| GDPR & data processing addendum | In place | DPA executed with every engagement that touches personal data. EU-based primary infrastructure by default; non-EU regions on written request only. |
| Background-checked engineers, single-team isolation | In place | All seven engineers cleared on identity and right-to-work. One team per engagement; no shared personnel across competing clients. |
| Documented access-control posture | In progress | Formal least-privilege policy with documented quarterly access reviews. Hardware-key MFA + SSO is in place today on every sub-processor that supports it; written policy publication target Q3 2026. |
| SOC 2 Type I | Planned | SOC 2 Type I report by Q4 2026. Honest disclosure: we don't claim SOC 2 today. We're naming the path because pretending otherwise is exactly the gap this page exists to close. |
| ISO 27001 | Planned | ISO 27001 audit window Q2–Q3 2027. Pursued after SOC 2 Type I as the EU-procurement-friendly companion certification. |
Reporting a security concern
If you believe you have found a vulnerability in something Codepool runs or delivered, email info@codepool.io with “Security disclosure” in the subject line. We acknowledge inbound security reports within one business day and triage with your timeline in mind.