Security & Access Practices
DuskByte operates on principles of least privilege, data minimization, and client-controlled environments. Access is scoped to what's required for assessment and advisory work—read-only by default, time-bound, and transparent.
Access Model (Default)
Read-only access where possible
Assessment work prioritizes read-only repository access, log visibility, and architectural documentation review.
Time-bound credentials
Access is scoped to engagement duration. Credentials expire automatically when work concludes.
Separate environments preferred
Non-production environments (staging, pre-prod) are preferred for assessment. Production access only when operationally necessary.
Client retains deployment authority
Deployment recommendations are delivered as guidance. Execution remains under client control unless explicitly delegated.
Data Handling
  • Data minimization — only what is necessary for assessment or advisory work
  • No production data export unless operationally required and explicitly approved
  • Redaction and sampling used where possible to preserve privacy
  • PII/PHI handling follows client protocols and regulatory requirements
Where handling of production data or sensitive information is required, DuskByte follows client-defined security protocols and regulatory compliance frameworks (GDPR, HIPAA, SOC 2, etc.).
Common Items We Request (Assessment)
The following access and documentation requests are standard for modernization assessments and advisory engagements:
Code Access
  • Read-only repository access (GitHub, GitLab, Bitbucket)
  • Access to architectural documentation and system diagrams
  • Infrastructure-as-code repositories (Terraform, CloudFormation)
Operational Visibility
  • CI/CD pipeline configuration (read-only)
  • Application logs and metrics dashboards (observability tools)
  • Monitoring and alerting configuration
Integration & Dependencies
  • API integration inventory and documentation
  • Third-party service dependencies
  • Database schema diagrams (anonymized where needed)
What We Do Not Require
Admin access without a specific reason
We do not request administrative privileges unless operationally justified for execution work.
Ownership of production keys or secrets
Production credentials remain under client control. Access is granted on a least-privilege, time-bound basis.
Direct production deployment rights
For assessment engagements, deployment authority is not required. For execution work, deployment is coordinated and client-approved.
NDA and Vendor Security Review
NDA Available
Mutual Non-Disclosure Agreements (NDAs) are signed as standard practice. All client data, architecture, and operational information is treated as confidential.
Procurement Pack Available
Vendor security questionnaires, compliance documentation, and procurement materials provided on request.
Frequently Asked Questions
Yes. DuskByte signs mutual Non-Disclosure Agreements (NDAs) as part of standard engagement terms. We treat all client system information, architecture, and operational data as confidential by default.
For assessment work, production access is typically not required. Most assessments can be completed using staging environments, documentation, logs, and architectural review. If production access becomes necessary (e.g., performance profiling, incident investigation), it is requested explicitly and scoped to read-only where possible.
DuskByte follows data minimization principles. Where PII or PHI exists in systems under review, we work with redacted datasets, anonymized schemas, or sampled data. If handling sensitive data is operationally required, we follow client-defined protocols and applicable regulatory requirements (GDPR, HIPAA, etc.).
Yes. DuskByte has experience working with teams operating in regulated industries including healthcare (HIPAA), financial services, and data-sensitive environments. We adapt our access and data handling practices to align with client compliance requirements and can participate in vendor security reviews as needed.
Questions About Security or Access?
If you have specific security, compliance, or access questions not covered here, we're available to discuss your requirements.
© 2026 DuskByte. Engineering stability for complex platforms.