How we handle trust —
yours and your users'.
Our security practices, confidentiality commitments, and compliance posture.
01
Confidentiality
Mutual NDA as standard practice.
Every engagement begins with a mutual non-disclosure agreement. We will not disclose your product strategy, architectural decisions, internal research, or business performance to any third party. We do not use client work in our marketing without explicit written permission. Case studies published on our website use anonymized or composite descriptions unless clients explicitly approve named attribution.
We request the same confidentiality in return — specifically, that diagnostic findings and strategic recommendations are shared only with personnel who need them. We have seen valuable design strategy leak to competitors through inadvertent disclosure. We take this seriously.
02
Data Security
Our own security posture.
Work product is shared via encrypted channels only. We do not use unencrypted email for sensitive deliverables. We do not store client data on personal devices. Our internal tools are selected for security posture — we apply the same data minimization principles to our own operations that we recommend to clients.
For engagements requiring access to production environments, analytics dashboards, or user data, we work under formal data processing agreements and least-privilege principles. We request only the access required for the specific diagnostic task, for the duration of that task, and we document all access activity.
03
Regulatory Knowledge
We know the frameworks our clients operate under.
Our practice is built around the regulatory environment of Enterprise SaaS. We maintain current knowledge of EU Digital Services Act enforcement, FTC dark pattern guidance, GDPR Article 25 (data protection by design and by default), CCPA and CPRA requirements, and sector-specific regulations including HIPAA/HITECH for health tech and relevant FINRA/SEC UX considerations for FinTech.
We are not lawyers. We do not provide legal advice. We provide design advisory informed by regulatory context, and we work alongside your legal team to ensure that design decisions are both excellent and compliant.
04
Scope of Engagement
What we commit to — and what we don't.
We commit to: rigorous diagnostic work, evidence-based strategic recommendations, complete transparency about our findings (including findings that challenge internal assumptions), and delivery of agreed outputs on agreed timelines.
We do not commit to: outcomes we cannot control (market performance, user adoption rates beyond our specific engagement scope), compliance certification (we are not a compliance firm), or engagement continuation if we encounter practices we consider unethical.