How we handle your code and data.
Cardinal sells to buyers whose procurement includes a security and data-handling review. This page is the short version of how we treat your code, your data, and your business context, from first contact through handoff.
Confidentiality standard
Every engagement begins with a mutual NDA, countersigned the same day it is requested. Client code, data, business context, and communications are treated as confidential from first contact.
Data handling
Cardinal's proprietary Redactor tool sits between client applications and any external LLM call, replacing personally identifiable information (PII) with stable tokens (the same value always maps to the same token) before an external model sees the prompt. PII does not leave the client's environment unredacted during any Cardinal engagement.
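To make the pattern concrete, here is a small added example of stable-token pseudonymization in front of an external model. It is illustrative code written for this page, not Cardinal's Redactor, and it makes no claim about how that tool detects PII or formats tokens; the regex patterns, the `<KIND_n>` token format, the constructed sample text and the stand-in `external_model` function are all assumptions. It also shows the main caveat a reviewer should ask about: the guarantee is only as strong as the detection step (the bare first name in the sample is not caught), and the token-to-value map must itself stay inside the client environment.

```python
import re
from typing import Callable, Dict, Tuple

# Assumed detection rules for the example. Regexes only; a production
# redactor would also need named-entity recognition and broader coverage.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
TOKEN_RE = re.compile(r"<(?:EMAIL|PHONE|SSN)_\d+>")


class Redactor:
    """Swap detected PII for stable tokens; keep the mapping locally."""

    def __init__(self) -> None:
        self._token_for: Dict[Tuple[str, str], str] = {}  # (kind, value) -> token
        self._value_for: Dict[str, str] = {}              # token -> value
        self._counters: Dict[str, int] = {}

    def _token(self, kind: str, value: str) -> str:
        # Stable: the same (kind, value) pair always yields the same token.
        key = (kind, value)
        if key not in self._token_for:
            n = self._counters.get(kind, 0) + 1
            self._counters[kind] = n
            token = f"<{kind}_{n}>"
            self._token_for[key] = token
            self._value_for[token] = value
        return self._token_for[key]

    def redact(self, text: str) -> str:
        """Replace every match of every pattern with its token."""
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def restore(self, text: str) -> str:
        """Map tokens in a model reply back to the original values.

        Unknown tokens (for example one the model invented) are left as-is
        rather than guessed, so restore() never fabricates PII.
        """
        return TOKEN_RE.sub(lambda m: self._value_for.get(m.group(0), m.group(0)), text)


def round_trip(redactor: Redactor, text: str,
               external_model: Callable[[str], str]) -> Tuple[str, str]:
    """Redact, send the redacted prompt out, rehydrate the reply locally."""
    prompt = redactor.redact(text)
    reply = external_model(prompt)     # only tokens cross this boundary
    return prompt, redactor.restore(reply)


# Constructed sample input for the example (not real data).
SAMPLE = ("Contact Jane at jane.doe@example.com or 555-123-4567. "
          "SSN 123-45-6789. Alt email jane.doe@example.com.")


def fake_external_model(prompt: str) -> str:
    # Assumed stand-in for the external LLM call; it echoes the tokens back.
    return "Draft: follow up with " + " and ".join(TOKEN_RE.findall(prompt)[:2])


if __name__ == "__main__":
    r = Redactor()
    prompt, reply = round_trip(r, SAMPLE, fake_external_model)
    print("sent:    ", prompt)
    print("restored:", reply)
```

Note that "Jane" survives in the outgoing prompt because nothing in PATTERNS matches a bare first name; when evaluating any redaction layer, ask what classes of PII it detects and how that coverage is tested, not just whether a substitution step exists.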
US-based delivery
All Cardinal engineering, project management, and communication is US-based. No offshore routing of client code or data.
Access controls
Access to client repositories is provisioned only to the named engineers on the engagement and is revoked at handoff. Cardinal does not retain copies of client code after the engagement closes.
Compliance posture
Cardinal has delivered production systems under HIPAA (BAA available on request), under attorney-client privilege requirements, and in SEC EDGAR-adjacent workflows. Compliance posture is configured during the build, not retrofitted.
BAA and DPA availability
Business Associate Agreements (HIPAA) and Data Processing Agreements (GDPR) are available on request for engagements requiring them.
Contact for security questions
Email hello@cardinalstacks.com. We respond in writing within 48 hours.
Questions before you send your code? Ask us first.