Trust
Earning trust starts with protecting data
Code & Co. advises the world's leading investors on AI, technology, and product due diligence. Our clients trust us with important information about their portfolios, their deals, and their strategy.
Security is an essential part of how we earn that trust, and something we build into our systems from day one.
This page sets out how we protect client and company information, across our consulting work, our internal products, and the partners we rely on.
EU Data Residency
We store and process all client data on servers inside the European Union.
No Model Training
We never use client data to train AI models. Only the project team working on your engagement has access to it.
Encryption
We encrypt data in transit using TLS and WireGuard, and we store it on encrypted disks.
Our Information Security Program
Behind these principles sits a documented Information Security Management System (ISMS). It governs how Code & Co. handles all client and company information, across our consulting work, our internal products, and the third-party services that support them.
The ISMS protects the confidentiality, integrity, and availability of every information asset we hold. It applies to all employees, contractors, and vendors, across the physical, digital, and cloud-based environments we work in.
Information security is owned at the top of the company. Our Managing Partners hold ultimate accountability for the ISMS. Our CTO acts as Chief Information Security Officer and is responsible for the day-to-day design, operation, and improvement of security controls.
Our framework
The ISMS is built on a framework of fifteen policy areas. We review each one at least once a year, and detailed operational procedures sit underneath them.
Risk Management. We identify risks to our information assets, score them on likelihood and impact, and treat them through a formal cycle of mitigation, acceptance, transfer, or avoidance.
Compliance. We comply with the legal, regulatory, and contractual requirements that apply to us, including GDPR. Internal and external audits, plus regular management reviews, keep the ISMS under scrutiny.
Asset Management. Every information asset is identified, classified by sensitivity, and tracked through its full lifecycle, from creation to secure disposal.
Access Management. We grant access on the principle of least privilege. Single sign-on and multi-factor authentication are enforced on every account that handles confidential or internal data, and we review access at least once a year.
Incident Management. We have a documented incident response process that covers detection, classification, containment, resolution, and post-incident review. Suspected incidents can be reported to security@codeandco.com.
Business Continuity. Our Business Continuity and Disaster Recovery plans keep critical functions running through disruption. We test them at least once a year.
Backup Management. We back up critical data, systems, and configurations on a regular schedule. Backups are encrypted, stored securely, and tested at least once a year to confirm they can be restored.
Logging & Monitoring. Critical systems write protected security logs. Automated monitoring flags anomalies and suspicious activity. We review and retain logs in line with business and regulatory requirements.
Patch & Vulnerability Management. We use continuous scanning to surface vulnerabilities, and remediate them against defined SLAs based on severity.
Personnel Security. Every employee and contractor goes through a standard onboarding and offboarding process, signs a confidentiality agreement, and completes mandatory security awareness training each year. Background screening is part of onboarding where appropriate.
Vendor Management. Every vendor with access to our data is risk-assessed when we onboard them, and reassessed on an ongoing basis. Contracts include explicit security and incident-reporting obligations.
Physical Security. We're a fully remote company with no shared office or on-premises infrastructure. Our physical controls focus on home-working environments and on protecting company-issued laptops and devices.
Device Management. All company devices are centrally managed, with full-disk encryption, endpoint detection and response, automatic operating-system updates, screen-lock policies, and remote-wipe capability. Staff with ongoing access to confidential data are not allowed to use personal devices for work.
Secure Software Development. Security is built into every stage of our development process. That covers separated development and production environments, automated static analysis, dependency scanning, and mandatory human code review before anything is merged.
Network Security & Cryptography. Production network traffic runs over an encrypted private mesh (WireGuard). Public traffic is terminated over TLS 1.2 or higher. Confidential data is encrypted at rest and in transit.
Continuous improvement
The ISMS runs on the Plan-Do-Check-Act (PDCA) cycle. We assess risks and set objectives, put controls in place, measure how well they work through audits and management reviews, and feed improvements back into the next cycle.
Requesting the full policy
This page is a high-level summary of our Information Security Policy. The full policy, along with any of the supporting policies it references, is available to clients, suppliers, and other interested parties on request.
→ Contact us at security@codeandco.com.