Security

Last updated: January 29, 2026

Our approach

StudioAsCode operates from Vienna, Austria, under EU/GDPR jurisdiction. During client engagements we handle infrastructure and operational data with the same discipline we apply to security architecture: least privilege, controlled execution, and auditability by design.

AI-assisted delivery

We use agentic AI to accelerate delivery across infrastructure engineering and security operations, including code generation, configuration analysis, policy implementation, documentation, and workflow automation.

These autonomous agents can iterate on solutions, execute repeatable tasks, and support operations (CI/CD actions, validations, remediation workflows) under strict controls.

All AI workflows executed through our tooling are governed by Titan, our compliance and governance layer:

  • Policy enforcement - Titan applies preflight classification and policy checks before execution
  • Output validation - Titan validates outputs for secrets, PII, and sensitive references to reduce the risk of data exposure
  • Cloud AI governance - When cloud AI services are used, Titan minimizes what is sent and records governed activity
  • Audit trail - Titan generates cryptographically verifiable evidence (hash-chained records) showing governance checks were executed

Titan does not rely on trust. It produces verifiable evidence that controls were applied and outputs were validated before delivery.
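As an added illustration of what hash-chained evidence means in practice (this is example code, not Titan's own implementation or record format), the block below builds a minimal audit chain in which each record stores a SHA-256 digest of the governed content rather than the content itself and commits to the previous record's hash, so a verifier can detect any altered, removed or reordered record. The step names and check fields are assumptions.

```python
import hashlib
import json

# Constructed example: a hash-chained evidence log. Each record commits to the
# previous record's hash and to a digest of the governed content, never the
# raw content, so the log proves that checks ran without retaining client data.

GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(obj) -> str:
    """Canonical SHA-256 of a JSON-serialisable value (sorted keys, stable encoding)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def append_record(chain: list, step: str, content: str, checks: dict) -> dict:
    """Append one governance-check record; the content itself is only hashed."""
    body = {
        "seq": len(chain),
        "prev_hash": chain[-1]["record_hash"] if chain else GENESIS,
        "step": step,
        "content_sha256": hashlib.sha256(content.encode()).hexdigest(),
        "checks": checks,
    }
    body["record_hash"] = _digest(body)
    chain.append(body)
    return body


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        # Recompute the record hash and check the link to the previous record.
        if rec["seq"] != i or rec["prev_hash"] != prev or rec["record_hash"] != _digest(body):
            return False, i
        prev = rec["record_hash"]
    return True, -1


def build_sample_chain() -> list:
    """Two constructed records: a preflight policy check and an output validation."""
    chain = []
    append_record(chain, "preflight", "terraform plan for tenant example",
                  {"classification": "internal", "policy": "pass"})
    append_record(chain, "output_validation", "generated IAM module",
                  {"secrets_found": 0, "pii_found": 0, "result": "pass"})
    return chain
```

Changing any field of an earlier record, or dropping a record, breaks the recomputed hash or the `prev_hash` link and the verifier reports the first inconsistent index.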

We do not claim that governance controls eliminate all risk or prevent disclosure outside governed workflows (for example, manual copy/paste into third-party tools).

What data we handle

During a typical engagement, we may work with:

  • System configurations - platform settings, tenant configuration, service integrations
  • Automation workflows - scripts, orchestration logic, pipelines, runbooks
  • Account and identity setups - IAM, SSO, provisioning, directory integrations
  • DNS and email configurations - domain records, routing, deliverability settings

We do not require or request:

  • Production database exports
  • Customer PII/PHI datasets
  • Credentials shared via chat or email (secure channels and secrets managers are used instead)

Credential handling

When access to customer environments is required (cloud accounts, identity providers, repositories, servers):

  • Temporary access - credentials are used only for the duration of the engagement and removed on completion; access is scoped to least-privilege roles where possible
  • Rotation required - customers should rotate credentials after engagement ends
  • Ongoing support - for continuous support agreements, credentials are stored only in encrypted systems (password managers with RBAC, or platform-native secrets management)

How we protect your data

Workspace isolation

Each client engagement operates in an isolated workspace. Project files, configurations, and documentation are never mixed across clients.

Secure storage

Sensitive artifacts are stored in encrypted systems with access controls. Raw customer content is not retained longer than necessary to deliver the engagement.

Access controls

Access to customer environments and engagement artifacts is restricted to authorized personnel only. Sensitive directories containing credentials and private keys are protected by default.

Data retention

Engagement artifacts are retained only as long as necessary. Upon request, customer data can be deleted, subject to contractual and legal retention requirements.

GDPR compliance

As an Austria-based consultancy, we operate under EU data protection regulations:

  • Data minimization (GDPR Article 5(1)(c)) - we collect and retain only what is required for delivery
  • Data protection by design (GDPR Article 25) - security controls are built into our workflows, including classification gates and governed execution
  • Accountability - audit logs store hashes and structured evidence rather than raw customer content
  • Right to erasure - engagement artifacts can be deleted upon request, subject to contractual and legal retention requirements
  • Data processing agreements - available upon request for enterprise engagements

Client-specific requirements

Security controls can be adapted based on client requirements, including:

  • Stricter blocked-resource patterns for regulated environments
  • Framework-aligned validation (GDPR, SOC 2, ISO 27001, HIPAA-adjacent)
  • Per-engagement policy overlays and enforcement rules
  • Evidence packages formatted for audit and vendor review

What we do not claim

We believe in clear, accurate security statements:

  • Compliance guarantees - we implement controls and provide evidence, but do not provide legal certification
  • Zero risk - we reduce exposure through controlled workflows and validation, but no system is risk-free

Contact

To report a security concern, request details on our data handling practices, or discuss enterprise requirements (including DPAs and custom controls):

Contact Us

Response time: 48 hours