How we handle your stuff.
We sell sovereignty as a product. That promise is empty if our operational practices undermine it. This page is what we do, in writing, before we touch your environment.
Six rules.
Least privilege, scoped credentials
We do not accept, request, or operate with credentials broader than the engagement requires. Where possible we operate as named human IAM principals against your identity provider, so every action is attributable in your audit log. Service accounts for tooling are scoped per-environment, time-bound, and rotated on engagement close.
Your data stays in your VPC
Production traffic samples, evaluation datasets, traces, and model weights remain in your environment. Where we need a local copy to debug or run a benchmark, it is taken with explicit consent, kept on a disk-encrypted developer machine, and deleted on engagement close. We do not train, fine-tune, or commercialise on any client data, ever.
No third-party AI on your data
We do not paste client logs, prompts, traces, or weights into hosted LLM tools (ChatGPT, Claude, Copilot, Cursor against client repos). When we use AI tooling internally, it is on isolated synthetic data only, with explicit team policy.
Auditability over speed
Every change we ship to a production environment goes through your normal change-management path: PRs reviewed by your engineers, runbooks reviewed before incident drills, deployments through your existing CI/CD. We do not hot-patch production from our laptops.
Eval parity before performance
We do not cut over real traffic until the new stack passes the eval suite within the tolerance you signed off on, and we keep the hosted baseline warm for 30 days post-cutover as a safety net.
Clean exit
On engagement close we revoke our access, hand over credentials we generated, deliver runbooks and architecture documentation, and publish the post-engagement report. Your team can disable our last access on day one of the handover; the runbooks alone should be enough to operate the system.
The other half of trust.
We do not train on client data
No client prompts, completions, weights, datasets, or logs are used to train, fine-tune, or evaluate any model outside the engagement.
We do not retain credentials
On engagement close, every credential we touched is rotated by the client. Service accounts we generated are handed back or deleted.
We do not run client traffic through third parties
No proxy, no aggregator, no hosted LLM tool sees your inference traffic.
We do not subcontract
Both founders run every engagement, an inference-and-infra lead and an ML research counterpart. No offshore delivery, no white-label resellers, no junior staffing.
We do not white-label your case study without consent
Anything we publish about an engagement is anonymised by default and explicitly approved before posting.
Where keys live during an engagement.
- Discovery: we sign your NDA. We are granted read-only access to your inference logs, traffic samples, and architecture docs, usually via a temporary, named IAM role in your account, not a service account.
- Scoping: we agree on the access matrix in writing as part of the engagement contract. Nothing wider than the contract permits.
- Build: any service accounts we provision are scoped per-environment, named with a prefix you choose (e.g. fp-migration-*), and time-bound to the engagement window.
- Cutover: production credentials we use during cutover are issued by you with short TTLs. We never store long-lived production keys in our tooling, vaults, or shell history.
- Handover: on engagement close we hand back the runbooks, your team rotates everything we touched, and our access is revoked at the IdP layer. We confirm in writing that no fastpriors-side copies remain.
Who else touches what we touch.
| Vendor | Purpose | Data shared | Region |
|---|---|---|---|
| Linear | Issue tracking, engagement scope and milestones | Project metadata only (no client production data) | US |
| 1Password | Credential vault for client-issued service accounts | Encrypted secrets | US/EU |
| Resend | Email delivery for fastpriors.com inquiries | Inquiry form contents | US |
| PostHog | Site analytics for fastpriors.com | Page views and anonymised event metadata; no client production data | US |
We will notify clients of material changes to this list at least 30 days before they take effect. The current list is also part of our standard DPA.
Found something?
If you believe you've found a vulnerability in our site or any code we've published, get in touch with subject “security”.
- Acknowledgement: within one working day, from a real engineer.
- Resolution: we work the issue with you and credit reporters who request it.
- Bounty: no paid bounty yet, but we will not pursue good-faith research.
Need a security review before we talk?
Tell us what your procurement team needs. We'll send it.