Security & Compliance
Every engagement starts with an NDA and IP assignment clause. Here is exactly what we do to protect your business, your code, and your customers.
Security commitments included in every engagement
Security Practices
Five areas where we have built explicit policies and practices, and where you can hold us to account.
Every engineer placed through EnzRossi signs a comprehensive Non-Disclosure Agreement before their first day on your project. The NDA covers confidential information, trade secrets, client data, and all work product created during the engagement.
Executed before any access is granted to your systems or codebase
Covers confidential business information, technical IP, and client data
Enforceable under Brazilian law with international arbitration clauses
Reviewed by our legal team annually and updated as needed

All code and work product created by EnzRossi-placed engineers is the intellectual property of your company from the moment it is created. Our agreements include explicit IP assignment clauses that leave no ambiguity.
Work-for-hire provisions in all engagement agreements
Clear IP assignment language covering code, designs, and documentation
Engineers are prohibited from using client IP for personal projects or other clients
Applicable to both full-time and part-time engagement models

We handle candidate data and client information under strict data minimization principles. We collect only what we need, store it only as long as required, and delete it on request.
Candidate personal data stored in encrypted databases with access controls
Client business data (briefs, contracts) stored in SOC2-compliant infrastructure
Data retention policies: candidate data deleted after 2 years of inactivity
LGPD-compliant consent flows for all personal data we collect

Access to client systems is granted on a need-to-know basis and documented in the engagement agreement. We advise clients on access provisioning best practices and enforce least-privilege principles for our internal operations.
Engineers receive only the system access required for their specific role
All access grants are documented and reviewed monthly
Offboarding checklists ensure all access is revoked within 24 hours of engagement end
Multi-factor authentication required for all internal EnzRossi systems

We operate in environments that touch GDPR, SOC2, and HIPAA-regulated data. We are not claiming certification in these frameworks. We are saying we understand their requirements and train our engineers accordingly.
Engineers working with EU clients receive a GDPR awareness briefing
Engineers working with healthcare clients complete a HIPAA data handling training module
SOC2 control awareness included in onboarding for applicable client environments
We recommend clients work with their compliance team on access scope definitions

Compliance Awareness
We are not claiming GDPR, SOC2, or HIPAA certification. We are saying we understand these frameworks and train engineers for environments where they apply.
Awareness level, not certification
GDPR (General Data Protection Regulation): Governs how personal data of EU residents is collected, stored, and processed.
Our approach: Engineers placed with EU-facing clients receive a GDPR awareness module covering data minimization, consent, and subject access rights.
SOC2 (Service Organization Control 2): A security standard for service organizations that evaluates how customer data is managed.
Our approach: Our internal infrastructure uses SOC2-compliant cloud providers. Engineers are briefed on SOC2 control categories when working with clients who hold SOC2 certification.
HIPAA (Health Insurance Portability and Accountability Act): Governs the handling of protected health information (PHI) in the US.
Our approach: Engineers placed with healthcare clients complete HIPAA awareness training covering the definition of PHI, the minimum necessary standard, and incident reporting obligations.