Devlyn AI · Trust

What IT CXOs need to see before signing.

Compliance posture, IP ownership, security practices, and a sample MSA. Updated quarterly. Last reviewed May 2026.

Compliance posture

Devlyn AI runs the same compliance ladder as any vendor selling into the $5M to $500M IT segment. Where a framework is in progress, the target date and current state are shown.

SOC 2 Type II

In progress

Audit window Q3 2026, report Q4 2026.

Auditor engaged. Controls documented. Penetration test scheduled.

GDPR

Compliant

DPA available on request.

Standard contractual clauses, EU representative, named DPO. Data subject requests resolved within 30 days.

Data residency

Configurable

EU-only or US-only on enterprise tier.

Default region: US. EU residency provisioned per engagement on Cloudflare R2 + Workers regions.

ISO 27001

Planned

2027 H1 — once SOC 2 stabilises.

Mapped against SOC 2 Common Criteria. Gap analysis complete.

HIPAA

Available

BAA on healthtech engagements.

Encryption at rest + in transit, audit logging, access controls per HHS guidance. Reference customers available.

PCI DSS

Out of scope

We do not process or store cardholder data.

Engagements involving payment systems use the client's own PCI-scoped infrastructure. We integrate with it; we do not store cardholder data.

IP ownership + contract terms

Ownership

All work product, code, and derivative IP assigned to client on creation. No retained licence for Devlyn.

Pre-existing IP

Devlyn-side tooling (CI scaffolds, internal accelerators) remains Devlyn property. It is licensed to the client under a perpetual, royalty-free licence for the engagement scope.

NDA

Mutual NDA signed before any code, credentials, or roadmap context is shared. Standard 3-year term, extendable.

Background checks

Every engineer is cleared before deployment. Checks cover references, identity, prior employment and, where lawful, criminal record.

Confidentiality

Engineers bound by individual employment-level NDAs to Devlyn, with flow-through obligations to client matters.

Engineering security practices

  • Engineer workstations: full-disk encryption, MDM-managed, locked-screen policy.
  • Code repositories: 2FA required, SSO where supported, branch protections + signed commits.
  • Credentials: never stored in code. 1Password vault per engagement with rotation policy.
  • Production access: just-in-time elevation, audit-logged, no shared accounts.
  • Incident response: 24h disclosure SLA, post-mortem within 7 days.
  • Third-party tools: vendor-risk reviewed; SOC 2 / ISO 27001 evidence required for any data-processing subprocessor.

Sample MSA

Every engagement runs under a Master Services Agreement plus an engagement-specific SOW. Standard terms below. The full MSA template ships on request — usually inside the 30-minute discovery call.

  • Term: month-to-month, 30-day notice.
  • Payment: monthly invoice, net-15. ACH or wire.
  • IP: assigned to client on creation.
  • Trial: 3 days free against real work, before retainer triggers.
  • Replacement: 14-day no-charge swap, written.
  • Liability cap: 12 months of fees paid.
  • Indemnity: mutual, IP-infringement scoped.
  • Governing law: Delaware for US-domiciled clients; England and Wales for EU clients. Negotiable.

Disclosures

Security incidents

No reportable security incident affecting client data in the 24 months ending May 2026. Page updated quarterly; if this line is more than 90 days old, treat it as stale and ask.

Contact

Security questions, compliance audits, vendor reviews: hello@alpeshnakrani.com. 24-hour reply SLA. Disclosure window: 24 hours from discovery for any incident.