Trust & Reliability

Altimi Trust Center

Security and reliability are at the core of everything we build. We protect your data and intellectual property with enterprise-grade standards.

Security

We employ a Secure SDLC model and rigorous access controls to protect your code and intellectual property.

Data

Processed in EU regions of AWS and Azure, encrypted with TLS in transit and AES at rest at every stage of the journey.

Compliance

ISO 27001 certified operations, ensuring full alignment with international information security management standards.

Infrastructure and Data

We ensure your data and applications are hosted in environments that meet the highest resilience standards.

Location

AWS or Azure in EU regions. Fully compliant with local regulations.

Encryption

Data encrypted in transit using TLS and at rest using AES (TLS protects the connection, not stored data).

Business Continuity

Regular backups and proven Disaster Recovery procedures.

High Availability

Architecture designed to eliminate single points of failure (SPOF).

Resilience Guarantee (SLA)

Recovery Time Objective (RTO): ≤ 6 hours
Recovery Point Objective (RPO): ≤ 2 hours
Backup Frequency: every 1 hour
DR Plan Tests: at least once per year

Security & Compliance

Security at Altimi is a continuous process, not a one-off event. Our approach is based on proven engineering practices.

Least Privilege principle

Access to project resources is granted only to people directly involved in executing the task.

Secure Development & Code Review

Every line of code goes through peer review and automated vulnerability testing.

CI/CD automation

Secure deployment pipelines minimize human error and ensure environment consistency.

Testing and audits

We regularly perform internal security tests and work with external auditors to maintain our ISO 27001 certification.

Secure SDLC

Security is built into every phase of the process – it is not a separate step bolted on at the end of the project. Our approach is based on three well-established frameworks:

NIST SSDF (SP 800-218)
Microsoft SDL
OWASP ASVS
01
Requirements

Defining security requirements according to OWASP ASVS Level 2; threat modeling for critical modules.

02
Design

Secure-by-design, zero-trust model, and architecture reviews focused on threats (Microsoft SDL).

03
Implementation

Secure coding guidelines, mandatory peer code review, and SAST (static application security testing).

04
Testing

DAST in the CI/CD pipeline, penetration testing, and SCA for detecting vulnerable open-source dependencies.

05
Deployment

Hardened CI/CD pipelines, SLSA supply chain integrity, and IaC (Infrastructure as Code) scanning.

06
Maintenance

PSIRT, Vulnerability Disclosure Policy (VDP), and SBOM generation for every release.

Vulnerability Disclosure (VDP)

Our PSIRT/VDP process provides a structured way to receive and handle vulnerability reports from security researchers and customers, with defined response SLAs. Reports can be sent to security@altimi.com.

Privacy and Data Protection (GDPR)

We respect your privacy and the privacy of your users. We operate in line with GDPR, keeping our processing activities transparent. In most engagements we act as a data processor, providing appropriate technical and organizational safeguards.

Data Lifecycle & Retention

Project Data

Deleted or returned to the client within 30 days after the end of the engagement (unless the contract states otherwise).

Security & Audit Logs

Stored for at least 12 months for compliance and incident detection purposes.

Test Environments

Staging and test systems do not contain production personal data – we use pseudonymization or synthetic data instead.
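As an added illustration of the pseudonymization mentioned above (example code, not Altimi's own tooling), the snippet below replaces direct identifiers in a record with keyed HMAC-SHA256 pseudonyms before data is copied to staging. A keyed MAC rather than a plain hash is used so that someone holding a staging dump cannot recover e-mail addresses by hashing a candidate list; the same input under the same key yields the same pseudonym, so joins between tables still work. The field names, sample rows and the `example.invalid` domain are constructed assumptions; the key is assumed to live outside the test environment.

```python
"""Keyed pseudonymization of direct identifiers for staging/test copies.

Added example, not Altimi's own code. Field classification, sample rows and
the reserved ``example.invalid`` domain are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Fields that identify a person directly and must never reach staging as-is.
DIRECT_IDENTIFIERS = ("email", "phone", "national_id")

# Fields classified as non-personal that may be copied unchanged.
PASSTHROUGH = ("customer_id", "country", "order_total", "created_at")


def pseudonymize_value(key: bytes, field: str, value: str) -> str:
    """Deterministic pseudonym for one value.

    The field name is mixed into the MAC input so that the same string in
    different fields (e.g. a phone number stored as a national ID) does not
    produce the same token. Output shape is kept plausible for validators.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    if field == "email":
        return f"user-{token}@example.invalid"   # RFC 2606 reserved TLD
    if field == "phone":
        return "+000" + str(int(token, 16) % 10**9).zfill(9)
    return token


def pseudonymize_record(key: bytes, record: dict) -> dict:
    """Return a copy of record with direct identifiers replaced.

    Fails closed: a field that is neither classified as an identifier nor as
    safe passthrough raises instead of silently copying potential PII.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymize_value(key, field, str(value))
        elif field in PASSTHROUGH:
            out[field] = value
        else:
            raise ValueError(f"field {field!r} is not classified; refusing to copy")
    return out


def pseudonymize_table(key: bytes, rows: list) -> list:
    return [pseudonymize_record(key, row) for row in rows]


def verify_no_leak(original_rows: list, pseudo_rows: list) -> bool:
    """Check that no original identifier value survives in the output."""
    originals = {
        str(row[f]) for row in original_rows for f in DIRECT_IDENTIFIERS if f in row
    }
    emitted = {str(v) for row in pseudo_rows for v in row.values()}
    return originals.isdisjoint(emitted)


# Constructed sample data: the same e-mail appears in both tables so the
# referential link between a user and their order can be checked after masking.
SAMPLE_USERS = [
    {"customer_id": 1, "email": "anna@example.com", "phone": "+48123456789",
     "national_id": "90010112345", "country": "PL"},
    {"customer_id": 2, "email": "bob@example.org", "phone": "+49111222333",
     "national_id": "85050554321", "country": "DE"},
]
SAMPLE_ORDERS = [
    {"customer_id": 1, "email": "anna@example.com", "order_total": "120.00",
     "created_at": "2024-03-01"},
]


def demo() -> dict:
    """Mask both tables with a fresh key and return the masked rows."""
    key = secrets.token_bytes(32)   # in practice: fetched from a secrets manager
    users = pseudonymize_table(key, SAMPLE_USERS)
    orders = pseudonymize_table(key, SAMPLE_ORDERS)
    assert verify_no_leak(SAMPLE_USERS + SAMPLE_ORDERS, users + orders)
    return {"users": users, "orders": orders}


if __name__ == "__main__":
    for table, rows in demo().items():
        print(table, rows)
```

The key must be generated and stored outside the staging environment; whoever can read both the key and the staging dump can recompute pseudonyms for guessed inputs, so the key deserves the same handling as production credentials.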

Data Subject Rights

As a data processor we support the client (data controller) in fulfilling the following data subject rights:

  • Right of access to data (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure / “right to be forgotten” (Art. 17 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Requests are handled within an agreed SLA via dedicated tools.

Documentation & Processes

  • Record of Processing Activities (ROPA)

    We maintain documentation of all operations, enabling audits and meeting information obligations.

  • Data Processing Agreement (DPA)

    Available as a standard part of our onboarding and contracting process.

  • Breach Notification

    In case of a breach, we notify the client (data controller) within 24 hours of becoming aware of it.

Subprocessors

We work only with reputable technology providers that guarantee a high level of security. Our infrastructure and tools are based on industry-leading ecosystems.

Infrastructure
Code Management
Monitoring

Frequently Asked Questions

Quick answers to common questions about our security standards and data handling.

Do you have a SOC 2 certification?

We currently hold an ISO 27001 certification. A SOC 2 attestation (an auditor's report under the AICPA framework, not a certificate) is planned/in progress to confirm our controls.

Where is my data stored?

By default, we use data centers located in the EU. On request, we can adjust the hosting location to specific legal or business requirements.

Do you offer signing a DPA or NDA?

Yes, we provide standard NDA and DPA templates, which are an integral part of our onboarding and contracting process.

Do you support projects for the pharmaceutical industry?

Yes. We have experience implementing systems compliant with 21 CFR Part 11 and EU Annex 11, including full validation documentation (IQ/OQ/PQ) and immutable audit trails.

How long do you keep my data after a project ends?

Project data is deleted or returned to the client within 30 days after the end of the engagement, unless the contract states otherwise. Security logs are stored for at least 12 months.

Still have questions?

Our experts are here to help you with technical or legal inquiries.

Security & Privacy
security@altimi.com
Legal & Contracts
legal@altimi.com