Trust & Reliability

Altimi Trust Center

Security and reliability are at the core of everything we build. We protect your data and intellectual property with enterprise-grade standards.

Security

We employ a Secure SDLC model and rigorous access controls to protect your code and intellectual property.

Data

Processed in secure EU regions (AWS & Azure) with modern TLS/AES encryption at every stage of the journey.

Compliance

ISO 27001 certified operations, ensuring full alignment with international information security management standards.

Security & Compliance

Security at Altimi is a continuous process, not a one-off event. Our approach is based on proven engineering practices.

Least Privilege principle

Access to project resources is granted only to people directly involved in executing the task.

Secure Development & Code Review

Every line of code goes through peer review and automated vulnerability testing.

CI/CD automation

Secure deployment pipelines minimize human error and ensure environment consistency.

Testing and audits

We regularly perform internal security tests and work with external auditors to maintain ISO standards.

SOC 2 Status: Our processes are currently built on ISO 27001‑certified systems. In parallel, we are preparing for a SOC 2 audit to better meet market expectations.

Need more details?

security@altimi.com

Secure SDLC

Security is built into every phase of the process – it is not a separate step bolted on at the end of the project. Our approach is based on three well-established frameworks:

  • NIST SSDF (SP 800-218)
  • Microsoft SDL
  • OWASP ASVS
01 / REQUIREMENTS

Requirements

Defining security requirements according to OWASP ASVS Level 2; threat modeling for critical modules.

02 / DESIGN

Design

Secure-by-design, zero-trust model, and architecture reviews focused on threats (Microsoft SDL).

03 / IMPLEMENTATION

Implementation

Secure coding guidelines, mandatory peer code review, and SAST (static application security testing).

04 / TESTING

Testing

DAST in the CI/CD pipeline, penetration testing, and SCA for detecting vulnerable open-source dependencies.

05 / DEPLOYMENT

Deployment

Hardened CI/CD pipelines, SLSA supply chain integrity, and IaC (Infrastructure as Code) scanning.

06 / MAINTENANCE

Maintenance

PSIRT, Vulnerability Disclosure Policy (VDP), and SBOM generation for every release.

Vulnerability Disclosure (VDP)

Our PSIRT/VDP process provides a structured way to receive and handle vulnerability reports from security researchers and customers, with defined response SLAs.

Report Vulnerability: security@altimi.com

Infrastructure and Data

We ensure your data and applications are hosted in environments that meet the highest resilience standards.

Location

AWS or Azure in EU regions. Fully compliant with local regulations.

Encryption

Data encrypted in transit using TLS and at rest using AES.

Business Continuity

Regular backups and proven Disaster Recovery procedures.

High Availability

Architecture designed to eliminate single points of failure (SPOF).

Resilience Guarantee (SLA)

  Recovery Time Objective (RTO)    ≤ 6 hours
  Recovery Point Objective (RPO)   ≤ 2 hours
  Backup Frequency                 Every 1 hour
  DR Plan Tests                    At least once per year

Privacy and Data Protection (GDPR)

We respect your privacy and the privacy of your users. We operate in line with GDPR, keeping our processing activities transparent. In most engagements we act as a data processor, providing appropriate technical and organizational safeguards.

Data Lifecycle & Retention

Project Data

Deleted or returned to the client within 30 days after the end of the engagement (unless the contract states otherwise).

Security & Audit Logs

Stored for at least 12 months for compliance and incident detection purposes.

Test Environments

Staging and test systems do not contain production personal data – we use pseudonymization or synthetic data instead.

Data Subject Rights

We help our clients fulfil data subject rights under GDPR:

  • Right of access to data (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure / “right to be forgotten” (Art. 17 GDPR)
  • Right to data portability (Art. 20 GDPR)

Requests are handled within an agreed SLA via dedicated tools.

Documentation & Processes

Record of Processing Activities (ROPA)

We maintain documentation of all operations, enabling audits and meeting information obligations.

Data Processing Agreement (DPA)

Available as a standard part of our onboarding and contracting process.

Breach Notification

In case of a breach, we notify the client (data controller) within 24 hours.

Standards for Regulated Industries

We understand that many of our clients operate in tightly regulated environments. Altimi has experience in building and validating software in line with the requirements of the following sectors:

Pharma & Life Sciences (FDA 21 CFR Part 11)

We ensure full compliance with EU Annex 11 and FDA requirements for pharmaceutical, biotech, and medical clients.

  • System Validation (CSV/CSA): documented requirements and IQ/OQ/PQ evidence following CSV principles.
  • Electronic Signatures: signing mechanisms tied to a verified identity, designed to prevent tampering.
  • Audit Trail: immutable logs with timestamps, user identifiers, and a description of each change.
  • Data Integrity (ALCOA+): Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring and Available.
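As an added illustration of what an immutable, attributable audit trail can look like in practice (example code written for this page, not Altimi's own implementation): each entry commits to the SHA-256 hash of the previous entry, so a later edit or deletion anywhere in the history is detected by re-walking the chain. The field set (user, timestamp, record, old and new value, reason) and the sample batch-record changes are constructed assumptions.

```python
import hashlib
import json
from typing import Optional, Tuple

# Added example, not Altimi's own code. Hash-chained, append-only audit trail:
# every entry carries the previous entry's hash, so retroactive modification or
# removal of any entry breaks the chain. The field layout is an assumed minimal
# Part 11-style set (who, when, which record, old/new value, reason).

GENESIS = "0" * 64  # previous-hash value used by the first entry


def _digest(body: dict) -> str:
    """SHA-256 over canonical JSON so the hash does not depend on key order."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: list = []

    def append(self, user_id: str, timestamp: str, record_id: str,
               field: str, old, new, reason: str) -> str:
        """Append one change and return its hash (the new chain head)."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "timestamp": timestamp,   # contemporaneous
            "user_id": user_id,       # attributable
            "record_id": record_id,
            "field": field,
            "old": old,               # original value is kept, never overwritten
            "new": new,
            "reason": reason,
            "prev_hash": prev_hash,
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Current chain head; store this externally (e.g. with the release record)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain. Returns (True, None) or (False, index of first bad entry).
        An externally stored head hash is needed to detect truncation of the tail,
        which a chain walk alone cannot see."""
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i + 1
                    or entry["prev_hash"] != prev_hash
                    or _digest(body) != entry["hash"]):
                return False, i
            prev_hash = entry["hash"]
        if expected_head is not None and prev_hash != expected_head:
            return False, len(self.entries)
        return True, None


def build_demo() -> AuditTrail:
    """Constructed sample changes to one batch record (not real data)."""
    trail = AuditTrail()
    trail.append("jdoe", "2024-03-01T09:15:00Z", "BATCH-0042", "ph", 6.9, 7.1,
                 "Re-measured after probe calibration")
    trail.append("asmith", "2024-03-01T10:02:00Z", "BATCH-0042", "status",
                 "in-progress", "released", "QA approval")
    trail.append("jdoe", "2024-03-02T08:30:00Z", "BATCH-0042", "comment", "",
                 "Deviation DV-17 attached", "Documentation")
    return trail


def tampered_verify() -> Tuple[bool, Optional[int]]:
    """Silently rewrite an old value: the walk must point at that entry."""
    trail = build_demo()
    trail.entries[1]["new"] = "rejected"
    return trail.verify()


def deleted_verify() -> Tuple[bool, Optional[int]]:
    """Remove a middle entry: the following entry's prev_hash no longer matches."""
    trail = build_demo()
    del trail.entries[1]
    return trail.verify()


def truncated_verify():
    """Drop the newest entry: only the externally anchored head reveals it."""
    trail = build_demo()
    anchor = trail.head()
    trail.entries.pop()
    return trail.verify(), trail.verify(expected_head=anchor)


if __name__ == "__main__":
    print(build_demo().verify(), tampered_verify(), deleted_verify(), truncated_verify())
```

The design point worth noting is the last case: a hash chain proves that nothing inside it was altered, but it says nothing about entries removed from the end. That is why the head hash has to be anchored somewhere the application cannot rewrite (a release record, a write-once store, a signed timestamp); the same requirement applies to any "immutable" log claim a vendor makes.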

FinTech & Financial Services

We follow practices aligned with PCI DSS for payment data protection. Our processes meet the expectations of banking and insurance regulators in the US and EU markets.

Healthcare

Experienced in delivering systems compliant with HIPAA (US) and local medical data regulations. We focus on strict data minimization and tight access control.

Organizational Security

Employees & Subcontractors

  • Mandatory NDAs: Signed by all staff before accessing any client project data.
  • Security Awareness: Annual training and regular phishing simulations for all teams.
  • Device Security: Clean Desk Policy and mandatory full-disk encryption on all endpoints.
  • Background Checks: Conducted for employees with production environment access.

Incident Management

  Priority        Response      Escalation
  P1 – Critical   ≤ 1 hour      ≤ 4 hours
  P2 – High       ≤ 4 hours     ≤ 8 hours
  P3 – Medium     ≤ 24 hours    ≤ 48 hours

Patch Management: Critical security patches (CVSS ≥ 9.0) are applied within 24–72 hours.

Public Status Page

Real-time incident notifications and availability history.

Summary Reports

Security reports available to customers upon request.

Disclosure Policy

Publicly available Responsible Disclosure Policy.

Subprocessors

We work only with reputable technology providers that guarantee a high level of security. Our infrastructure and tools are based on industry-leading ecosystems.

  • Infrastructure: AWS, Azure, Google Cloud
  • Code Management: GitHub, GitLab
  • Monitoring: Datadog, Sentry, New Relic

Frequently Asked Questions

Quick answers to common questions about our security standards and data handling.

Do you have a SOC 2 report?
We currently hold an ISO 27001 certification. A SOC 2 audit (an attestation report under the AICPA framework, not a certification) is planned/in progress to confirm our controls.
Where is my data stored?
By default, we use data centers located in the EU. On request, we can adjust the hosting location to specific legal or business requirements.
How can I report a security incident?
Please send any reports about potential vulnerabilities or security incidents directly to security@altimi.com. Our team treats these reports as a priority.
Do you offer signing a DPA or NDA?
Yes, we provide standard NDA and DPA templates, which are an integral part of our onboarding and contracting process.
Do you support projects for the pharmaceutical industry?
Yes. We have experience implementing systems compliant with 21 CFR Part 11 and EU Annex 11, including full validation documentation (IQ/OQ/PQ) and immutable audit trails.
How long do you keep my data after a project ends?
Project data is deleted or returned to the client within 30 days after the end of the engagement, unless the contract states otherwise. Security logs are stored for at least 12 months.