Confidentiality & IP Protection
Our contractual commitments and operational practices for protecting what you share with us.
Non-Disclosure Agreements
Employee NDAs
Every Soal Labs team member signs a comprehensive NDA upon joining:
Scope:
- Covers all client information encountered during employment
- Survives termination of employment
- Includes non-solicitation provisions
- Covers both written and verbal disclosures
Enforcement: NDA violations are grounds for immediate termination and potential legal action.
Client-Specific NDAs
In addition to employee NDAs, we execute project-specific NDAs with clients:
- Signed before any confidential information is shared
- Customizable terms based on client requirements
- Can include mutual or one-way confidentiality
- Covers all team members assigned to the engagement
We’re flexible on NDA terms.
Code and Work Product
No Code Reuse Policy
We do not reuse code across client engagements.
This means:
- Code written for Client A is never used for Client B
- No “starter templates” derived from previous client work
- No copying of architectures, schemas, or configurations
- Each engagement starts fresh
Why this matters: Your competitive advantage stays yours.
Work Product Ownership
Standard engagement terms specify:
- All code and deliverables are client property
- Work product assigned to client upon creation
- We retain no rights to use, modify, or distribute
- Source code and documentation transferred at engagement end
IP terms can be negotiated per engagement.
Repository Practices
For code-based engagements:
- Code lives in client-controlled repositories when possible
- If we host repositories, they’re isolated per client
- No cross-client repository access
- Repository access revoked immediately at engagement end
- We don’t fork or copy client repositories
Information Handling
Classification
We treat all client information as confidential by default:
| Type | Handling |
|---|---|
| Source code | Encrypted storage, access-controlled, no copies outside designated systems |
| Business documents | Encrypted, need-to-know access within assigned squad |
| Credentials/secrets | Vault storage, never in code or documents, rotated at engagement end |
| Personal data (if applicable) | Handled per data protection requirements, minimized where possible |
Data Minimization
We operate on a “minimum necessary” principle:
- Request only access needed for the engagement
- Don’t retain data beyond project needs
- Delete or return data at engagement conclusion
- Don’t aggregate data across clients
Secure Deletion
At engagement end:
- All client data deleted from our systems
- Confirmation of deletion provided upon request
- Repository access revoked
- Credentials rotated or revoked
- Devices wiped (if client-provided) or client data removed (if Soal-provided)
Communication Security
What We Don’t Discuss
Team members are trained never to disclose:
- Client names without permission
- Project details to anyone outside the assigned squad
- Technical implementations, architectures, or approaches
- Business information learned during engagement
- That a client relationship even exists (unless public)
External Communications
- No client information in public channels (social media, blogs, etc.)
- Case studies or references require explicit client approval
- Speaking engagements don’t reference client-specific work
Subcontractors
If subcontractors are needed (disclosed and approved):
- Same NDA requirements as employees
- Same access restrictions and controls
- Background checks where applicable
- Client approval required before engagement
Audit & Verification
We can demonstrate compliance with confidentiality commitments:
- NDA records available for review
- Access logs showing who accessed what
- Repository activity logs
- Deletion confirmations
- Training records showing confidentiality education
Personnel Security
Background Checks
We conduct background checks on all team members as part of the hiring process and on a recurring basis thereafter:
- Background checks are completed prior to granting access to client systems
- Checks are repeated annually
- Scope is appropriate to role and access level
- Any material issues result in access denial or removal
Background checks are also required for any approved subcontractors prior to engagement.