Security · Trust · Compliance

How we handle your code, your data, and your risk

Written so a procurement team can read it in two minutes — and so an engineering team can trust it.

At a glance

  • Code ownership: 100% yours, day one
  • PCI experience: shipped inside PCI-scoped infra
  • GDPR posture: EU-region hosting available
  • NDAs: signed on request, mutual
  • Engagement model: monthly billing, no lock-in
  • Hosting: your AWS / your tenant, by default

Code ownership

You own 100% of the source code we write for you, from the first commit. We push to your repository (GitHub, GitLab, or your self-hosted instance) — not ours. There is no “NEROOM edition” of your software you can be cut off from. If our engagement ends tomorrow, your team picks up the codebase and continues.

Licensing is explicit and permissive: the work-for-hire agreement transfers full IP to your company. We keep no usage rights, no derivative rights, and no shared infrastructure that would prevent you from walking away.

PCI experience — what we claim, and what we don't

What we claim: NEROOM engineers have shipped production work inside PCI-DSS-scoped environments — payment-card data handling, scoped network segmentation, audited deploy pipelines, key management practices that survive a QSA audit. We know what a PCI scope looks like in practice and how to keep it tight.

What we don't claim: NEROOM, LLC is not itself a PCI-certified service provider. Compliance certificates are scoped to the entity that processes or stores card data — usually your payment processor (Stripe, Adyen, etc.) and your own production environment. What we bring is the engineering practice to keep your scope small and your audit clean.

For e-commerce work, this typically means: keeping card data off your servers entirely (tokenized via the processor), proper segmentation between PCI-scoped and non-scoped systems, encryption-at-rest and in-transit by default, audit logging, and deploy pipelines that won't accidentally drag a sensitive service out of scope.

Data handling & GDPR

By default we deploy into your cloud account (your AWS, your GCP, your Azure) rather than ours. Your data sits in your tenant. Your IAM controls. Your audit trail. We get scoped, time-limited access to do the work and nothing more.

For EU customers: hosting region selection (eu-west / eu-central) is a first-class concern, not an afterthought. We design data flows so personal data does not leave the regions you specify. Data subject rights (access, deletion, export) get baked into the data model from the start — not bolted on after a complaint.

Access, secrets, and the boring-but-critical stuff

  • Least-privilege access — engineers get the smallest scope of access needed for their slice of work, time-limited, revoked at offboarding.
  • Secrets never in source — we use AWS Secrets Manager / SSM Parameter Store / Vault, not .env files committed by accident.
  • MFA everywhere — on our side and required of any account that touches your infrastructure.
  • Encryption — at rest (KMS / cloud-native), in transit (TLS 1.2+), enforced via infra-as-code rather than human discipline.
  • Audit logging — CloudTrail / equivalent on by default, retained for at least 90 days, more on request.

NDAs & commercial terms

We sign mutual NDAs on request — before discovery, not after. Bring your own template or use ours. For sensitive engagements we will route discovery conversations through encrypted channels and avoid recording calls.

Commercial terms favor walking away cleanly: monthly billing, no long-term lock-in, no early-termination penalty. The strongest reason to keep working with us is that the work keeps paying off — not a contract clause.

Procurement & security review

Happy to fill out vendor security questionnaires (CAIQ, SIG-Lite, custom). We respond within two business days. If you need a security review call before discovery, we will set one up. Bring the engineer who is going to push back on us; that is the conversation we want.