Security & Trust

How we keep your code and data safe — written for the procurement team that will ask.

Last reviewed: June 2026

What we are NOT claiming

DevBox is not currently SOC 2 certified. As a focused engineering team, we operate under equivalent procedural controls — documented below. We believe stating this candidly is more credible than a vague badge.

Code security

  • Pull-request review on all production code. No direct commits to main. A senior engineer reviews every PR.
  • Code stored in private repositories (GitHub, GitLab, or Bitbucket per client preference).
  • Automated dependency vulnerability scanning in CI.
  • Automated secret scanning in CI.

Data handling

  • All client communication and data in transit is encrypted (TLS 1.2 or higher).
  • Client owns 100% of code delivered. Open-source dependencies are documented per project.
  • Client data is deleted within 30 days of engagement termination on request.
  • No subcontractors are engaged without prior written client approval.

Contracts

  • US-style MSAs and NDAs on request — templates available.
  • IP ownership is transferred to the client at delivery.

Reporting a security issue

Found a vulnerability or have a security concern? Email us at jorge@devbox.com.mx.

We commit to acknowledging security disclosures within 24 hours.

Working with US clients

Operational details (timezone, billing currency, communication language, named industries) are documented on our About page.

Ready to build your custom software?

Book a free discovery call. Tell us what software your business needs — we'll show you how DevBox builds it end-to-end.

We cap concurrent engagements at 4 so a senior architect reviews every line of code. Next available start: August 2026.

Free consultation. No commitment.
