
Security Practices & Transparency

Published: May 9, 2026  ·  Last Updated: May 9, 2026
Operator: Banjico, Fort Wayne, Indiana
Contact: lake@banjico.com
This page exists because we think you deserve a plain-English explanation of how we build, what tools run against your systems, and what protections are in place when you bring us into your infrastructure. We do not hide our tools, our methods, or our limitations.

1. AI-Assisted Development

What It Means

Banjico uses AI-assisted development tools — including LLM-based code generation and review tools — as part of our engineering workflow. This accelerates development and improves code quality through automated review and pattern analysis.

What It Does NOT Mean

  • AI does not replace engineering judgment. Every line of AI-generated code is reviewed, tested, and validated by Banjico before delivery.
  • AI tools do not have access to your production environment, customer data, payment systems, or any live data your business processes.
  • AI tools are not used to analyze your customers' personal information.
  • We do not use AI tools that train on submitted client code. Where a tool's data retention policy permits training on inputs, that tool is excluded from client project work.

AI assistance in development is no different from an engineer using automated linting or a code review tool. The output is quality-controlled and delivered as our work product. If the code is bad, that's on us — not the tool.

2. Automated Security Scanning — Aikido Security

What Is Aikido?

Aikido Security is a third-party automated application security platform Banjico uses to identify vulnerabilities in code and infrastructure before delivery.

What Aikido Scans

Scan Type | What It Does
SAST | Analyzes source code for security vulnerabilities — SQL injection, XSS, auth flaws, insecure dependencies
SCA | Scans third-party libraries and dependencies for known CVEs
Container Scanning | Scans Docker images and container configurations for vulnerabilities
IaC Security | Reviews infrastructure-as-code files for misconfigurations
Secret Detection | Detects accidentally committed API keys, credentials, and tokens

What Aikido Accesses

  • Source code repositories within the agreed project scope
  • Infrastructure configuration files where applicable

What Aikido Does NOT Access

  • Live production databases
  • Customer or end-user personal data
  • Payment card data or Protected Health Information
  • Any system outside the agreed project scope

Aikido Security maintains SOC 2 Type II compliance. Their security documentation is available at aikido.dev/security. Banjico uses Aikido under contractual terms that restrict their use of scan data to analysis and reporting only.

3. Development Environment Isolation

Project Isolation

Each client project is maintained in its own isolated development environment. We do not co-mingle client codebases, credentials, or infrastructure access.

Credential Management

Access credentials you provide are stored in a dedicated, access-controlled password management system — never in plaintext documents, emails, or code repositories. They are accessible only to Banjico personnel working on your project and are revoked and deleted within 7 days of project close.

Network Access

When direct server or network access is required, Banjico uses encrypted connections (SSH, VPN, TLS). We do not access your systems from unmanaged or public networks.

4. Source Code Handling

During development, your source code is maintained in version-controlled repositories accessible only to Banjico personnel on your project. At project close, the complete source code is delivered to you and Banjico removes its own access. We do not retain copies after project close unless you have an active maintenance agreement.

5. Penetration Testing Process

Written Authorization First

We do not begin any active security testing without a signed authorization document specifying: systems in scope, systems out of scope, testing window, permitted methods, and the designated client point of contact.

Reporting

All findings are delivered in a written report including: executive summary, technical findings with CVSS-based severity ratings (Critical / High / Medium / Low / Informational), reproduction steps, and remediation recommendations. Findings are confidential to the client.

6. Post-Engagement Data Handling

Within 7 business days of any engagement close:

Item | Action
Hosting & server credentials | Revoked and deleted
Database access credentials | Revoked and deleted
API keys and tokens | Revoked and deleted
SSH keys and VPN access | Removed
Source code (standard projects) | Delivered to client; Banjico copy deleted
Security assessment findings | Retained confidentially for 2 years; not shared

You may request written confirmation of credential revocation and data deletion after any engagement closes.

7. Responsible Disclosure

If Banjico discovers a security vulnerability outside the agreed scope during an engagement, we will notify you immediately, document the finding, and provide initial remediation guidance — without exploiting or further probing the issue. We do not use incidental findings as leverage for additional fees.

For third-party product vulnerabilities discovered during client work, we follow coordinated responsible disclosure: notifying the vendor with a reasonable remediation window before any public disclosure.

8. What Banjico Does NOT Do

  • Store your customers' personal data on Banjico-controlled systems
  • Access systems outside the agreed scope, regardless of technical opportunity
  • Retain source code after project close without a continuing maintenance agreement
  • Share client findings with any third party without written authorization
  • Use client code to train AI models
  • Perform security testing without a signed written authorization

9. Your Rights During an Engagement

  • Request a full accounting of what Banjico has accessed at any time
  • Request immediate revocation of any specific credential or access token
  • Request a copy of findings, reports, or work product at any stage
  • Request confirmation of data deletion within 7 days of project close
  • Terminate the engagement at any time per your project agreement

Questions or Data Requests

Banjico · Fort Wayne, Indiana

Email: lake@banjico.com

Phone: (260) 255-6668

Use subject line "Data Audit Request" or "Deletion Request." We respond within 5 business days.
