Trust center
Operational trust center

Security and delivery trust for critical software

CUB3 helps teams recover, build, and accelerate software when reliability matters. This page summarizes how we approach data protection, access control, infrastructure, AI usage, and compliance across client engagements.

Company
  • Andorra-based engineering partner
  • Founder-led delivery
Scope
  • Project Recovery
  • Venture Lab
  • Dev Velocity
Contact
  • contact@cub3.eu
  • Documents available on request

How CUB3 builds trust

Our trust model is pragmatic: clear scope, senior ownership, controlled access, documented decisions, and no certification claim unless evidence is available.

Founder-led ownership

Active

CUB3 engagements are led by senior engineers who stay close to architecture, delivery risk, and client communication.

Project separation

Active

Client work is scoped by engagement, with separated repositories, environments, credentials, and delivery documentation where applicable.

Secure delivery habits

Active

We favor code review, environment isolation, dependency hygiene, and CI/CD guardrails to make delivery predictable.

Data minimization

Active

We request the minimum production data needed for the mission and prefer anonymized or lower-environment datasets when they are sufficient.

AI usage governance

Scoped

AI-assisted work is scoped by project constraints, reviewed by engineers, and handled with client confidentiality in mind.

Evidence on request

On request

Security questionnaires, architecture notes, and contractual documents can be shared during procurement or an active engagement.

Data protection

CUB3 handles client information according to the mission scope, the data classes involved, and the contractual requirements agreed with the client.

CLASSIFY

Data classification before access

We clarify what data is needed, whether production access is necessary, and which records should be anonymized, masked, or excluded.

ENCRYPT

Encrypted transport and secure storage

Public web traffic is served over HTTPS. Client environments use transport encryption and platform-appropriate storage protections based on the selected infrastructure.

RETAIN

Retention by project agreement

Client materials are retained only as long as needed for delivery, support, legal, or contractual purposes, then removed or handed back according to the engagement.

REVIEW

Human review for sensitive work

Security-sensitive changes, recovery operations, and AI-assisted outputs are reviewed by senior engineers before being delivered or deployed.

Infrastructure and delivery

CUB3 adapts architecture to the business context instead of forcing a single stack. The public website and client delivery practices are designed around reliability and maintainability.

Public website hosting

  • Next.js application deployed through the production AWS stack
  • CloudFront in front of the Elastic Beanstalk origin
  • Route53-managed domain records for cub3.eu and trust.cub3.eu

Client environments

  • Cloud or client-controlled infrastructure depending on the engagement
  • EU or local hosting preferences considered when data sensitivity requires it
  • Environment separation for development, staging, and production when available

Delivery pipeline

  • Source control and pull request review as the default collaboration model
  • CI/CD guardrails for tests, builds, and deployments where the project supports them
  • Secrets kept out of source code and stored in approved secret stores

Operational visibility

  • Logging, metrics, and alerting adapted to the criticality of the product
  • Incident notes and runbooks for recovery missions
  • Technical handover documentation before ownership transfer

Access control

Access is treated as a delivery dependency: it must be sufficient to solve the problem, limited to the mission, and removable at the end.

Authentication

  • Named user access preferred over shared accounts
  • Multi-factor authentication enabled where supported by the client platform
  • Temporary access reviewed during onboarding and offboarding

Authorization

  • Least-privilege permissions aligned with the mission scope
  • Production access avoided unless it is necessary and approved
  • Administrative access separated from day-to-day delivery access

Secrets

  • Credentials never committed to source control
  • Environment variables and managed secret stores used where available
  • Key rotation requested after sensitive recovery or handover work when appropriate

AI governance

CUB3 uses AI pragmatically, but not as a substitute for engineering accountability. Client constraints define what can be processed and where.

Client data in AI tools

Scoped

Client data is only used with AI/model providers when the scope, data class, and provider terms are compatible with the engagement.

Human-in-the-loop review

Active

AI-assisted code, analysis, documentation, and architecture proposals remain reviewed by CUB3 engineers before delivery.

Prompt minimization

Active

Sensitive identifiers, credentials, raw personal data, and unnecessary production details are excluded from prompts where possible.

Provider selection

Project-defined

Tooling is selected by project needs, data sensitivity, client constraints, and contractual commitments.

Traceable decisions

Active

Material architecture and data-flow assumptions are recorded in project documentation or handover notes.

Compliance posture

CUB3 separates active frameworks, work in progress, planned programs, and evidence available on request.

GDPR

Active

Active framework for the website and engagements: public privacy policy, data minimization, rights requests, and data processing terms by project.

NIS2

In progress

NIS2 is not a certification. CUB3 monitors the relevant requirements and structures security alignment for the engagements concerned.

ISO 9001

In progress

Quality management work in progress: process formalization, delivery traceability, reviews, and continuous improvement.

ISO 27001

Planned

Planned: ISMS formalization, security policies, risk assessment, access control, and audit evidence.

Data processing terms

On request

Project-specific data processing terms can be agreed when CUB3 processes client personal data.

Security questionnaire

On request

Procurement and vendor security questionnaires can be answered during a qualified sales or client process.

Architecture evidence

Project-defined

Architecture diagrams, data-flow notes, and operational runbooks are produced when they are relevant to the engagement.

Incident response

For recovery and critical delivery work, incident response is handled with direct communication, scoped containment, and documented remediation.

01 Detect

Identify the signal, confirm impact, and separate symptoms from root causes.

02 Contain

Reduce blast radius, protect data, and stabilize the service before broader changes.

03 Notify

Escalate to the right client stakeholders with clear facts, risks, and decisions needed.

04 Remediate

Ship the fix, document the root cause, and add safeguards that prevent recurrence.

Documents

Public documents are linked directly. Security-sensitive or client-specific documents are shared after qualification.

Privacy policy

Public policy for personal data collected through the CUB3 website.

Public

Conditions of use

Rules governing access to and use of the public website.

Public

Terms of service

Commercial terms for CUB3 services.

Public

Data Processing Agreement

Project-specific data processing terms for engagements involving personal data.

On request

Security questionnaire

Vendor security answers for procurement or client due diligence.

On request

Architecture and handover notes

Project-level diagrams, runbooks, and delivery evidence when included in the engagement.

Project-defined

FAQ

Short answers to the security and governance questions we expect during procurement and project scoping.

Does CUB3 host client production systems?

It depends on the engagement. CUB3 can work on client-controlled environments, cloud platforms, or dedicated infrastructure selected for the project. The hosting model is agreed during scoping.

Can CUB3 sign a DPA or security addendum?

Yes, when the project requires CUB3 to process personal data or meet specific vendor requirements, the relevant documents can be reviewed during the contracting process.

Does CUB3 use client data with AI tools?

Only when the engagement scope, data classification, provider terms, and client constraints allow it. We minimize sensitive data and keep human review in the loop.

How does CUB3 handle access at the end of a mission?

Offboarding includes handover of documentation, revocation or transfer of credentials, and recommendations for key rotation when sensitive access was involved.

Where can I send a security question?

Send security or procurement questions to contact@cub3.eu with the project context and the documents you need.

Need security details for procurement?

Send the project context, the document you need, and the expected timeline. We will answer with the right level of evidence for the engagement.