Your code. Your data. Our posture.

Every line of code shipped on a PowerDev engagement runs through paid API keys on Anthropic, OpenAI, and Google's developer APIs. Under each provider's API terms, customer inputs sent through the API are not used to train future models. That's the contractual guarantee that covers your code, your data, and your prompts:

• Anthropic API — per Anthropic's Commercial Terms, API inputs and outputs are not used to train Claude models.
• OpenAI API — per OpenAI's API data usage policy, data submitted via the API is not used to train OpenAI models by default.
• Google AI API (paid tier) — per Google's generative AI data policies, paid-tier API prompts and responses are not used to train Google models or accessed by humans for model improvement.

Each engagement uses its own keys; we rotate them per environment. Code review, builds, deploys, and the autonomous workflows all flow through these API paths — never through a chat UI.

Honest disclosure: for non-engagement work (research reading, ideation, documentation drafting that doesn't touch your code or your data) we sometimes use the consumer Max-tier subscriptions of these labs. Those plans have different terms — they may use prompt content for service improvement under the consumer policies. We don't put your code, your data, or your secrets through those surfaces. If your engagement requires we restrict to API-only across the board, say so on the first call and we'll write that into the engagement.

We don't have enterprise-tier contracts with the labs yet. As we sign more compliance-driven engagements, that's the natural next step — and we'll pass the additional protections through.

Per-engagement infrastructure, in your tenant or ours by mutual agreement. We don't have a shared cloud account everyone gets pooled into.

Defaults we use:

• Cloud: Azure (US regions) for ERP / EDI / enterprise integration work; Vercel + Supabase (US regions) for web work; whatever the engagement requires for AOS deployments.
• Team: 100% US-based. Atlanta, Georgia. No offshore handoffs.
• Model API endpoints: US regions on all three lab providers.
• Data flow: code and data move only between systems we've explicitly approved per engagement. New egress destinations require approval before they're added.

If your industry or jurisdiction requires data to stay in a specific region or tenant, that's part of the engagement scope on day one.

Secrets never live in code, never live in env files committed to git, never live in chat history.

• 1Password Business via service-account access for the workspace credential store.
• Per-environment Azure Key Vault on engagements that use Azure (RBAC-managed, accessed via Managed Identity, not access keys). Function apps consume secrets via @Microsoft.KeyVault references, not raw env values.
• Doppler-managed secrets on engagements that use Vercel + Supabase, synced per environment (dev / staging / prod).
• Sensitive partner-facing secrets (function host keys, OAuth client secrets, M2M tokens) are regenerated from the source of truth (Azure / Auth0 / 1Password) on demand. They're never copied into committed documentation, and they're scrubbed from any handoff packets.
• Backups of secret material live in encrypted vaults with the same access posture as the live secrets.

This isn't a theoretical posture. Read the case studies — every shipped engagement uses this approach.

Every change is reviewed before merge. Cross-model adversarial review on the engineering work — one model writes, another reviews, blind spots cancel out. The five-agent PR gate (security review, QA, DevOps, docs, paired senior dev review) runs on every change in the autonomous pipeline.

Production-touching agents log every action they take. The sales-quote agent logs the input and the generated quote. The autonomous bug-fix pipeline logs every model decision and writes the postmortem to Confluence with the regression test that prevents recurrence. The knowledge graph captures every fix as a permanent learning so we don't ship the same bug twice.

If you need an audit trail of what the agents did during an engagement, it exists by design.

We're a small company. The list below is what we do NOT have, stated honestly so you don't waste a call on it:

• Not SOC 2 certified. Engineering posture is enterprise-grade, the audit isn't done. If your procurement requires a SOC 2 report, that's a real conversation, not a checkbox we'll claim.
• Not HIPAA-certified. We've shipped systems for regulated environments, but if PHI handling is core to your workload, scope and BAAs need to be discussed.
• Not ISO 27001 certified.
• Not FedRAMP authorized.
• Not on enterprise-tier contracts with the LLM labs yet — we run on paid API plans (no-training guarantees apply) and consumer Max plans for non-engagement work. Enterprise lab contracts are the natural next step as compliance-driven engagements come in.
• Not a managed-cloud provider — we build software, we don't run a hosted SaaS platform.

If any of these are hard requirements for your buyer, tell us before we sign anything. We'll either scope around them, partner with someone who has them, or be honest that we're not the right fit.