The DPA + Mutual NDA Stack: What Real Data Security with a Remote Team Looks Like

April 30, 2026  ·  10 min read

"How do I know my data is safe?" is the question every owner asks before engaging a remote team — and the answer they usually get is a soothing reassurance instead of a specific list of controls. That's a problem, because "we take security seriously" is not a control. It's a slogan.

Real data security with a remote workforce is a stack. It's a layered combination of legal agreements, technical controls, and operational practices. Each layer addresses a specific failure mode. If any layer is missing, the others can't compensate.

This article walks through every layer of the stack AYKEE uses on real engagements — what each one does, why it matters, and what its absence would actually expose. We publish it because clients deserve to know what they're paying for.

The Two Failure Modes Security Has to Address

Strip away the jargon and there are only two ways your data gets compromised in a remote engagement:

  1. Unauthorized disclosure. Information leaves the engagement when it shouldn't — copied, shared, screenshotted, retained after termination, or accessed by someone not assigned to your account.
  2. Unauthorized access or modification. Someone reaches into your systems and reads, changes, or destroys data they had no business touching.

Every control in the stack maps to one of those two failure modes. If a vendor can't tell you which control addresses which failure mode, they don't have a security program — they have marketing copy.

Layer 1: The Legal Foundation

Without a legal foundation, every other control is voluntary. Legal documents create the consequences that make technical controls enforceable.

Mutual Non-Disclosure Agreement [Legal]

Signed before any kickoff call where confidential information might be discussed — usually before the first scoping meeting. Covers both directions: AYKEE's confidential information and the client's. The Mutual NDA defines what is confidential, how long obligations last after the engagement ends (typically 3–5 years for trade information; indefinite for trade secrets), and what remedies apply for breach.

What its absence would expose: No legal recourse if confidential information is disclosed. Verbal commitments aren't enforceable. Casual remarks during scoping calls have no protection.

Data Processing Agreement (DPA) [Legal]

Signed before any access to systems containing client data. The DPA goes well beyond the NDA — it specifies how data is processed, where it can be stored (typically: nowhere outside client systems), retention periods, deletion procedures at termination, sub-processor restrictions, breach notification timelines, and audit rights.

Critical clauses in the AYKEE DPA include:

  • No local copies of client data on personal devices
  • No personal cloud storage (personal Gmail, Dropbox, etc.) for any client artifact
  • Breach notification within 24 hours of detection
  • Right to revoke access immediately at any time, for any reason, with no penalty
  • Data deletion confirmation upon engagement termination

What its absence would expose: No defined obligations on how data is handled day-to-day. No notification requirements if something goes wrong. No deletion guarantee at the end of the engagement.

Acceptable Use Policy and Confidentiality Acknowledgement [Legal]

Signed by every individual remote professional — not just AYKEE as a company. This makes the obligations personal to the person actually doing the work, not just contractual between two business entities. It explicitly prohibits screen recording, photography of monitors, sharing of credentials, and use of personal accounts for client work.

What its absence would expose: Obligations that only bind the company, not the individual. A professional could leave the firm with no personal liability for what they did during the engagement.

Layer 2: Access Architecture

Legal documents create the rules. Access architecture creates the boundaries that make those rules technically enforceable.

Role-Based Access Control (RBAC) [Technical]

Each remote professional is provisioned with the minimum access required for their assigned role. An AP/AR specialist gets access to accounts payable and receivable modules — not payroll. A staff accountant gets the GL but not banking. A construction accounting professional gets the job costing system but not customer master data they don't need.

This is enforced inside your systems using your permissions — not by trusting the professional to "stay in their lane."

What its absence would expose: One credential with full access to everything. A single compromised account becomes a full-system breach instead of a contained one.

Multi-Factor Authentication (MFA) — Required, No Exceptions [Technical]

Every login to every client system goes through MFA. Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) — not SMS, which is vulnerable to SIM-swap attacks. If a client system doesn't support MFA natively, access is brokered through a service that does (e.g., a password manager with MFA gating, or an SSO provider).

What its absence would expose: A single phished or leaked password becomes full access. Industry breach data consistently shows that 80%+ of breaches involve stolen credentials, and MFA defeats the overwhelming majority of those attacks.

Dedicated Credentials, Never Shared [Technical]

Every professional has their own login. Credentials are never shared, never written down, and never re-used between professionals. This is enforced through a password manager (1Password, Bitwarden, or the client's preferred solution) with audit logging.

When an engagement ends, that specific account is deprovisioned within one business day — without disrupting any other access.

What its absence would expose: No accountability. If two people share a login, audit logs can't tell you who actually did what. Termination becomes a fire drill of "which systems still have the old password."

VPN or Conditional Access for Sensitive Systems [Technical]

For systems holding regulated data (PII, PHI, financial account data) or for clients in regulated industries, access is restricted to whitelisted IPs through a VPN or conditional access policy. The professional connects from a known, controlled network endpoint — not "any internet connection from anywhere."

What its absence would expose: System access from any device, any network, anywhere in the world — with no way to detect or block compromised endpoints.

Layer 3: Data Handling Discipline

Even with perfect access controls, data security still depends on what happens once a professional is logged in. This is where most security programs quietly break down.

Work Stays in Your Environment [Operational]

The single most important rule: client data does not leave the client environment. Documents are reviewed inside your document management system. Spreadsheets are edited inside your cloud tenant. Reports are generated inside your reporting tool. Nothing is downloaded to the professional's local machine, ever, unless an explicit, time-limited exception has been authorized in writing by the client.

This is enforced by SOPs, by access design (cloud-first tools), and by audit. It's the operational discipline that makes the legal and technical controls actually mean something.

What its absence would expose: A growing pool of client data scattered across personal devices that AYKEE doesn't control and the client can't audit. Even with perfect intent, this is how breaches happen.

No Personal Accounts for Client Work [Operational]

Client work never touches a personal Gmail, personal Dropbox, personal WhatsApp, or any other personal account. Communication channels are explicitly defined per engagement: client-tenant Slack, client-tenant Teams, or client portal messaging. If something doesn't fit those channels, it gets escalated through the operations manager — not routed around the rules.

What its absence would expose: Client data flowing through accounts AYKEE has no visibility into and the client has no recourse against.

Encrypted Transport for Everything [Technical]

Every connection is HTTPS or equivalent encrypted transport. Email containing sensitive data uses TLS-enforced channels (or end-to-end encryption where the client requires it). File transfers use SFTP, HTTPS file portals, or encrypted document management — never plain FTP, never personal cloud share links.

What its absence would expose: Anyone on a network path between the professional and the client system could intercept data in flight. Public Wi-Fi becomes a free wiretap.

Layer 4: Audit and Detection

Prevention isn't perfect. The next layer is making sure that if something goes wrong, you know — quickly, specifically, and with enough information to respond.

Audit Logging at the System Level [Technical]

Audit logging happens inside your systems — QuickBooks, NetSuite, IFS, your portal, your CRM — under each professional's individual login. Every access, every transaction, every report run is attributed to a specific person at a specific time. This is the same logging your in-house staff is subject to.

What its absence would expose: No way to investigate after an incident. No way to confirm scope of access. No way to demonstrate compliance to your own auditors.

Operations Manager Review of Anomalies [Operational]

The U.S.-based operations manager performs periodic reviews of access patterns, time-on-system, and deliverable cadence. Anomalies — a login at 3 AM local, a sudden volume spike, a deliverable that doesn't match the SOP — surface as questions to the professional within days, not months.

What its absence would expose: Subtle drift goes unnoticed until it becomes a real problem. The "first sign of trouble" arrives months later, after damage is done.
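
The two anomaly types named above (a login at 3 AM local and a sudden volume spike) can be checked mechanically against an exported audit log. The following is an added example, not AYKEE's tooling or code from this article; the log format, account name, UTC offset, working window, and spike threshold are all assumptions made for illustration.

```python
"""Audit-log review sketch: off-hours logins and per-user volume spikes."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample export: UTC timestamp, user, action, rows touched.
SAMPLE_LOG = """\
2026-04-13T01:02:00+00:00,ap.specialist,login,0
2026-04-13T03:10:00+00:00,ap.specialist,report_run,120
2026-04-14T01:05:00+00:00,ap.specialist,login,0
2026-04-14T02:40:00+00:00,ap.specialist,report_run,140
2026-04-15T01:01:00+00:00,ap.specialist,login,0
2026-04-15T04:00:00+00:00,ap.specialist,report_run,110
2026-04-15T19:07:00+00:00,ap.specialist,login,0
2026-04-15T19:15:00+00:00,ap.specialist,report_run,2400
"""

# Assumptions: each account's UTC offset and agreed working window (local hours).
UTC_OFFSET_HOURS = {"ap.specialist": 8}
WORK_HOURS = range(7, 20)
SPIKE_FACTOR = 5  # flag a day above 5x the median of the user's earlier days


def parse(log_text):
    for line in log_text.strip().splitlines():
        ts, user, action, rows = line.split(",")
        tz = timezone(timedelta(hours=UTC_OFFSET_HOURS.get(user, 0)))
        yield datetime.fromisoformat(ts).astimezone(tz), user, action, int(rows)


def review(log_text):
    findings, daily = [], defaultdict(lambda: defaultdict(int))
    for local, user, action, rows in parse(log_text):
        if action == "login" and local.hour not in WORK_HOURS:
            findings.append(("off_hours_login", user, local.isoformat()))
        daily[user][local.date()] += rows
    for user, days in daily.items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            history = [t for _, t in ordered[:i]]
            if len(history) >= 2 and total > SPIKE_FACTOR * median(history):
                findings.append(("volume_spike", user, day.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Because every event is attributed to an individual login, each finding names one account and one local timestamp or date, which is what turns an anomaly into a specific question for a specific professional.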

Layer 5: Incident Response

Even strong stacks have failures. The final layer is what happens when something does go wrong.

Defined Breach Notification SLA [Legal]

The DPA commits AYKEE to notifying the client within 24 hours of any confirmed or reasonably suspected security incident affecting their data. The notification includes what was affected, what is known about scope, what immediate containment has been performed, and what's still being investigated. The clock starts when AYKEE detects the issue, not when investigation completes.

What its absence would expose: The client finds out from a third party — or worse, from a regulator. Containment time is the difference between an incident and a breach.

Immediate Access Revocation Authority [Operational]

The client retains the right to revoke any AYKEE professional's access immediately, for any reason, with no notice required and no contractual penalty. The DPA explicitly preserves this right.

What its absence would expose: A scenario where the client suspects an issue but has to negotiate with the vendor before access is removed. That delay is exactly when damage compounds.

Termination Deletion Confirmation [Legal]

At engagement end, AYKEE provides written confirmation that all client data — to the extent any was permitted to leave the client environment for legitimate reasons — has been deleted from AYKEE systems and the professional's working environment. This is a documented, auditable event.

What its absence would expose: A long tail of client data sitting in places nobody is tracking, indefinitely.

What This Looks Like End-to-End

Stitching the stack together, here's the chronological reality of how a single professional joins, works, and exits a client engagement:

| Stage | Active Controls |
|---|---|
| Initial scoping | Mutual NDA signed before any specifics discussed |
| Engagement letter | DPA executed; Acceptable Use Policy signed by individual professional |
| System provisioning | RBAC + MFA + dedicated credentials + VPN where required |
| Daily work | Work stays in client environment; encrypted transport; no personal accounts |
| Ongoing oversight | System audit logs + operations manager anomaly review |
| Incident (if any) | 24-hour notification; client revocation authority preserved |
| Engagement end | Same-day deprovisioning + written deletion confirmation |

Questions Worth Asking Any Remote Team Provider

Whether you engage AYKEE or someone else, here are the questions that separate marketing copy from real controls. If a provider can't answer all of them in writing, you're looking at a security narrative — not a security program.

  1. "Will you sign a Mutual NDA and a separate Data Processing Agreement before any system access?"
  2. "Does each individual professional sign a personal confidentiality acknowledgement, or only the company?"
  3. "How is access scoped — by role, by individual, or by company?"
  4. "Is MFA required for every system, or optional?"
  5. "What is your written breach notification SLA?"
  6. "Can I revoke any individual's access immediately, with no penalty, for any reason?"
  7. "What confirmation do I receive that data is deleted at engagement end?"

None of those questions should require a follow-up email to answer. If they do, that's the answer.

The Bottom Line

Data security with a remote team is not a slogan, a logo, or a one-line claim about being "U.S.-managed." It's a stack — legal documents that create real obligations, technical controls that enforce them, operational discipline that holds the line day-to-day, and an incident response model that limits damage when something goes wrong.

AYKEE publishes the stack because the only honest way to earn trust on data is to be specific about what you do — and what you would expose if you didn't.
