Principles of Engagement

Last updated: 2025-01-15

Operate in law. Protect people. Preserve evidence. Deliver decision advantage. These principles set non-negotiable boundaries for every engagement.

1) Legal compliance

  • Activities remain within applicable law and the contracted scope.
  • No unauthorized access, intrusion, exploitation, or evasion of technical controls.
  • No unlawful social engineering or inducement to commit unlawful acts.
  • Sanctions & export controls apply to all work and counterparties (EU/UK/US at minimum).

2) Confidentiality & security

  • Every engagement is covered by a written agreement and NDA.
  • Communications use encrypted channels; access is role-based and logged.
  • Data handling follows SOC 2-aligned practices (not SOC 2 certified): encryption in transit/at rest, RBAC/least-privilege, logging/monitoring, vulnerability management, incident response.

3) Ethical guardrails

  • No coercion, intimidation, harassment, or human-rights violations.
  • No unlawful targeting of protected classes, journalists, or uninvolved civilians.
  • No misrepresentation to obtain privileged or protected data or to impersonate protected roles.
  • Deviant may decline or terminate work where misuse risk is unacceptable.

4) Client sovereignty

  • Client defines scope, priorities, and escalation paths in writing.
  • Deviant delivers assessments and decision protocols; client retains decision authority.
  • Material risk posture changes require written re-authorization before escalation.

5) Source handling & provenance

  • Every material claim carries provenance, timestamp, collection method, and confidence.
  • Time-decay is tracked; one-off anomalies do not overwrite the operational record.
  • Multi-source corroboration is required before promoting disputed claims.

6) Collection boundaries

  • Open-source, licensed, and client-provided information only, unless otherwise authorized by law and contract.
  • HUMINT requires voluntary participation and documented consent where applicable.
  • No acquisition or trade of illicit data; no botnets, malware, exploits.
  • Respect platform terms and local law for web collection. Geospatial and telemetry data must comply with licensing and local law.

7) Conflicts, anti-corruption, sanctions

  • Conflicts of interest are disclosed and managed; no acting for adverse parties on overlapping scopes.
  • Zero tolerance for bribery, kickbacks, or facilitation payments.
  • Counterparties are screened against EU/UK/US sanctions lists.

8) Incident response & escalation

  • Suspected legal/security incidents are contained and escalated to the client within agreed SLAs.
  • Chain-of-custody is preserved for evidentiary materials; actions are auditable.

9) Subcontractors & oversight

  • Subprocessors and partners are bound to equivalent contractual and security obligations.
  • Client is notified of material subcontractor changes; approval is obtained where contractually required.

10) Data residency, retention & deletion

  • Residency and transfer controls follow client requirements and law.
  • Data is minimized and retained only as necessary for the engagement and legal obligations.
  • Post-engagement deletion or return occurs per contract; deletion certificates available on request.

11) Automated tools

  • Automated analysis tools may be used under these controls.
  • Client data is not used to train tools or models without express written authorization.

12) Review cadence & precedence

  • These principles are reviewed at least annually or upon material legal change.
  • This page is policy. Where a contract or law conflicts, the contract or law controls.

Contact: legal@thedeviantgroup.com for questions about these principles.