Confidentiality & Discretion
Discretion is not a courtesy — it is an operational requirement. Every Intarmour engagement is conducted under strict confidentiality protocols designed to protect client interests at every stage.
Discretion as Standard Practice
Intarmour serves institutional clients — Private Equityfirms, Family Offices, sovereign entities, and corporate development teams — whose cybersecurity requirements are inherently sensitive. The existence of an engagement, its scope, its findings, and its recommendations are treated as confidential by default. We do not disclose that a client relationship exists unless the client expressly authorizes such disclosure.
This standard applies universally: from the first preliminary conversation through to post-engagement archival. Confidentiality obligations survive the conclusion of an engagement and remain in effect indefinitely unless released by the client in writing. Our advisory staff are contractually bound by confidentiality obligations that mirror and reinforce those in our client agreements.
Non-Disclosure Agreements
Mutual non-disclosure agreements are executed before any substantive information exchange. This is a mandatory prerequisite for all Intarmour engagements, not a formality. Our standard NDA establishes bidirectional obligations, ensuring both parties are equally protected.
The Intarmour standard NDA covers the following core terms: definition of confidential information encompassing all written, oral, and electronic disclosures; obligation of receiving party to protect confidential information using at least the same degree of care as its own confidential information; restriction on use of confidential information to the agreed purpose only; prohibition on disclosure to third parties without prior written consent; return or destruction of confidential materials upon request; and survival of obligations for a minimum of five years following disclosure, or indefinitely for trade secrets.
Clients may propose their own NDA templates. We review all proposed agreements for adequacy and reciprocity. Where client NDAs do not provide sufficient mutual protection, we recommend specific amendments. We accommodate jurisdictional requirements — NDAs may be governed by Italian, Swiss, English, or other applicable law as appropriate to the engagement.
Case Study Anonymization
Case studies and engagement summaries published by Intarmour for educational or illustrative purposes are subject to a rigorous anonymization methodology. No case study is published without explicit written authorization from the client.
Our anonymization process removes or abstracts the following identifying elements: client name, parent company, and affiliated entities; specific geographic locations beyond region-level references; exact transaction values, revenue figures, and employee counts (replaced with ranges); specific dates (replaced with relative timeframes); proprietary technology names and vendor identities; and any detail that could enable identification of the client through inference or cross-referencing with publicly available information.
Before publication, anonymized case studies are reviewed by the client for approval. The client retains the right to request additional abstraction, modifications, or withdrawal of the case study at any time. Published case studies are periodically reviewed to ensure that subsequent public disclosures or market developments have not compromised the anonymization.
Data Handling & Secure Communications
All client data — documents, findings, communications, and working files — is handled in accordance with information security standards proportionate to the sensitivity of the material. Data-at-rest is encrypted using AES-256, and data-in-transit is protected using TLS 1.3 at a minimum. All storage resides on EU-sovereign cloud infrastructure.
For sensitive communications, Intarmour offers PGP-encrypted email. Our public PGP key is available upon request through a verified channel. We also support client-specified secure collaboration platforms, encrypted file-sharing systems, and virtual data room integrations as required by engagement protocols.
Access to client data is restricted on a strict need-to-know basis. Only individuals directly assigned to an engagement have access to that engagement's data. Administrative and support personnel do not have access to client engagement materials. Access controls are enforced through technical measures including role-based access control, multi-factor authentication, and audit logging of all access events.
Information Compartmentalization
When Intarmour conducts concurrent engagements, strict information barriers are maintained between all active mandates. No information from one engagement is accessible to, shared with, or referenced in the context of another engagement. This compartmentalization is enforced through technical access controls, separate storage environments, and procedural safeguards.
This principle applies to all categories of information: client identity, engagement scope, findings, deliverables, and communications. Even generalized observations or industry benchmarks derived from engagement work are not attributed to specific clients or transferred between engagements without explicit authorization and appropriate anonymization.
Conflict of Interest Management
Before accepting any new engagement, Intarmour conducts a conflict of interest assessment. This evaluation considers current active engagements, recent past engagements, personal relationships, and any financial or commercial interest that could compromise independence or objectivity.
Where a potential conflict is identified, it is disclosed to the prospective client immediately. Depending on the nature and severity of the conflict, resolution may involve declining the engagement, obtaining informed consent from all affected parties, or implementing enhanced information barriers. Intarmour will not proceed with any engagement where a conflict cannot be adequately resolved.
In the context of M&A transactions, Intarmour will not simultaneously advise both buyer and seller in the same transaction, nor will it advise a party in a transaction where it has recently conducted advisory work for the counterparty on a related matter, unless all parties have provided informed written consent.
Post-Engagement Data Retention
Upon conclusion of an engagement, Intarmour applies a structureddata sovereignty-compliant retention and disposal process. The default retention framework is as follows, subject to modification by mutual agreement:
Final Deliverables
Archived under encryption for 10 years in accordance with Italian professional record-keeping obligations (Article 2220 of the Italian Civil Code). Access restricted to authorized personnel only.
Working Files & Drafts
Securely destroyed within 90 days of engagement conclusion. Destruction is verified and documented. Clients may request earlier destruction or extended retention in writing.
Communications
Email correspondence and meeting records retained for 24 months following engagement conclusion, then securely destroyed unless a longer period is required for legal or regulatory compliance.
Client-Provided Data
Returned to the client or securely destroyed upon engagement conclusion, at the client's election. Certificates of destruction are provided upon request.
Clients may request expedited destruction of all engagement data at any time by providing written instructions. Intarmour will execute the destruction within 30 days and provide written confirmation of completion. Regulatory or legal hold obligations may require limited retention exceptions, which are disclosed to the client.
Ready for institutional-grade
cybersecurity?
Confidential assessments for qualified Private Equity and Family Office entities requiring sovereign defense infrastructure.