Built for the procurement review.
An Ofreygo engagement is designed so that your CISO, head of Legal, and procurement team all sign off in days, not weeks. This page documents the access model, data handling, legal posture, and certification roadmap we operate against.
Last updated: April 2026
How we handle your data
Read-only, scoped, revocable
Ofreygo never requests persistent admin access. All discovery runs against per-engagement, read-only tokens that your team provisions and can revoke at any moment. No write operations. No retained access after delivery.
Least-privilege by source
Each discovery source is scoped to the minimum data required: an SSO log export, an expense CSV, a Slack search token, GitHub organization read access, and nothing broader than the synthesis requires.
90-day data retention
All discovery data is deleted from Ofreygo systems no later than 90 days after engagement close. Final deliverables (landscape report, risk register, roadmap) remain your property and are not retained on our side.
Mutual NDA + DPA
We sign your paper. Mutual NDA is executed before any discovery work begins. A standard DPA covers any personal data touched during the engagement. Both templates are available on request for legal review.
Where your data may reside
Ofreygo operates with a deliberately small footprint. The following services support engagement delivery. A current list is maintained here and included in the security review packet.
| Processor | Purpose | Data | Region |
|---|---|---|---|
| Netlify | Website hosting and form submissions | Inbound contact/form data (name, email, company, message) | US |
| Calendly | Discovery call scheduling | Name, work email, selected meeting time | US |
| Google Workspace | Email, calendar, and document collaboration | Engagement communications; scoped to minimum necessary | US |
| Plausible | Privacy-preserving analytics on ofreygo.com | Aggregate, non-identifying page views | EU |
Posture and roadmap
SOC 2 Type I
Controls scoped against CC1–CC9, CC6.1, CC7.2. Policies mapped during audit engagement intake.
ISO 27001 posture
Annex A controls mapped in the governance framework starter delivered to every client.
NIST AI Risk Management Framework
Govern, Map, Measure, and Manage functions are the backbone of the audit methodology. Discovery findings are categorized against NIST AI RMF functions in every risk register.
What happens if something goes wrong
Notification timeline
Ofreygo commits to notifying engagement points of contact of any suspected security incident involving client data within 24 hours of detection.
Escalation path
Founder-led response today; escalation to the client CISO and legal team within 4 hours of a confirmed incident. A documented runbook is available on request.
Business continuity
All engagement artifacts are versioned and mirrored across two independent cloud providers. Founder-availability continuity plan documented in the security review packet.
Request the full security review packet
A single PDF covering architecture, data flow, retention, legal templates (mutual NDA and DPA), sub-processors, incident-response runbook, and business-continuity plan. Sent to your work email within one business day under mutual NDA.
No marketing. Sent under mutual NDA.
Ready to see your AI landscape?
Book a 20-minute call. We’ll walk through your current setup and decide together whether an Ofreygo Audit is a fit.
Where Mission Meets Compliance