Ochroni legal
Security and Procurement Pack
This page gives buyers and vendor-review teams the current facts for Ochroni security, privacy, hosting, subprocessors, support contacts, and assurance scope.
It is a factual due-diligence pack, not a certification, legal opinion, or external audit report.
Company scope
Ochroni is operated by Piotr Ciechowicz in Berlin as a B2B incident-management SaaS. Consumer subscriptions are not offered.
Data scope
Ochroni does not intentionally process special-category data, criminal-offence data, children's data, raw payment-card numbers, or AI/LLM customer-incident data in the standard service.
Procurement contact
Security reviews: security@ochroni.com
Legal and privacy: legal@ochroni.com
Review materials
Hosting, subprocessor, DPA, security-control, and support-contact information is collected here for vendor review.
Current Assurance Status
| Topic | Current answer | Assurance note |
|---|---|---|
| Hosting region | Ochroni’s public SaaS deployment is hosted on Railway in an EU region. | Hosting and deployment information is documented for buyer review. Confirm the applicable production domain in the order form or rollout brief. |
| Backup and restore | RPO 15 minutes and RTO 60 minutes are documented operational targets, not contractual SLA commitments unless separately agreed in writing. | Backup and restore procedures are documented. No public third-party restore attestation is included in the self-serve procurement materials. |
| Monitoring | Health endpoints and monitor checks exist for web, worker, scheduler, and Spacetime. | Operational monitoring procedures and service-health checks are documented for vendor review. |
| Support contacts | support@ochroni.com, security@ochroni.com, and legal@ochroni.com are the published intake addresses. | Use the address that best matches your request so it reaches the right reviewer quickly. |
| Assurance status | Ochroni does not currently claim ISO 27001, SOC 2, NIS2, KRITIS, or similar certification status. | Security controls and procurement information are documented for buyer review. |
Security Controls
- Private tables hold operational data; public views and reducers enforce tenant context.
- Email/password login uses a 12-hour authenticated-session freshness window, and realtime tokens are held in sessionStorage scoped to the current tab.
- No MFA, SSO/SAML, or SCIM is available in the public self-serve plan at this time.
- Public Spacetime access is restricted at the edge; administrative and database-management routes are not exposed to the public internet.
- Customer-facing outbound integration settings are not exposed in the self-serve launch plan.
- Password reset audit logs store only a non-reversible token reference, not token material.
Legal And Privacy Documents
| Document | Use |
|---|---|
| Terms of Service | B2B-only terms with German binding text and English convenience translation. |
| Privacy Policy | Controller/processor split, purposes, retention, rights, subprocessors, and contacts. |
| Data Processing Agreement | Processor obligations, TOMs, subprocessors, transfer safeguards, and return/delete handling. |
| Cookie and Browser Storage Notice | Necessary browser storage, session cookies, and optional categories. |
| Impressum | German provider identification and contact information. |
Subprocessors
| Vendor | Status | Role | Scope note |
|---|---|---|---|
| Railway | Active | Hosting and runtime for web, worker, scheduler, Spacetime, logs, and operational metadata. | Hosting, runtime, and region information is documented for buyer review. |
| Stripe | Active for paid billing | Billing, checkout, customer portal, invoices, and payment-event processing for paid plans. | Taxes, invoices, and Reverse Charge handling depend on customer and order details. |
| Mailgun/Sinch | Active | Transactional email for invites, password resets, operational notices, and billing/support messages. | Ochroni targets Mailgun’s EU API endpoint for transactional email transport. |
| Sentry | Active | Error monitoring, technical diagnostics, and application stability analysis. | Personal data transmission is configured restrictively; technical error context may still include limited identifiers or route details. |
Current Scope And Assurance Status
- Ochroni is offered as a B2B SaaS for controlled logistics and supply-chain incident-response workflows.
- Ochroni is not an emergency service, statutory reporting replacement, or substitute for customer operational, legal, or regulatory processes.
- Ochroni does not currently claim ISO 27001, SOC 2, NIS2, KRITIS, or equivalent certification status.
- Ochroni does not currently claim NIS2/KRITIS regulated-entity status. Customers subject to NIS2, BSIG, or KRITIS obligations can request security, subprocessor, incident-response, and continuity materials for supplier-risk review.
- The public self-serve plan does not currently include SSO/SAML, SCIM, MFA, or external penetration-test reports. Extended assurance documentation can be discussed for larger deployments.
- Ochroni records incident actions, timestamps, ownership, participation, and audit trails. Customers remain responsible for employee notices, works-council, labor-law, and internal-policy checks before rollout.
- Backup, recovery, monitoring, hosting, subprocessor, DPA, security-control, and support-contact information is available on this page.
- Additional vendor-review questions can be sent to security@ochroni.com or legal@ochroni.com.
Procurement, privacy, and controller questions: legal@ochroni.com
Security questionnaires and responsible disclosure: security@ochroni.com
Start from the public Security Overview and Legal Center for linked source documents.