Ochroni legal
Security and Procurement Pack
This page gives buyers and vendor-review teams the current facts for Ochroni security, privacy, hosting, subprocessors, support contacts, and known launch limitations.
It is a factual due-diligence pack, not a certification, legal opinion, or external audit report.
Company scope
Ochroni is operated by Piotr Ciechowicz in Berlin as a B2B incident-management SaaS. Consumer subscriptions are not offered.
Data scope
Ochroni does not intentionally process special-category data, criminal-offence data, children's data, raw payment-card numbers, or AI/LLM customer-incident data at launch.
Procurement contact
Security reviews: security@ochroni.com
Legal and privacy: legal@ochroni.com
Repository pack
The source-controlled pack is stored at docs/procurement/security-procurement-pack-2026-04-29.md.
Current Evidence Status
| Topic | Current answer | Evidence or limitation |
|---|---|---|
| Hosting region | Railway is the active hosting subprocessor. Current production services were verified in europe-west4-drams3a. | Production-account setup evidence exists, but final-domain evidence remains blocked under P0-07/P0-09. |
| Backup and restore | RPO 15 minutes and RTO 60 minutes are documented targets. Data-directory snapshots are the primary restore source. | P0-06 remains blocked; there is no completed production-like off-host restore proof yet. |
| Monitoring | Health endpoints and monitor checks exist for web, worker, scheduler, and Spacetime. | P0-08 remains blocked until continuous monitors, alert routing, and a delivered test alert are archived. |
| Support contacts | support@ochroni.com, security@ochroni.com, and legal@ochroni.com are the published intake addresses. | P0-07 still requires inbound/outbound inbox validation and owner/backup-owner evidence. |
| Assurance status | Ochroni has not completed an external security certification, SOC 2 report, ISO 27001 certification, penetration test, or formal third-party audit. | A P1-11 threat model and external attack-surface review exists, but it is not a certification, penetration test, or formal third-party audit. |
Security Controls
- Private tables hold operational data; public views and reducers enforce tenant context.
- Email/password login uses 12-hour authenticated session freshness and current-tab sessionStorage for realtime tokens.
- No MFA or SSO is available at launch; fake MFA claims and code paths were removed.
- Public Spacetime access is restricted at the edge, with publish/call/SQL routes blocked from the public internet.
- Customer webhook delivery is HTTPS-only with private-network blocking, timeout, response-size cap, redirect blocking, and DNS rebinding protection.
- Password reset audit logs store only a SHA-256 reset-token reference, not token material.
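
One way to implement the webhook destination checks listed above (HTTPS-only, private-network blocking, DNS rebinding protection), as an added example that is not Ochroni's code. The function names, the injectable resolver, and the hostnames are assumptions for illustration, and the sample DNS answers are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

class WebhookRejected(Exception):
    """Webhook URL failed the destination policy."""

def _is_public(addr):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot mask a private IPv4 target.
    ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return ip.is_global and not ip.is_multicast

def system_resolve(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def pin_webhook_destination(url, resolve=system_resolve):
    """Return (host, port, pinned_ip) for an allowed URL, else raise WebhookRejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise WebhookRejected("scheme must be https")
    if not parts.hostname or parts.username or parts.password:
        raise WebhookRejected("host required, userinfo not allowed")
    try:
        port = parts.port or 443
    except ValueError:
        raise WebhookRejected("invalid port") from None
    addresses = resolve(parts.hostname, port)
    if not addresses:
        raise WebhookRejected("host did not resolve")
    # One non-public answer rejects the whole set: mixed answers are a rebinding signal.
    for addr in addresses:
        if not _is_public(addr):
            raise WebhookRejected(f"non-public address {addr}")
    # The sender connects to pinned_ip (TLS SNI and Host header = host) and never
    # resolves again, so a later DNS answer cannot swap the target after this check.
    return parts.hostname, port, addresses[0]

# Constructed resolver answers for offline use; the hostnames are hypothetical.
SAMPLE_DNS = {
    "hooks.customer.example": ["93.184.216.34"],
    "internal.customer.example": ["10.0.0.5"],
    "rebind.customer.example": ["93.184.216.34", "127.0.0.1"],
    "mapped.customer.example": ["::ffff:10.0.0.1"],
}

def sample_resolve(host, port):
    return SAMPLE_DNS.get(host, [])
```

Redirect blocking, the timeout, and the response-size cap from the same list belong in the HTTP client that uses the pinned address; they are not shown here.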
Legal And Privacy Documents
| Document | Use |
|---|---|
| Terms of Service | B2B-only terms with German binding text and English convenience translation. |
| Privacy Policy | Controller/processor split, purposes, retention, rights, subprocessors, and contacts. |
| Data Processing Agreement | Processor obligations, TOMs, subprocessors, transfer safeguards, and return/delete handling. |
| Cookie and Browser Storage Notice | Necessary browser storage, session cookies, and optional categories. |
| Impressum | German provider identification and contact information. |
Subprocessors
| Vendor | Status | Role | Current limitation |
|---|---|---|---|
| Railway | Active | Hosting and runtime for web, worker, scheduler, Spacetime, logs, and operational metadata. | Final-domain, restore-proof, and continuous-monitoring evidence remain tracked under P0-06/P0-07/P0-08/P0-09. |
| Stripe | Conditional | Billing, checkout, customer portal, invoices, and payment-event processing when paid billing is enabled. | Live Stripe, VAT, portal, invoice, and webhook evidence remain tracked under P0-07/P1-06. |
| Mailgun/Sinch | Conditional | Transactional email for invites, password resets, operational notices, and billing/support messages when enabled. | Mailgun key/domain, DNS, delivery tests, and inbox routing evidence remain tracked under P0-07. |
Current Limitations To Disclose
- The 2026-04-26 readiness audit verdict remains not ready for first paying customers until blocked P0 evidence closes.
- Production-like off-host backup restore proof is not complete.
- Final custom-domain, live Stripe, Mailgun delivery, and inbox validation evidence are not complete.
- Continuous external monitoring, alert routing, and delivered test-alert evidence are not complete.
- Founder or qualified German counsel sign-off is still required for the legal posture.
- P1-11 threat-model and external attack-surface review evidence exists, but it is not a penetration test, formal third-party audit, certification, or SOC 2/ISO 27001 assurance report.
- No MFA, SSO/SAML, SCIM, SOC 2 report, ISO 27001 certification, NIS2/KRITIS compliance claim, external penetration-test report, named pilot proof, insurance binder, or insurance certificate is available in this pack. P1-10 records the current insurance decision and search archive.
Procurement, privacy, and controller questions: legal@ochroni.com
Security questionnaires and responsible disclosure: security@ochroni.com
Start from the public Security Overview and Legal Center for linked source documents.