
Security practices.

We work with regulated operators — banks, gambling operators, performance-marketing agencies. The security posture below is the floor we operate above; specific engagements layer additional controls on top.

Last updated · 2026-04-26

Infrastructure

  • Cloudflare Workers — orgops.net runs on Cloudflare's global edge with TLS 1.3, automatic certificate rotation, and DDoS protection on by default.
  • Cloudflare D1 — bookings stored in an encrypted SQLite database; backups handled by Cloudflare.
  • Edge runtime only — no traditional server with persistent shell access; surface area is the deployed Worker code.

Data in transit and at rest

  • All connections to orgops.net and our APIs are forced over HTTPS with HSTS.
  • D1 storage is encrypted at rest by Cloudflare.
  • Client engagement data is stored in client-controlled environments wherever possible. ORG's working files for an engagement are kept in encrypted Google Workspace tenancies and client-shared spaces, not on local drives.

Access controls

  • Workforce access to systems is via SSO with mandatory MFA.
  • Cloudflare console access is restricted to operators on the practice and audited.
  • Production secrets are stored as Cloudflare Worker secrets — never committed to source control. The repository is continuously scanned for accidentally committed credentials.
  • Workforce devices are full-disk-encrypted, screen-locked, and managed.

Subprocessors

See the Privacy policy for the up-to-date list of subprocessors. We assess each on access scope, region, and contractual commitments before onboarding.

AI handling

  • Engagements that touch regulated data run inside the client's environment with their inference provider of choice — AI processing never leaves the client perimeter unless explicitly contracted.
  • We do not train models on client data. Subprocessor contracts disable training on inference inputs.
  • Every agent run is logged in the client's observability stack with prompt, tool calls, and outputs preserved for audit.

Incident response

  • Active engagements have a named incident lead at ORG and at the client.
  • For website-facing incidents, our internal SLA is to triage within 4 hours and to communicate next steps to affected parties within 24 hours.
  • Personal-data incidents that meet the GDPR threshold are reported to the relevant data-protection authority within 72 hours.

Coordinated disclosure

If you believe you have found a security vulnerability, disclose it confidentially to security@orgops.net. Please give us a reasonable window to investigate and remediate before public disclosure. We do not pursue legal action against good-faith researchers acting under this policy.

Questions?

Found a vulnerability? Disclose responsibly to security@orgops.net (PGP key on request). We acknowledge within 48 hours.