Privacy & Data Handling

Version: 1.0 Effective: March 2026 Contact: hello@loganpoynter.dev

1. Overview

OrynIQ is a SaaS platform for ServiceNow governance, platform health analysis, and AI-assisted remediation. It connects to your ServiceNow instance via OAuth 2.0 to perform automated health checks, CMDB diagnostics, and continuous monitoring.

OrynIQ is operated by Logan Poynter LLC and hosted on Microsoft Azure. Customers access the platform via a web browser — no software is installed in your environment.

2. What Data We Process

2.1 Account & User Data

DataPurposeStored
Name, email addressAuthentication, notificationsYes — OrynIQ database
Role and permissionsAccess controlYes — OrynIQ database
Last login timestampSession management, audit trailYes — OrynIQ database
Hashed passwordAuthentication (bcrypt, never plaintext)Yes — OrynIQ database
IP address, browser user agentAudit logging, anomaly detectionYes — OrynIQ database

2.2 ServiceNow Connection Credentials

DataProtectionStored
OAuth Client IDEncrypted at rest (AES-256-GCM)Yes
OAuth Client SecretEncrypted at rest (AES-256-GCM)Yes
Access Token / Refresh TokenEncrypted at rest (AES-256-GCM)Yes

Credentials are never logged and are decrypted only in memory at the moment of an API call to your ServiceNow instance. The encryption key is stored separately from the database.

2.3 ServiceNow Instance Data

OrynIQ queries your ServiceNow instance via its REST API using the OAuth credentials you provide. Data read may include:

  • CMDB records — Configuration Items, relationships, ownership and lifecycle fields
  • ITSM records — Incidents, changes, problems, and service requests (metadata and field values)
  • User and role data — User accounts, roles, groups, and ACLs (used for access governance checks)
  • Schema data — Custom tables, fields, and update sets (schema health and upgrade risk analysis)
  • Script and automation data — Business Rules, Script Includes, and Flow Designer flows
  • Asset and license data — Hardware assets and subscription records

Subsets of this data — finding details and sample records that evidence a health check result — are stored in the OrynIQ database to support reporting and trend analysis. Raw bulk data is not retained beyond what is needed to generate and support a finding.

2.4 AI Interaction Data

DataPurpose
Chat messages submitted to the Oryn AI agentPassed to Anthropic Claude API to generate responses
Agent-surfaced findings and remediation proposalsStored in OrynIQ database for consultant review
Token counts per sessionInternal usage tracking

3. How We Store Data

3.1 Infrastructure

  • Hosting — Microsoft Azure (Ubuntu 22.04 LTS VM), operated and maintained by Logan Poynter LLC. Customers access the platform via a web browser — no infrastructure is deployed in your environment.
  • Database — PostgreSQL 15, deployed in Docker on the same dedicated VM, not accessible from the public internet. The database port is bound to localhost only.
  • Edge — Cloudflare is used for SSL termination, DDoS mitigation, and WAF protection.
  • Backups — Azure disk snapshots are taken on a regular schedule. Point-in-time database recovery is available on request.

3.2 Encryption

LayerMethod
Passwords at restbcrypt with per-user salt
ServiceNow OAuth credentials at restAES-256-GCM
Data in transitTLS 1.2+ enforced for all connections
Session tokensSigned JWT, stored in httpOnly, Secure, SameSite=Lax cookies

3.3 Multi-Tenant Isolation

All customer data is isolated by customer_id at the application and database query level. No customer can access another customer's data through the application.

4. Data Retention

Data CategoryRetention
User accountsRetained until deleted by a customer administrator
ServiceNow credentialsRetained until the connection is removed
Scan findings and reportsRetained for the duration of the engagement; deleted on tenant offboarding
Audit and activity logsImmutable; retained for a minimum of 12 months
User invite tokens48 hours from issuance
AI session historyRetained for the duration of the engagement

Customers may request full tenant data deletion at any time. Deletion is completed within 30 days of a confirmed written request.

5. Third-Party Services

5.1 Anthropic (Claude AI)

OrynIQ uses the Anthropic Claude API to power the Oryn AI investigation agent. During an AI session, user chat messages and relevant ServiceNow data surfaced by the agent are sent to Anthropic's API to generate responses.

  • Anthropic does not use API inputs or outputs to train its models by default
  • Anthropic's usage policy and privacy policy apply
  • Token usage (not content) is logged locally for internal cost tracking
  • AI features can be disabled per customer if required

5.2 Resend (Transactional Email)

OrynIQ uses Resend to deliver system emails such as user invite notifications. No marketing or promotional email is sent. Resend's privacy policy applies to email delivery metadata.

5.3 Cloudflare

All traffic to OrynIQ passes through Cloudflare for SSL termination, DDoS protection, and WAF filtering. Cloudflare's privacy policy applies to traffic metadata at the network layer.

6. Access Controls

6.1 Role-Based Access

RoleAccess Level
global_adminFull platform access — Logan Poynter LLC operations only
customer_adminFull access within their tenant
customer_userRead/write access within their tenant
customer_viewerRead-only access within their tenant

6.2 Operator Access

Logan Poynter LLC personnel do not access customer tenant data except as required for support activities explicitly requested by the customer, and only for the duration necessary to resolve the issue.

6.3 Session Security

Sessions use a sliding 1-hour inactivity window. Tokens are renewed on each authenticated API call within the active window. Session cookies are httpOnly, Secure, and SameSite=Lax.

7. AI-Proposed Remediation

OrynIQ's AI agent can propose field-level changes to your ServiceNow instance as part of remediation guidance. These proposals:

  • Are never applied automatically — every proposal requires explicit human review and approval before any write-back is executed
  • Are recorded in the platform's audit log with the proposal content, reviewing user, timestamp, and outcome
  • Can be reviewed, approved, or rejected individually in the OrynIQ UI
No changes are made to your ServiceNow instance without a deliberate, logged approval action by an authorized user.

8. Audit Logging

All user and system actions are written to an immutable activity log. Each entry records:

  • Event type and severity
  • User identity (ID and email)
  • Timestamp (UTC)
  • IP address and browser user agent
  • Entity affected (type and ID)
  • Change detail where applicable

Audit logs cannot be modified or deleted through the application. Minimum retention is 12 months.

9. Your Rights & Controls

As a customer, you can:

  • Export findings, scan data, and reports at any time (CSV, Excel, PDF)
  • Remove ServiceNow connections, which immediately invalidates stored credentials
  • Delete users and engagement data via the admin interface
  • Request full data deletion — submit a request to hello@loganpoynter.dev and all tenant data will be purged within 30 days
  • Review all platform activity via the audit log

10. Compliance Posture

AreaStatus
GDPRSupported — data deletion on request, audit trail, no third-party data sales, DPA available
CCPASupported — no sale of personal data, deletion requests honored
SOC 2 Type IIn progress — targeted for 2026
Data Processing Agreement (DPA)Available on request
Penetration testingPlanned ahead of SOC 2 audit

OrynIQ is designed for deployment in regulated environments including financial services. Customers in regulated industries are encouraged to contact us to review specific control requirements.

11. What We Don't Do

  • We do not sell or share your data with third parties for any purpose other than service delivery
  • We do not use your ServiceNow data to train AI models
  • We do not send marketing communications
  • We do not store plaintext credentials at any point
  • We do not make changes to your ServiceNow instance without explicit human approval

12. Contact

For data handling inquiries, deletion requests, DPA requests, or security concerns:

Email: hello@loganpoynter.dev

Company: Logan Poynter LLC (OrynIQ)

We target a response to security-related inquiries within 2 business days.

This document is reviewed and updated as the platform evolves. Version 1.0 — effective March 2026.