OrynIQ is a SaaS platform for ServiceNow governance, platform health analysis, and AI-assisted remediation. It connects to your ServiceNow instance via OAuth 2.0 to perform automated health checks, CMDB diagnostics, and continuous monitoring.
OrynIQ is operated by Logan Poynter LLC and hosted on Microsoft Azure. Customers access the platform via a web browser — no software is installed in your environment.
| Data | Purpose | Stored |
|---|---|---|
| First and last name | Authentication, notifications, account record | Yes — OrynIQ database |
| Email address | Authentication, notifications, magic-link delivery | Yes — OrynIQ database |
| Phone number (provided at signup) | Account verification and abuse prevention | Yes — OrynIQ database (E.164 format) |
| Company name (provided at signup) | Account record | Yes — OrynIQ database |
| Stripe customer and subscription identifiers | Payment processing, subscription management | Yes — OrynIQ database (no card numbers) |
| Role and permissions | Access control | Yes — OrynIQ database |
| Last login timestamp | Session management, audit trail | Yes — OrynIQ database |
| Hashed password | Authentication (bcrypt, never plaintext) | Yes — OrynIQ database |
| IP address, browser user agent | Audit logging, anomaly detection | Yes — OrynIQ database |
| Data | Protection | Stored |
|---|---|---|
| OAuth Client ID | Encrypted at rest (AES-256-GCM) | Yes |
| OAuth Client Secret | Encrypted at rest (AES-256-GCM) | Yes |
| Access Token / Refresh Token | Encrypted at rest (AES-256-GCM) | Yes |
Credentials are never logged and are decrypted only in memory at the moment of an API call to your ServiceNow instance. The encryption key is stored separately from the database.
Payment card data is handled exclusively by Stripe. OrynIQ does not store card numbers, CVCs, full PANs, or magnetic stripe data. We retain only the Stripe customer and subscription identifiers needed to reconcile billing events.
OrynIQ queries your ServiceNow instance via its REST API using the OAuth credentials you provide. Data read may include:
Subsets of this data — finding details and sample records that evidence a health check result — are stored in the OrynIQ database to support reporting and trend analysis. Raw bulk data is not retained beyond what is needed to generate and support a finding.
We use the information collected at signup and during the lifetime of your subscription for the following purposes:
| Data | Purpose |
|---|---|
| Chat messages submitted to the Oryn AI agent | Passed to Anthropic Claude API to generate responses |
| Agent-surfaced findings and remediation proposals | Stored in OrynIQ database for customer review |
| Token counts per session | Internal usage tracking |
| Layer | Method |
|---|---|
| Passwords at rest | bcrypt with per-user salt |
| ServiceNow OAuth credentials at rest | AES-256-GCM |
| Data in transit | TLS 1.2+ enforced for all connections |
| Session tokens | Signed JWT, stored in httpOnly, Secure, SameSite=Lax cookies |
All customer data is isolated by customer_id at the application and database query level. No customer can access another customer's data through the application.
| Data Category | Retention |
|---|---|
| User accounts | Retained until deleted by a customer administrator |
| ServiceNow credentials | Retained until the connection is removed |
| Scan findings and reports | Retained for the duration of the engagement; deleted on tenant offboarding |
| Self-Assessment customer records (paid) | Retained 30 days after payment, then hard-deleted unless converted to a paid subscription |
| Self-Assessment customer records (unpaid trial) | Retained 7 days after creation, then hard-deleted if no payment is received |
| Foundation / Professional subscription data | Retained for the duration of the active subscription plus 90 days after cancellation, then deleted unless legal retention obligations apply |
| Audit and activity logs | Immutable; retained for a minimum of 12 months |
| User invite tokens | 48 hours from issuance |
| Signup magic-link tokens | 24 hours from issuance; cleared on first password set |
| AI session history | Retained for the duration of the engagement |
| Stripe payment records | Retained by Stripe independently for tax and regulatory compliance per Stripe's privacy policy |
Customers may request full tenant data deletion at any time. Deletion is completed within 30 days of a confirmed written request.
OrynIQ uses the Anthropic Claude API to power the Oryn AI investigation agent. During an AI session, user chat messages and relevant ServiceNow data surfaced by the agent are sent to Anthropic's API to generate responses.
OrynIQ uses Resend to deliver system emails such as user invite notifications. No marketing or promotional email is sent. Resend's privacy policy applies to email delivery metadata.
All traffic to OrynIQ passes through Cloudflare for SSL termination, DDoS protection, and WAF filtering. Cloudflare's privacy policy applies to traffic metadata at the network layer.
OrynIQ uses Stripe, Inc. as its payment processor for one-time fees, subscription billing, invoicing, refund processing, and dispute handling. Stripe is a PCI-DSS Level 1 service provider and handles card data exclusively — OrynIQ never stores, processes, or transmits raw card numbers.
| Subprocessor | Purpose | Data shared | Region |
|---|---|---|---|
| Stripe, Inc. | Payment processing & subscription management | Email, name, billing address, payment method, transactions | US |
Stripe Checkout sets cookies on the checkout.stripe.com domain to facilitate fraud detection and payment session continuity. These cookies are first-party to Stripe and are not set by OrynIQ. Stripe's privacy policy and data processing addendum apply.
Stripe retains payment records independently for tax and regulatory compliance per their privacy policy, distinct from OrynIQ's customer-data retention windows.
| Role | Access Level |
|---|---|
global_admin | Full platform access — Logan Poynter LLC operations only |
customer_admin | Full access within their tenant |
customer_user | Read/write access within their tenant |
customer_viewer | Read-only access within their tenant |
Logan Poynter LLC personnel do not access customer tenant data except as required for support activities explicitly requested by the customer, and only for the duration necessary to resolve the issue.
Sessions use a sliding 1-hour inactivity window. Tokens are renewed on each authenticated API call within the active window. Session cookies are httpOnly, Secure, and SameSite=Lax.
OrynIQ's AI agent can propose field-level changes to your ServiceNow instance as part of remediation guidance. These proposals:
All user and system actions are written to an immutable activity log. Each entry records:
Audit logs cannot be modified or deleted through the application. Minimum retention is 12 months.
As a customer, you can:
| Area | Status |
|---|---|
| GDPR | Supported — data deletion on request, audit trail, no third-party data sales, DPA available |
| CCPA | Supported — no sale of personal data, deletion requests honored |
| SOC 2 Type II | In progress — targeted for 2026 |
| Data Processing Agreement (DPA) | Available on request |
| Penetration testing | Planned ahead of SOC 2 audit |
OrynIQ is designed for deployment in regulated environments including financial services. Customers in regulated industries are encouraged to contact us to review specific control requirements.
For data handling inquiries, deletion requests, DPA requests, or security concerns:
Email: support@oryniq.com
Company: Logan Poynter LLC (OrynIQ)
We target a response to security-related inquiries within 2 business days.
This document is reviewed and updated as the platform evolves. Version 1.0 — effective March 2026.