OrynIQ is a SaaS platform for ServiceNow governance, platform health analysis, and AI-assisted remediation. It connects to your ServiceNow instance via OAuth 2.0 to perform automated health checks, CMDB diagnostics, and continuous monitoring.
OrynIQ is operated by Logan Poynter LLC and hosted on Microsoft Azure. Customers access the platform via a web browser. No software is installed in your environment.
| Data | Purpose | Stored |
|---|---|---|
| First and last name | Authentication, notifications, account record | Yes, OrynIQ database |
| Email address | Authentication, notifications, magic-link delivery | Yes, OrynIQ database |
| Phone number (provided at signup) | Account verification and abuse prevention | Yes, OrynIQ database (E.164 format) |
| Company name (provided at signup) | Account record | Yes, OrynIQ database |
| Stripe customer and subscription identifiers | Payment processing, subscription management | Yes, OrynIQ database (no card numbers) |
| Role and permissions | Access control | Yes, OrynIQ database |
| Last login timestamp | Session management, audit trail | Yes, OrynIQ database |
| Hashed password | Authentication (bcrypt, never plaintext) | Yes, OrynIQ database |
| IP address, browser user agent | Audit logging, anomaly detection | Yes, OrynIQ database |
| Data | Protection | Stored |
|---|---|---|
| OAuth Client ID | Encrypted at rest (AES-256-GCM) | Yes |
| OAuth Client Secret | Encrypted at rest (AES-256-GCM) | Yes |
| Access Token / Refresh Token | Encrypted at rest (AES-256-GCM) | Yes |
Credentials are never logged and are decrypted only in memory at the moment of an API call to your ServiceNow instance. The encryption key is stored separately from the database.
Payment card data is handled exclusively by Stripe. OrynIQ does not store card numbers, CVCs, full PANs, or magnetic stripe data. We retain only the Stripe customer and subscription identifiers needed to reconcile billing events.
OrynIQ queries your ServiceNow instance via its REST API using the OAuth credentials you provide. Data read may include:
Subsets of this data (finding details and sample records that evidence a health check result) are stored in the OrynIQ database to support reporting and trend analysis. Raw bulk data is not retained beyond what is needed to generate and support a finding.
We use the information collected at signup and during the lifetime of your subscription for the following purposes:
| Data | Purpose |
|---|---|
| Chat messages submitted to the Oryn AI agent | Passed to Anthropic Claude API to generate responses |
| Agent-surfaced findings and remediation proposals | Stored in OrynIQ database for customer review |
| Token counts per session | Internal usage tracking |
| Layer | Method |
|---|---|
| Passwords at rest | bcrypt with per-user salt |
| ServiceNow OAuth credentials at rest | AES-256-GCM |
| Data in transit | TLS 1.2+ enforced for all connections |
| Session tokens | Signed JWT, stored in httpOnly, Secure, SameSite=Lax cookies |
All customer data is isolated by customer_id at the application and database query level. No customer can access another customer's data through the application.
| Data Category | Retention |
|---|---|
| User accounts | Retained until deleted by a customer administrator |
| ServiceNow credentials | Retained until the connection is removed |
| Scan findings and reports | Retained for the duration of the engagement; deleted on tenant offboarding |
| 30-day Trial customer records | Retained through the 30-day trial window plus a 30-day grace period after expiry, then hard-deleted unless converted to a paid subscription |
| Abandoned Foundation signups (no payment) | Retained 7 days after signup, then hard-deleted if checkout is not completed |
| Foundation / Professional subscription data | Retained for the duration of the active subscription plus 90 days after cancellation, then deleted unless legal retention obligations apply |
| Audit and activity logs | Immutable; retained for a minimum of 12 months |
| User invite tokens | 48 hours from issuance |
| Signup magic-link tokens | 24 hours from issuance; cleared on first password set |
| AI session history | Retained for the duration of the engagement |
| Stripe payment records | Retained by Stripe independently for tax and regulatory compliance per Stripe's privacy policy |
Customers may request full tenant data deletion at any time. Deletion is completed within 30 days of a confirmed written request.
OrynIQ uses the Anthropic Claude API to power the Oryn AI investigation agent. During an AI session, user chat messages and relevant ServiceNow data surfaced by the agent are sent to Anthropic's API to generate responses.
OrynIQ uses Resend to deliver system emails such as user invite notifications. No marketing or promotional email is sent. Resend's privacy policy applies to email delivery metadata.
All traffic to OrynIQ passes through Cloudflare for SSL termination, DDoS protection, and WAF filtering. Cloudflare's privacy policy applies to traffic metadata at the network layer.
OrynIQ uses Stripe, Inc. as its payment processor for one-time fees, subscription billing, invoicing, refund processing, and dispute handling. Stripe is a PCI-DSS Level 1 service provider and handles card data exclusively. OrynIQ never stores, processes, or transmits raw card numbers.
| Subprocessor | Purpose | Data shared | Region |
|---|---|---|---|
| Stripe, Inc. | Payment processing & subscription management | Email, name, billing address, payment method, transactions | US |
Stripe Checkout sets cookies on the checkout.stripe.com domain to facilitate fraud detection and payment session continuity. These cookies are first-party to Stripe and are not set by OrynIQ. Stripe's privacy policy and data processing addendum apply.
Stripe retains payment records independently for tax and regulatory compliance per their privacy policy, distinct from OrynIQ's customer-data retention windows.
OrynIQ uses PostHog to understand how the platform is used so we can prioritize improvements. Analytics are collected on both the marketing site (oryniq.com) and the authenticated app (app.oryniq.com), and are only enabled after you grant consent via the cookie banner. Rejecting consent stops all PostHog activity. No events, no cookies, no session recordings.
/agent/*), authentication (/auth/*), and billing (/billing/*) routes| Subprocessor | Purpose | Data shared | Region |
|---|---|---|---|
| PostHog Inc. | Product analytics + session replay (consent-gated) | Pageviews, custom events, internal user ID, role, plan tier, org ID | US (us.i.posthog.com) |
PostHog sets ph_* cookies (distinct ID + session ID) on .oryniq.com. These cookies are only set after consent is granted and let us link a marketing-site visit to a subsequent app session for funnel analysis. PostHog's privacy policy and data processing addendum apply. Standard Contractual Clauses cover EU-to-US transfer for users in the EU/UK.
You can revoke consent at any time from Settings → Privacy in the app. Revocation immediately stops collection, clears the ph_* cookies, and aborts any in-flight session recording.
Data deletion: see privacy@oryniq.com. Analytics deletion is handled per the runbook documented in docs/runbooks/dsar-analytics-deletion.md.
| Role | Access Level |
|---|---|
global_admin | Full platform access (Logan Poynter LLC operations only) |
customer_admin | Full access within their tenant |
customer_user | Read/write access within their tenant |
customer_viewer | Read-only access within their tenant |
Logan Poynter LLC personnel do not access customer tenant data except as required for support activities explicitly requested by the customer, and only for the duration necessary to resolve the issue.
Sessions use a sliding 1-hour inactivity window. Tokens are renewed on each authenticated API call within the active window. Session cookies are httpOnly, Secure, and SameSite=Lax.
OrynIQ's AI agent can propose field-level changes to your ServiceNow instance as part of remediation guidance. These proposals:
All user and system actions are written to an immutable activity log. Each entry records:
Audit logs cannot be modified or deleted through the application. Minimum retention is 12 months.
As a customer, you can:
To exercise any of the above rights as a data subject (not just a customer), use the Privacy Requests form. We respond to verified requests within 30 days.
OrynIQ has no establishment in the EU or UK. Under Article 27 GDPR and the equivalent UK GDPR provision, OrynIQ has appointed GDPRLocal as its representative:
You may direct GDPR/UK GDPR inquiries to the appropriate representative above, or to OrynIQ directly at privacy@oryniq.com.
Right to lodge a complaint. If you are a data subject in the EU or UK, you have the right to lodge a complaint with your local supervisory authority at any time — most directly the Irish Data Protection Commission (EU) or the UK Information Commissioner's Office (UK), or the supervisory authority of your own habitual residence, place of work, or place of the alleged infringement. This right exists independently of, and is not limited by, any point of contact named on this page.
| Area | Status |
|---|---|
| GDPR (EU/UK) | Self-attested compliance. Attestation pack complete: GDPR Compliance Policy, Data Processing Agreement with SCC Module 2 Annex, Data Protection Impact Assessment, DPO Determination Memo, Data Breach Policy, GDPR Request Handling Process, and Article 30 Records of Processing Activities. Article 27 EU/UK representative appointed (GDPRLocal) — see §9b below. EU/UK customers should contact us to review our DPA before contracting. |
| CCPA | Supported. No sale of personal data; deletion requests honored. |
| PIPEDA (Canada) + provincial equivalents (Quebec Law 25, Alberta PIPA, British Columbia PIPA) | Supported. Personal data of Canadian residents processed in alignment with PIPEDA; cross-border transfer to Azure East US disclosed; DPA covers Canadian controllers |
| SOC 2 Type II | In progress, targeted for 2026 |
| Data Processing Agreement (DPA) | Available on request |
| Penetration testing | Planned ahead of SOC 2 audit |
OrynIQ is designed for deployment in regulated environments including financial services. Customers in regulated industries are encouraged to contact us to review specific control requirements.
OrynIQ processes personal information of Canadian individuals in alignment with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial equivalents, including Quebec Law 25, Alberta PIPA, and British Columbia PIPA.
Cross-border transfers. Customer data is hosted on Microsoft Azure infrastructure in the East US region (United States). Processing by sub-processors (Microsoft Azure, Anthropic, Stripe, Resend, Cloudflare, PostHog) also occurs in the United States. OrynIQ remains contractually accountable for personal data transferred to sub-processors and binds each sub-processor to comparable protection via the Data Processing Agreement.
Controllers subject to Quebec Law 25 are responsible for any privacy impact assessment that may be required prior to cross-border transfer. OrynIQ will provide reasonable information to support that assessment on request. Contact privacy@oryniq.com.
For data handling inquiries, deletion requests, or DPA requests:
Email: privacy@oryniq.com
For security incidents, vulnerability disclosure, or other security concerns:
Email: security@oryniq.com
Company: Logan Poynter LLC (OrynIQ)
We target a response to privacy and security inquiries within 2 business days.
This document is reviewed and updated as the platform evolves. Version 1.2, effective May 2026.