Privacy Policy
How we collect, use, and protect the data you entrust to Vendor Access Vault. Plain English. No surprises.
Credential secrets are AES-256-GCM encrypted with a unique IV per credential.
Every reveal, rotation, and approval is logged with actor, IP, and user agent.
We do not sell personal information or use it for cross-context behavioral advertising.
Service providers: Vercel, Neon, Resend, Cloudflare, and (optional) Google OAuth.
Overview
This Privacy Policy explains how ORYGN LLC ("ORYGN," "we," "us") collects, uses, discloses, and protects information in connection with Vendor Access Vault, including the marketing website, the authenticated application, and related pages (collectively, the "Service").
Vendor Access Vault is an account-based service that lets teams store vendor credentials, route access through approval workflows, and keep a structured audit trail. Using the Service requires creating an account.
Information We Collect
We collect or process the following categories of information:
Account information. When you sign up we collect your name, email address, and a password (which we store only as a bcrypt hash, never in plaintext). If you sign in with Google, we receive your email address, name, and Google account identifier from Google; we do not receive your Google password.
Two-factor authentication data. If you enable TOTP two-factor authentication, we store your TOTP secret encrypted with AES-256-GCM, and we store SHA-256 hashes of any backup codes you generate.
Organization and membership data. The organizations you create or join, the role you have in each (owner, admin, viewer), invitations you send or receive, and your team-member relationships.
Vendor and credential metadata. The vendors you add (name, category, website, contact info, criticality, compliance and data-access tags, owner, renewal date, notes), the credentials you attach (name, type, environment, rotation period, timestamps), and access requests (justification, duration, status, comments).
Encrypted credential values. Credential secrets you store are encrypted with AES-256-GCM using a per-credential initialization vector. The 32-byte encryption key is held in our server environment and is never shipped to the browser. We see ciphertext, not your secrets, in normal operation.
Audit log. Every meaningful action (credential creates, reveals, rotations, deletions; access request transitions; sign-ins and sign-outs; offboardings) is recorded in an append-only audit log with the actor, the resource, an action timestamp, the requesting IP address, and the user-agent string.
Device, browser, and request data. Like most internet services, our infrastructure providers automatically receive technical request data when you visit the Service, such as IP address, browser type, device information, and timestamps.
Communications. If you contact us directly we will receive your name, email address, and the contents of your message.
How We Use Information
We use information we collect or process to:
Provide, operate, secure, and maintain the Service.
Authenticate you, manage your sessions, and enforce the role permissions in your organizations.
Encrypt, store, retrieve, and decrypt credentials when an authorized user with active access requests them.
Send transactional email like verification links, password resets, security notifications, invitations, access-request decisions, and rotation reminders.
Maintain the audit log and produce CSV exports when an admin requests one.
Monitor availability, diagnose technical issues, prevent abuse, and protect the Service.
Comply with legal obligations and enforce our rights.
Legal Bases for Processing
If EEA, UK, or similar data protection laws apply to you, we generally process personal information on one or more of the following bases: performance of the contract you enter into when you create an account, compliance with legal obligations, and our legitimate interests in operating, securing, improving, and protecting the Service and its users.
Where consent is required for a particular activity, we will rely on consent to the extent required by applicable law.
Storage and Encryption
Account, organization, vendor, and audit data is stored in a managed PostgreSQL database operated by our infrastructure provider. The provider operates encryption at rest at the storage layer and TLS in transit between application and database.
Credential secret values receive an additional layer of application-level encryption using AES-256-GCM with a fresh 12-byte initialization vector per credential and a 16-byte authentication tag stored alongside the ciphertext. The 32-byte symmetric key is held only in our server-side runtime environment and is not present in any client-shipped JavaScript bundle.
List queries that return credential metadata explicitly exclude the encrypted columns from the database response. Plaintext is only materialized server-side at the moment a user with active authorized access explicitly requests a reveal, and every such reveal is recorded in the audit log.
Service Providers and Sharing
We use third-party service providers to host, secure, and deliver the Service. We share with these providers only the information they need to perform the function we have engaged them for, and they are subject to their own privacy practices and contractual obligations.
Hosting and database. Vercel Inc. (web hosting and serverless function execution) and Neon Inc. (managed PostgreSQL).
Email delivery. Resend, Inc. (transactional email delivery for verification links, password resets, invitations, and access-request notifications).
Bot protection. Cloudflare, Inc. (Turnstile bot challenge on signup and password reset; technical request data may be processed by Cloudflare to verify human visitors).
Authentication. Google LLC (only if you choose to sign in with Google; Google receives an OAuth request from us and returns your email, name, and Google account identifier).
Legal compliance and protection. We may disclose information if we believe disclosure is reasonably necessary to comply with law, regulation, legal process, or governmental request, or to protect the rights, safety, security, and integrity of ORYGN, the Service, our users, or others.
Business transactions. We may disclose information in connection with a merger, financing, acquisition, reorganization, sale of assets, or similar corporate event.
With your direction. We may disclose information when you ask us to do so or when the disclosure is inherent in a feature you choose to use (for example, sending an invitation email to a teammate or exporting an audit log to CSV).
We do not sell personal information and we do not share personal information for cross-context behavioral advertising.
Retention
Account, organization, vendor, and credential records are retained for the lifetime of your organization. Audit log entries are retained for up to 365 days, then automatically purged on a daily sweep. The retention window can be adjusted by the operator via the AUDIT_LOG_RETENTION_DAYS environment variable.
Verification tokens, password-reset tokens, email-change tokens, and access requests have built-in expiry. Expired tokens are purged on a daily cadence.
You can delete your account from the Account page. Deletion is scheduled with a 7-day grace period during which a single email link can cancel it. After the grace period, your profile, credentials, two-factor settings, and organization memberships are permanently removed. Vendors, credentials, access requests, and comments you authored remain with their organization (your name is removed from them) so other members can keep working. Account deletion is blocked while you are the sole owner of any organization. Transfer ownership or delete the organization first.
If you delete an organization (owner action), associated records are removed via cascade.
Technical logs and operational records maintained by us or our providers may be retained for as long as reasonably necessary to operate, secure, troubleshoot, and protect the Service, to comply with law, and to resolve disputes.
Security
We use commercially reasonable measures designed to protect information under our control, including AES-256-GCM application-layer encryption for credential secrets, bcrypt password hashing, short-lived authentication tokens, role-based access controls, an append-only audit log with IP and user-agent capture, Cloudflare Turnstile bot protection on credential-creation paths, and TLS in transit.
However, no security measure is perfect, and we cannot guarantee absolute security. You are responsible for protecting your account credentials, enabling two-factor authentication, and using the principle of least privilege when granting roles within your organization.
Your Rights and Choices
Depending on where you live, you may have rights to request access to, correction of, deletion of, portability of, or additional information about personal information we maintain about you.
You can exercise these rights directly in the Service:
- Access and portability: from the Account page, click “Download my data” to receive a structured JSON copy of every piece of personal data we hold about your account (profile, OAuth links, organization memberships, vendors and credentials you authored, access requests and comments, audit log entries you are the actor on). This excludes secrets you already hold (your password, two-factor secret, backup codes) and credential plaintexts that belong to your organization.
- Correction: update your name, email address, and password from the Account page.
- Deletion: from the Account page, click “Delete my account”. Deletion is scheduled with a 7-day grace window during which a single email link can cancel it. After the grace period, your profile, sign-in credentials, two-factor settings, and organization memberships are permanently removed. Vendors, credentials, and other content you authored remain with their organization with your name removed. Deletion is blocked while you are the sole owner of an organization.
- Audit log download (admins): the audit log for your organization can be exported as CSV from the Audit page.
- Leave an organization: non-owners can leave at any time; owners can transfer ownership and then leave or delete the organization.
For any other request, contact us at the email below and we will respond as required by applicable law.
California residents may have rights under California privacy law, including rights to know, delete, and correct certain personal information, and the right not to be discriminated against for exercising those rights. We do not sell personal information and do not share personal information for cross-context behavioral advertising.
Residents of the EEA, UK, and similar jurisdictions may have rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, objection, and portability, subject to legal limitations.
Children
The Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact us and we will take appropriate steps.
International Transfers
ORYGN is based in the United States, and our infrastructure providers operate from the United States. If you access the Service from outside the United States, your information will be processed in the United States or other jurisdictions where we or our service providers operate.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date on this page and may provide additional notice where appropriate, such as an in-app banner or an email to account owners.
Contact
If you have questions about this Privacy Policy or our data practices, please contact:
ORYGN LLC
Email: [email protected]