Requesting our security questionnaire
How to ask for our standard security questionnaire, what it covers, and how fast we typically respond.
Most B2B vendor reviews start the same way: somebody on the buyer's security team sends a 200-row spreadsheet and asks the vendor to fill it in. We have a standing answer for that spreadsheet.
How to request it
Email hello@ochrehq.com with one line: "Please send the security questionnaire." Tell us:
- The legal name of your company.
- Whether you have a preferred format (CAIQ, SIG-Lite, your own custom doc).
- Whether you need an NDA in place first.
If you have your own template, attach it. We will fill it in and return it.
What it covers
Our standard questionnaire is a self-contained document. It covers:
1. Data and infrastructure
- Where data is stored: AWS us-east-2, on Postgres via Supabase. See Where Ochre stores your data.
- Data classification and retention.
- Encryption at rest (AES-256 at the volume layer by Supabase / AWS) and in transit (TLS 1.3).
- Field-level encryption for BYOK keys and OAuth tokens via OCHRE_BYOK_ENC_KEY (separate from the database service role).
- Backup and disaster recovery posture.
2. Application security
- Tenant isolation via Postgres row-level security. See How workspace isolation works.
- Authentication and session management.
- Webhook signature verification on Resend, Slack, HubSpot, Linear, GitHub, and Stripe — HMAC-SHA256 with crypto.timingSafeEqual, plus replay protection (timestamp window or delivery-id dedupe). See How Ochre verifies inbound webhooks.
- Survey HMAC token signing with a dedicated secret (OCHRE_SURVEY_TOKEN_SECRET).
- Input validation and OWASP coverage.
- Dependency management and patching cadence.
3. Access controls
- Role model in the product (owner, admin, agent, light agent). See Roles explained.
- Production access controls for Ochre staff (short-lived credentials).
- Onboarding and offboarding processes.
- Key rotation: BYOK keys can be rotated by the customer at any time by re-pasting in settings.
- No in-product audit log today. State-change history is held in application logs and provider logs (Supabase, Stripe). If an audit log is a hard requirement, tell us during procurement.
4. Vendor list and sub-processors
- Full list of sub-processors with purpose and region.
- Data flows for each integration: Stripe, HubSpot, Slack, Linear, GitHub, Notion, GitBook, Resend, Anthropic, OpenAI.
- DPA and SCC posture. See GDPR and your data rights.
5. Incident response
- IR plan summary, with named roles.
- Notification commitments (workspace owner notified without undue delay, GDPR-aligned windows).
- How customers can report suspected issues.
6. Compliance posture
- SOC 2: not certified, no audit currently underway. On the roadmap. See SOC 2 status.
- No self-serve SSO / SCIM / IP allowlist. Available as a concierge for Scale customers — email hello@ochrehq.com.
- GDPR readiness and data subject request handling (concierge via email).
- PCI: Stripe handles cards; we do not store PAN.
7. AI-specific controls
- BYOK and key isolation (OCHRE_BYOK_ENC_KEY).
- What gets sent to model providers (conversation context plus retrieved KB chunks, never the whole database).
- AI guardrails, spend caps, and confidence thresholds.
- AI receipts and how to review what the model did.
Turnaround
Standard questionnaires typically come back within 2 to 3 business days. Long custom spreadsheets (the 400-row variety) take longer; we will tell you up front. If your timeline is hard, say so in the first email and we will prioritize.
NDA
We are happy to sign a mutual NDA before sending anything. Send your standard MNDA. If you do not have one, we have a short one we can send you.
What we cannot share
A few categories of information are not in the questionnaire:
- Specific infrastructure secrets. Endpoint URLs of internal services, exact CIDRs, secret rotation schedules at the second-by-second level. We will describe controls without handing out the keys.
- Other customers' data or names. We do not provide reference customers without their explicit written permission.
After you receive it
If your security team has follow-ups, send them to the same thread. We are happy to do a 30-minute architecture review call where it would unblock the deal. The most common follow-ups end up being about RLS specifically (see How workspace isolation works) and webhook security (see How Ochre verifies inbound webhooks), so reading those articles before the call usually saves time.