Privacy Policy.

DiligenceDesk is built around a local-first architecture: your audit history lives in your browser, not on our servers. This policy explains the limited request metadata Orygn LLC and our hosting providers do process, why, for how long, and how to reach us about it.

Plain-English summary

Orygn does not require an account or store your audit history on our servers. Your search history is kept locally in your browser. We process the minimum request metadata our hosting providers need to deliver the Service safely (IP address, user-agent, Cloudflare Turnstile interaction), and we cache federal-source responses server-side for up to 24 hours, keyed by query. We do not sell personal information. We respond to access and deletion requests at the contact below.

/ 01 · WHO AND WHAT

Scope and controller.

This Privacy Policy describes how Orygn LLC (“Orygn,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with the DiligenceDesk service (the “Service”), available at diligencedesk.orygn.tech. Orygn is the data controller for purposes of the EU and UK General Data Protection Regulations.

This Policy is incorporated into and forms part of the DiligenceDesk Terms of Service. By using the Service you agree to the practices described in this Policy.

/ 02 · ARCHITECTURE

Local-first architecture.

DiligenceDesk is engineered so that the data most likely to be sensitive (which vendors you searched, in what order, with what notes) never reaches Orygn's servers. The audit you run loads in your browser, queries federal data sources through a stateless serverless function, and renders the result in your browser. The query history is then stored in your browser's local storage, session storage, or IndexedDB, depending on the feature, and remains under your local control.

Earlier versions of this page used the term “zero-knowledge” for this design. We now use “local-first” instead, because “zero-knowledge” has a specific cryptographic meaning the Service does not satisfy. Local-first describes the actual property: the canonical record of your activity lives on your device, not ours.

In your browser
Audit history, saved reports, watchlists, UI preferences. Cleared when you clear your browser storage. Not synchronized to Orygn.
On Orygn-controlled infrastructure
Federal-source response cache (Vercel KV, up to 24h, keyed by the queried entity). Standard hosting and security logs from Vercel and Cloudflare, including IP address and user-agent (typical platform retention). No persistent record of which user searched which entity.
In transit
TLS 1.2 / 1.3 with HSTS. Federal API requests are made server-side from a Vercel function so federal API keys never reach the browser.

/ 03 · CATEGORIES

Information we process.

Network telemetry
IP address, user-agent string, TLS handshake metadata, request method and path. Used by Vercel and Cloudflare to deliver the Service, prevent abuse, and protect against denial-of-service attacks.
Cloudflare Turnstile interaction
When a Turnstile challenge runs (typically on the first audit of a session), Cloudflare evaluates browser and hardware-environment signals to distinguish humans from automated scripts. This interaction is governed by Cloudflare's privacy policy. Orygn receives only a verification result, not the underlying signals.
Search input
The legal name, UEI, or CAGE code you submit. Sent to upstream federal APIs and cached server-side for up to 24 hours, keyed by query, to reduce upstream load. Not associated with your IP address in the cache.
Correspondence
If you contact Orygn by email, we retain your message and contact details for the time needed to respond, comply with legal obligations, and maintain support records.

Orygn does not knowingly collect government-issued identifiers, payment information, biometric data, precise geolocation, or special-category personal data. The Service has no advertising network and no cross-site behavioral tracking.

/ 04 · WHERE IT COMES FROM

Sources of information.

  • Directly from you. Search inputs you submit and any correspondence you send.
  • Automatically from your browser. Network telemetry as described in Section 3.
  • From third-party providers acting on our behalf. Cloudflare (Turnstile result, edge security signals), Vercel (request logs).
  • From public federal data sources. Federal data records returned by the Service are obtained from the originating agency or its public API.

/ 05 · PURPOSES

How we use information.

  • To deliver the Service: route your request to the right federal source, return a verdict, render an audit report.
  • To protect the Service: detect and prevent abuse, denial-of-service attempts, scraping, and unauthorized access.
  • To maintain the Service: error monitoring, performance analysis, debugging, capacity planning.
  • To respond to your inquiries when you contact us.
  • To comply with legal obligations, including responding to lawful requests from public authorities.

Orygn does not use your information for advertising, profile-building, or any purpose that requires individual identification beyond what is necessary to deliver and protect the Service.

/ 07 · WHO SEES WHAT

Sharing and processors.

Orygn does not sell personal information and does not share personal information for cross-context behavioral advertising. We disclose information only in the following circumstances:

  • To service providers (data processors). Vercel (hosting and edge functions), Cloudflare (security and Turnstile), and Upstash / Vercel KV (cache state). These providers process information only on Orygn's instructions and for the purpose of delivering the Service.
  • To upstream federal data sources. Search inputs are forwarded to the relevant federal API to retrieve the requested public data.
  • To comply with law. Orygn may disclose information when required by valid legal process or to protect the rights, property, or safety of Orygn, the Service, our users, or the public.
  • In a corporate transaction. If Orygn is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction.

/ 08 · SOURCE DATA

Federal source data.

The Service displays records about business entities, federal contractors, and other organizations that the United States Government publishes through SAM.gov, data.dol.gov, OSHA enforcement databases, the ITA Consolidated Screening List, USAspending.gov, SEC EDGAR, GLEIF, and the NIST National Vulnerability Database. Orygn does not own, create, or control that source data. If you believe a federal record about you or your organization is inaccurate, the correction must be made through the originating federal agency. Orygn cannot edit federal records on your behalf.

/ 09 · HOW LONG

Retention.

Local browser storage
Persists until you clear it. Orygn cannot read, audit, or delete it remotely.
Federal-source cache (Vercel KV)
Up to 24 hours per query, then evicted. Keyed by query, not by user.
Vercel and Cloudflare logs
Standard platform retention (typically 30 days for request logs, longer for security telemetry). Governed by the providers' policies.
Email correspondence
Retained as long as needed to respond and to maintain support records, then deleted on a routine cadence.

/ 10 · STORAGE

Cookies and similar technologies.

The Service uses a small number of strictly necessary cookies and browser-storage mechanisms:

  • Cloudflare Turnstile cookies for the bot-mitigation challenge. Required to use the Service.
  • Session and HMAC cookies set by the audit endpoint to support replay protection and rate-limit accounting. Required to use the Service.
  • Local storage and IndexedDB to persist your audit history, watchlists, and preferences in your browser. Optional; clearing your browser storage removes them.

The Service does not use third-party advertising cookies or cross-site tracking pixels.

/ 11 · SAFEGUARDS

Security.

Orygn implements technical and organizational measures appropriate to the risk, including TLS 1.2 / 1.3 in transit, HTTP Strict Transport Security, a Content Security Policy, server-side validation of Cloudflare Turnstile tokens, HMAC-signed session cookies, rate limiting, and replay protection. Orygn does not store federal API keys client-side; all upstream calls run from a stateless serverless function.

No system on the public internet is perfectly secure. If Orygn becomes aware of a security incident affecting Service users, Orygn will notify affected users in accordance with applicable law.

/ 12 · DATA LOCATION

International transfers.

The Service is hosted in the United States. If you access the Service from outside the United States, you understand that information processed in connection with your use of the Service may be transferred to and processed in the United States, where data-protection laws may differ from those of your jurisdiction. For users in the European Economic Area, the United Kingdom, or Switzerland, transfers occur on the basis of legitimate interests in delivering the requested Service and, where applicable, on the basis of standard contractual clauses with our processors.

/ 13 · YOUR RIGHTS

Your rights.

Depending on your jurisdiction, you may have the right to:

  • Request access to the personal information Orygn holds about you.
  • Request correction of inaccurate personal information.
  • Request deletion of personal information, subject to legal exceptions.
  • Object to or restrict certain processing.
  • Data portability (where applicable).
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with the data-protection authority in your jurisdiction.

Because the Service does not require accounts, the personal information Orygn directly holds about most users is limited to what is described in Section 3. To exercise a right, contact Orygn at the address in Section 18. Orygn will respond within the time required by applicable law.

/ 14 · CALIFORNIA

California residents (CCPA / CPRA).

California residents have the rights described in Section 13, plus the right to know the categories of personal information collected, sources, business or commercial purposes, and categories of third parties with whom information is shared. Those disclosures are provided in Sections 3, 4, 5, and 7.

Orygn does not “sell” or “share” personal information as those terms are defined in the CCPA / CPRA. Orygn does not use or disclose sensitive personal information for purposes that would require a separate right to limit. California residents may submit requests by emailing the contact in Section 18. Orygn will not discriminate against any consumer for exercising a CCPA / CPRA right.

/ 15 · DNT AND GPC

Do Not Track and Global Privacy Control.

The Service does not change behavior in response to a Do Not Track signal because the Service does not engage in cross-site tracking. The Service honors the Global Privacy Control signal as a valid request to opt out of any “sale” or “share” of personal information under California law. Orygn does not currently sell or share personal information regardless.

/ 16 · UNDER 18

Children's privacy.

The Service is not directed to children under 18, and Orygn does not knowingly collect personal information from children under 13. The Service deals with federal contractor records and is intended for use by adults in a business or research context. If Orygn becomes aware that a child under 13 has provided personal information, Orygn will delete it. Orygn takes compliance with the Children's Online Privacy Protection Act (COPPA) seriously.

/ 17 · UPDATES

Changes to this Policy.

Orygn may update this Privacy Policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Material changes will be highlighted on the page and, where required by law, notified to users through a more prominent mechanism. Continued use of the Service after the effective date of an update constitutes acceptance of the updated Policy.

/ 18 · REACH US

Contact.

For privacy questions, requests under Section 13 or Section 14, or any other inquiry, contact:

Orygn LLC

Attn: Privacy

Email: [email protected]

Web: orygn.tech

Last reviewed