Where we stand today, where we're going, and who to talk to. The decision-maker view of /privacy-design — same architecture, framed for the people signing off.
One row for each framework that matters to a procurement review, with the real status — not a logo wall. “In progress” means in progress; “delegated” means a named vendor carries that scope.
| Framework | Status | Scope | Notes |
|---|---|---|---|
| SOC 2 Type II | in progress | Security, Confidentiality, Privacy | Audit partner published on this page at kick-off. First report by end of 2026 — executive summary public, full report under NDA. |
| GDPR (EU) | honored globally | Data subject rights | Access, rectification, erasure, and portability — email security@useagent.now. Applied globally, not just for EU residents. |
| CCPA (California) | honored globally | Consumer privacy rights | Same rights as GDPR, applied globally. No sale or sharing to opt out of — we do not sell or share. |
| PCI DSS | delegated | Card data handling | Stripe is the card processor. useagent.now never stores Primary Account Numbers or full card details on its own infrastructure. |
A hard geo-gate would help no one whose work crosses borders, and would become a product tax on every future change. Here is the map procurement asks for. The extended version with replicas and notes sits on the privacy design page.
Account security is a series of narrow decisions. Each of the four controls is one decision. The three items on the right are the same kind of decision, made the other way: against adding them.
When something breaks, these four deadlines govern what we do and when. They are not aspirational — missing one is itself an incident.
The affected data flow is frozen. An internal war room opens. The clock on the rest of the ladder starts here.
Email from security@useagent.now with the scope, the impact, and what the user needs to do. Nothing dressed up, nothing buried.
One page per incident. Dated, signed, permanent. Linked from the changelog and the transparency report.
Root cause, contributing factors, fix, and a concrete preventive action. Posted on /status alongside the incident page.
Published every quarter. Covers the last three months of incidents and whether the four clocks above were hit, plus data subject request volume and supply transparency metrics. No quarter is skipped — an empty quarter is reported empty.
One inbox, one clock. The rules below are the contract between the researcher and the engineering team — nothing hidden behind a form.
We don't run a cash bounty program. Paying for vulnerabilities invites noise and sets incentives we're not ready to manage well.
Confirmed reports get a permanent credit on the acknowledgments page and a package of useagent.now swag. Researchers keep full attribution.
Use the address that matches the request. Everything lands with a human on the engineering, legal, or commercial side — not a shared queue that fans out.
Vulnerabilities, incident reports, and anything that needs the engineering team at 3 a.m. 48-hour acknowledgment SLA.
DPA requests, sub-processor list, law enforcement process, subpoena intake.
Full SOC 2 report under NDA once published, custom DPAs, and procurement packets.
This page is for the people signing off. The data flow, the three boundaries where content is touched, and the full persistence list live on the privacy design page — same architecture, different audience.