Skip to content
Om Concepts
Home
Services
Work
Resources
AboutContactBook a Strategy Call
Legal

Security

Last updated: 2026-04-13

Om Concepts is a single-operator practice. We do not have a SOC 2 report of our own, and we will not pretend otherwise. Instead, we rely on well-attested platform vendors for storage and delivery, and we apply disciplined access controls on top of them. This page describes the actual shape of that.

Transport security

omconcepts.net is served exclusively over HTTPS on a managed edge network. HTTP Strict Transport Security is enabled. TLS certificates are issued and renewed by our hosting provider.

Data at rest

We do not run our own database. Your data lives in vendor-managed systems with encryption at rest provided by the vendor. We rely on the following categories of provider:

  • CRM and lead storage for contact-form submissions, guide requests, and client records.
  • Email delivery for transactional confirmations, notifications, and opt-in nurture.
  • Hosting and edge infrastructure for serving the site and processing request metadata and logs.
  • AI and language-model APIs for agent endpoints. We store sanitized receipts, not raw prompts.
  • Analytics, scheduling, accounting, payments, and communications as introduced, each covered in our privacy notice.

The current named vendor list, data shared per vendor, country of processing, and vendor security postures live at /sub-processors.

Access controls

  • Admin accounts at every vendor platform we use require multi-factor authentication.
  • API keys are scoped to the minimum permissions required and rotated as needed.
  • Secrets live in managed secret stores. They are never committed to source control or shipped in the client bundle.
  • Application logs are reviewed for plaintext personal information before a feature ships. Agent endpoints store minimized audit records rather than raw prompts.

Incident response

If we confirm a security incident that affects your data, we will notify affected contacts by email within 72 hours of confirmation, describe what happened, what data was involved, what we are doing about it, and what steps you can take. Where a regulator requires notice, we will meet the shorter of that deadline or 72 hours.

Responsible disclosure

If you believe you have found a vulnerability, email alex@omconcepts.net. Include enough detail for us to reproduce the issue. Please give us a reasonable window to fix before disclosing publicly. We do not currently offer a bug bounty, but we will acknowledge your report and credit you in a fix note if you want the credit.

Changes

When our security posture changes in a way a visitor would care about, we update this page and bump the “Last updated” date at the top.