Oi Alfred Tech

Security & Privacy

Oi Alfred Tech builds websites, automations, and AI-assisted systems with a security-conscious delivery process. This page explains the safeguards currently used for the public website and the standards applied before client software is launched.

Security and responsible disclosure contact: security@oialfred.com. Privacy requests and general website questions can still be sent to tech@oialfred.com until a dedicated privacy alias exists.

Current Website Safeguards

  • HTTPS is required on the public domain, with HSTS enabled at the production proxy.
  • Security headers are checked on live pages, including content type protection, clickjacking protection, referrer policy, permissions policy, and CSP report-only.
  • Content Security Policy is intentionally staged as report-only while Spline/WebGL and browser behavior are reviewed before enforcement.
  • The static admin page is protected with Basic Auth at the Nginx layer and marked noindex/noarchive.
  • Google Analytics is consent-gated and should not load before analytics consent when a GA4 measurement ID is configured.
  • The intake form uses required fields, email validation, a hidden honeypot, formula injection protection before writing to Google Sheets, and private lead storage.

Delivery Controls

  • GitHub is the source of truth for code and change history.
  • CI runs linting, TypeScript checks, production build, browser smoke tests, privacy source checks, dependency audit, and secret scanning.
  • Production deploys are verified with live readiness checks for public pages, admin protection, security headers, sitemap, robots, and disclosure files.
  • Client projects that include accounts, private data, payments, uploads, AI workflows, CRM, email/SMS, API keys, or integrations require a security review before launch.
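The header checks named under Current Website Safeguards and the post-deploy readiness check above can share one grading function. The following is an added example written for this page, not the site's own tooling; the baseline values it expects (HSTS of at least one year, nosniff, DENY or SAMEORIGIN, a strict referrer policy) are assumptions about a sensible minimum, not the site's configured values, and the sample headers are constructed.

```typescript
// Added example, not Oi Alfred Tech's own tooling. Baseline values are assumptions.

type HeaderMap = Record<string, string>;

export interface HeaderFinding {
  header: string;
  status: "ok" | "missing" | "weak";
  detail: string;
}

const ONE_YEAR_SECONDS = 31_536_000;
const SAFE_REFERRER_POLICIES = new Set([
  "no-referrer",
  "same-origin",
  "strict-origin",
  "strict-origin-when-cross-origin",
]);

// HTTP header names are case-insensitive; normalize once so lookups are simple.
function normalize(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value.trim();
  }
  return out;
}

export function checkSecurityHeaders(raw: HeaderMap): HeaderFinding[] {
  const h = normalize(raw);
  const findings: HeaderFinding[] = [];

  // A rule returns null when the value is acceptable, or a reason when it is weak.
  const expect = (name: string, rule: (value: string) => string | null): void => {
    const value = h[name];
    if (value === undefined) {
      findings.push({ header: name, status: "missing", detail: "header absent" });
      return;
    }
    const problem = rule(value);
    findings.push(
      problem === null
        ? { header: name, status: "ok", detail: value }
        : { header: name, status: "weak", detail: problem },
    );
  };

  // HSTS only protects once browsers have cached it; a short max-age expires too soon.
  expect("strict-transport-security", (v) => {
    const match = /max-age=(\d+)/i.exec(v);
    if (match === null) return "no max-age directive";
    return Number(match[1]) >= ONE_YEAR_SECONDS ? null : `max-age ${match[1]} is below one year`;
  });
  expect("x-content-type-options", (v) =>
    v.toLowerCase() === "nosniff" ? null : `expected nosniff, got ${v}`,
  );
  // Clickjacking: a report-only CSP does not block framing, so X-Frame-Options is required.
  expect("x-frame-options", (v) =>
    ["deny", "sameorigin"].includes(v.toLowerCase()) ? null : `unexpected value ${v}`,
  );
  expect("referrer-policy", (v) =>
    SAFE_REFERRER_POLICIES.has(v.toLowerCase()) ? null : `${v} may leak full URLs cross-origin`,
  );
  expect("permissions-policy", (v) => (v.length > 0 ? null : "empty policy"));

  // CSP: enforced is best; report-only is accepted as the staged state this page
  // describes, but is recorded so the deploy log shows enforcement is still pending.
  if (h["content-security-policy"] !== undefined) {
    findings.push({ header: "content-security-policy", status: "ok", detail: "enforced" });
  } else if (h["content-security-policy-report-only"] !== undefined) {
    findings.push({
      header: "content-security-policy-report-only",
      status: "ok",
      detail: "report-only; enforcement pending",
    });
  } else {
    findings.push({ header: "content-security-policy", status: "missing", detail: "no CSP in any mode" });
  }

  return findings;
}

// Deploy gate: anything missing or weak fails the readiness check.
export function passesReadiness(findings: HeaderFinding[]): boolean {
  return findings.every((f) => f.status === "ok");
}

// Constructed sample headers in the shape a fetch() response would expose.
export const SAMPLE_GOOD_HEADERS: HeaderMap = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
};
```

In a deploy pipeline the header map comes from a real request to each public page and to the admin path, and a `false` from the gate blocks the release with the list of findings attached.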

Privacy And Data Handling

Oi Alfred Tech limits what the public website collects. Project requests may include contact details, business context, project needs, budget range, timeline, and technical metadata used for operations, security, and spam prevention. The privacy notice explains the current data flow, vendor categories, rights workflow, retention posture, and deletion process.

Review the privacy notice and terms for the current public website commitments.

AI Workflow Safety

  • AI-assisted work is reviewed by a human before client-visible or production action.
  • Client projects that use AI agents need explicit tool permissions, narrow access, audit notes, and a way to pause unsafe workflows.
  • Legal, financial, destructive, permission-changing, or irreversible actions stay behind human approval unless a written agreement defines another process.

Vulnerability Reports

If you believe you found a vulnerability in an Oi Alfred Tech system, email security@oialfred.com with the affected URL, a clear description, steps to reproduce, and any safe evidence. Do not access private data, disrupt service, run denial-of-service tests, or test systems that are not owned or explicitly authorized by Oi Alfred Tech.

Not Yet Claimed

Oi Alfred Tech does not currently claim SOC 2, ISO 27001, ISO 27701, HIPAA, PCI DSS, or OpenAI Zero Data Retention certification or contractual status. If a project needs those controls, they must be scoped, contracted, verified, and reviewed with qualified counsel or the relevant vendor before being promised to a client.

Next Hardening Steps

  • Add a dedicated privacy alias after the email account is created.
  • Add stronger intake throttling and duplicate-submission handling before paid ads.
  • Add Cloudflare Turnstile or equivalent challenge protection before high-volume traffic.
  • Move CSP from report-only to enforcement only after report-only checks are clean.
  • Review vendors, access permissions, privacy posture, and live security checks quarterly.

Last updated: May 17, 2026