Honest current state, not aspirational.
OwnListed's current security and compliance posture, in writing. We do not claim certifications we do not hold; we do name the planned timeline for SOC 2 attestation. The sub-processor list below reflects the actual stack today.
Security questionnaire contact: security@ownlisted.com · /contact
What we hold and where it came from.
Every public field on every OwnListed surface is anchored on a registered public-record source — CMS NPPES, CMS PECOS, FL DBPR, CMS Care Compare, BLS OEWS, U.S. Census, HRSA HPSA. Each source carries an explicit redistribution license documented at /sources/[slug]; we do not republish data we do not have license to surface.
Restricted-distribution registries (state-bar membership rosters, NMLS Consumer Access, ABMS / CertiFacts) are explicitly excluded — see the §125 RESTRICTED_SOURCES list. We cite these sources publicly when relevant but never republish their rows.
Owner-claim flows collect only the fields needed to verify ownership and operate the claimed listing. Claims are never sold, leased, or syndicated to third parties.
We hold what we need, for as long as it is useful.
Public-record source data: refreshed on the published cadence per source family (FL DBPR weekly, CMS NPPES monthly, CMS Care Compare quarterly). Previous snapshots are preserved to support change-record auditing.
Owner-claim records: held for the life of the claimed listing plus a 12-month tail after a claim is closed (sufficient to support corrections + complaint response). Operator-tooling logs follow the same window.
Analytics events (per §127): GA4 + PostHog retention follows the platform-default window. PII is never sent to either system; only the PII-safe payload fields (data-source-slug, data-surface, data-vertical-slug) are sent.
Least-privilege by default.
Production database access is gated through Supabase row-level security (RLS) policies + a small operator-tooling allowlist. Public surfaces use the anonymous Supabase key with read-only access to RLS-permitted tables. Service-role keys are never shipped to the browser.
Operator-tooling access is restricted to the founder + named operators. Each operator authenticates per session; no shared credentials.
Source ingestion scripts (`scripts/sources/*`) run as service-role for write access during scheduled refreshes. Outputs are diffed against the previous snapshot before commit.
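To make the least-privilege boundary above concrete, here is an added example of the kind of RLS arrangement it describes; it is not OwnListed's own migration, and the listings and operator_allowlist tables, their columns, and the policy names are assumptions.

```sql
-- Added example, not OwnListed's own schema. Table and column names are
-- hypothetical. Supabase ships the roles anon, authenticated and service_role
-- and the auth.uid() helper; service_role bypasses RLS, which is why that key
-- must stay server-side (ingestion scripts) and never reach the browser.

create table if not exists public.listings (
  id          bigint  generated always as identity primary key,
  source_slug text    not null,                 -- e.g. 'cms-nppes' (constructed)
  published   boolean not null default false,
  payload     jsonb   not null
);

create table if not exists public.operator_allowlist (
  user_id uuid primary key references auth.users (id)
);

-- 1. Default-deny: once RLS is on, a role sees no rows until a policy says so.
alter table public.listings           enable row level security;
alter table public.operator_allowlist enable row level security;

-- 2. The anonymous key shipped to the browser is read-only and published-only.
revoke all on public.listings from anon, authenticated;
grant select on public.listings to anon, authenticated;
create policy "public read of published listings"
  on public.listings for select
  to anon, authenticated
  using (published);

-- 3. Operators are logged-in users on a small allowlist: each may read only
--    their own allowlist row, and only allowlisted users may update listings.
grant select on public.operator_allowlist to authenticated;
create policy "operator reads own allowlist row"
  on public.operator_allowlist for select
  to authenticated
  using (user_id = auth.uid());
grant update on public.listings to authenticated;
create policy "allowlisted operators may update listings"
  on public.listings for update
  to authenticated
  using      (exists (select 1 from public.operator_allowlist a where a.user_id = auth.uid()))
  with check (exists (select 1 from public.operator_allowlist a where a.user_id = auth.uid()));

-- 4. No insert/delete policy exists for anon or authenticated, so those paths
--    stay closed; scheduled refreshes run as service_role, which bypasses RLS.

-- Sanity check from the SQL editor: impersonate the browser role and confirm
-- only published rows come back (auth.uid() is null for anon).
set role anon;
select count(*) from public.listings;   -- published rows only
reset role;
```

The allowlist table needs its own read policy because RLS also applies to subqueries inside other tables' policies; without it the operator check would silently match nothing.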
If something happens, we will say so.
If confirmed unauthorized access to user data is discovered, we will notify affected users + post a public statement on /corrections-log within 72 hours of confirmation. The notification will name the scope of access, the affected data classes, the time window, and the remediation steps taken.
We have not had a breach to date. The policy exists so the threshold is documented, not tested.
Planned. Not yet attested.
SOC 2 Type II attestation is on the roadmap but not yet held. We do not display a SOC 2 badge today. The target window for attestation will be set after the §157 A-tier vertical investments land and the company transitions from sprint mode to operations mode.
Buyers and procurement teams that need SOC 2 attestation today can request our security-questionnaire response from the contact below; we will answer with the actual posture, not aspirational claims.
Compliance-aware, not compliance-stamped.
OwnListed is a US-based research organization studying US local-services markets. Our public surfaces are accessible from EU + California addresses. We respond to GDPR data-subject access requests (DSARs) + CCPA disclosure-and-deletion requests through the contact below, within the documented 30-day response window.
We do not sell personal data under either statute's definition. Provider-level public-record data is the published universe; consumer behavioral data is not collected, sold, or syndicated.
If an EU resident or California resident requests data deletion, we delete in-scope owner-claim records + analytics events within 30 days and confirm in writing.
Stack disclosed.
OwnListed runs on a small, intentionally common infrastructure stack. Each sub-processor is named below with its scope. The list is reviewed quarterly + when a new sub-processor is added.
- Vercel — application hosting + edge network (US-East primary).
- Supabase — managed Postgres + auth + storage. Row-level security enforced.
- Anthropic / OpenAI — LLM inference for owner-tooling drafts; no consumer PII sent.
- Sentry — error monitoring (server-side only; PII redacted before send).
- Google Analytics 4 + PostHog — analytics. PII-safe payloads only (§127).
- Resend — transactional email (claim sign-in links, owner notifications).
- Stripe — payments for Featured / Pro tiers. PCI compliance handled by Stripe.
- GitHub — source code + CI. Public commits, private secrets.
How we triage when something breaks.
Production incidents are triaged via a documented runbook: detect (Sentry + manual smoke), classify (P0 service-down vs P1 data-quality vs P2 cosmetic), respond (deploy fix or roll back), notify (status update on /corrections-log if user-visible), retro (within 5 business days for any P0 or P1).
Data-quality incidents (a wrong figure on a live page) follow the §164 corrections workflow + are logged at /corrections-log alongside doctrinal corrections.
Procurement team needs answers? Ask.
Enterprise procurement reviews + security questionnaires (CAIQ, SIG, custom) route to security@ownlisted.com or use /contact with the subject line 'Security questionnaire'. We respond within five business days with the actual posture, never aspirational claims.
If a buyer needs an MNDA executed before exchanging questionnaire detail, we can do that — request the template from the same contact.
This page describes our current security posture. We are not SOC 2 attested. We are committed to attestation by a timeline the founder will publish once §157 A-tier investments land. We do not display certification badges we do not hold.
- /methodology → Sourcing methodology, ingestion pipeline, change-detection process.
- /editorial-policy → Source-tier definitions, source-disagreement resolution, displayed-vs-internal scope.
- /sources → Per-source license, refresh cadence, fields used, and limitations.
- /data-platform/schema → Public schema reference + provenance shape + change record.
- /corrections-log → Public corrections register + how-to-submit form.
- /contact → Security questionnaires, MNDA requests, DSAR + CCPA requests.