Privacy policy.

This Privacy Policy explains what data Openrift Pte. Ltd. collects when you engage us, how we use it, where it lives, and what rights you have over it under Singapore's Personal Data Protection Act 2012 (PDPA) and equivalent law in your jurisdiction. We don't sell data. We don't train on your data. We do explain everything we actually do.

Last updated: 2026-05-15
Data residency: Singapore (AWS ap-southeast-1)
Compliance: PDPA · SOC 2 Type 1

01

Introduction

This Privacy Policy applies to Openrift Pte. Ltd., a private company limited by shares incorporated in Singapore (collectively “Openrift,” “we,” “us,” or “our”) and all services we provide to clients engaging Openrift for Discovery, Deploy, or Run work.

We are committed to handling personal data in accordance with the Singapore Personal Data Protection Act 2012 (PDPA), including the consent, purpose, notification, access, correction, accuracy, protection, retention, transfer, and accountability obligations set out in the Act. Where personal data originates from another Southeast Asian jurisdiction, we apply equivalent care under that jurisdiction’s law.

If you have questions about how we handle your data, write to privacy@openrift.io.

02

Information We Collect

We collect three broad categories of information during an engagement.

  • Workspace data — the messages, files, and ticket content that pass through the Slack workspaces, WhatsApp Business numbers, and other surfaces where our agents operate on your behalf. We process this data to run the agents you have asked us to run.
  • Integration tokens and credentials — OAuth tokens, API keys, and other credentials you grant us in order to let agents query the third-party tools you have connected (for example Stripe, HubSpot, Xero, GitHub, Linear, Notion, BigCommerce, Google Drive).
  • Agent action logs — structured records of every meaningful action our agents take on your behalf, including the inputs that triggered the action, the tools called, the outputs produced, the approvals requested, and the human decisions taken. These logs exist for your audit and our diagnostics.

03

How We Use It

We use the information we collect for the following purposes only:

  • Operating the agents you have engaged us to deploy and run, and the workflows defined in your statement of work.
  • Diagnosing problems, tuning behaviour, and shipping fixes when something goes wrong.
  • Producing the audit logs, reports, and summaries we are contractually obligated to provide.
  • Communicating with you about your engagement, including billing, scope, status, and changes that affect you.
  • Meeting our legal, regulatory, audit, and tax obligations in Singapore and wherever else we are required to.

04

Data Storage

All client data is stored in Singapore on Amazon Web Services (AWS) infrastructure in the ap-southeast-1 (Singapore) region. We do not replicate client data outside Singapore as part of normal operations.

Data is encrypted at rest using AES-256 with keys managed in AWS Key Management Service (KMS). Data is encrypted in transit using TLS 1.2 or higher between all internal and external systems.

Each engagement is logically isolated. Workspace boundaries are enforced at the application layer and validated as part of our SOC 2 Type 1 controls. Data from one client engagement does not commingle with another client’s engagement.

05

Data Sharing

We do not sell your data. We do not rent, share, or otherwise commercialise it with any third party for marketing, advertising, or any other purpose unrelated to delivering the services you have engaged us for.

We share data with third parties only in the following circumstances: (a) third-party tools that you have explicitly connected to your engagement (your data flows to those tools because you have asked us to integrate them); (b) sub-processors who provide infrastructure or model inference essential to operating the service (listed in section 06); and (c) where required by law, court order, or other valid legal process.

Where we share data with a sub-processor, we do so under contractual terms that require the sub-processor to apply equivalent protections to those set out in this Policy.

06

Third-Party Services

We use a small number of carefully chosen sub-processors. The current list is:

  • Amazon Web Services (AWS) — primary infrastructure provider, ap-southeast-1 region, for compute, storage, secrets management, and networking.
  • Anthropic and OpenAI — model providers for agent reasoning and tool-use. Calls are made via their commercial enterprise APIs which do not train on inputs by default.
  • Slack and WhatsApp (Meta) — the communication surfaces on which our agents operate when you have connected them.
  • Cloudflare — edge networking, DDoS protection, and asset delivery for our public website and APIs.
  • Stripe — payment processing for engagement invoices.

07

Security Practices

Openrift maintains a documented information security programme designed to protect the confidentiality, integrity, and availability of client data. The programme is independently attested under SOC 2 Type 1, with Type 2 attestation in progress and ISO 27001 in pursuit.

Controls include encryption at rest and in transit, least-privilege access with mandatory multi-factor authentication for all staff, hardware-key enforcement for production access, centralised logging of administrative actions, secrets management via AWS KMS, vulnerability scanning of dependencies and infrastructure, and an annual third-party penetration test.

We will notify affected clients of any confirmed security incident materially affecting their data without undue delay, and in any event within the timeframes required by applicable law (including, where applicable, the seventy-two-hour notification window under analogous regimes).

08

Your Rights

Under the PDPA and equivalent law, you have rights in respect of personal data we hold about you, including the right to access, correct, and request deletion or export of your data. To exercise any of these rights, write to privacy@openrift.io. We will respond within thirty (30) days, or sooner where required by law.

  • Access — you can request a copy of the personal data we hold about you and the purposes for which it has been used.
  • Correction — you can ask us to correct inaccurate or incomplete personal data.
  • Deletion — you can ask us to delete your personal data, subject to legal and contractual retention obligations.
  • Export — you can request your data in a structured, commonly used, machine-readable format.

If you believe we are not handling your data correctly, you may complain to the Personal Data Protection Commission (PDPC) in Singapore or the equivalent authority in your jurisdiction. We’d prefer you raise the concern with us first so we can fix it.

09

Data Retention

We retain client data for the duration of your engagement plus a tail of ninety (90) days after the engagement ends. At the end of the ninety-day tail we wipe stored workspace data, integration credentials, and agent action logs from our production systems.

Backups containing client data are retained on a rolling basis and are overwritten on a standard cycle not exceeding thirty-five (35) days. Backup wipe is automatic and is verified as part of our SOC 2 controls.

Where law requires us to retain certain records for longer (for example tax records, financial records, or material subject to legal hold), we retain only the records required, for the minimum period required, and apply equivalent protections throughout that retention.

10

International Transfers

Our primary data residency is Singapore. Where we transfer personal data outside Singapore — for example to a model-provider API endpoint hosted in another region, or to a sub-processor with global infrastructure — we do so only to the extent necessary to deliver the service and only under contractual protections that meet or exceed the standards in the PDPA.

We will inform you in your statement of work or in advance, where reasonably practicable, of any transfer of personal data outside Southeast Asia that is material to your engagement.

For clients with strict data-residency requirements we can scope a deploy that keeps all model inference inside Singapore using region-locked endpoints. That is an enterprise configuration — talk to us during Discovery.

11

Children’s Privacy

Openrift’s services are intended for use by businesses and their staff. We do not knowingly collect personal data from any individual under the age of eighteen (18). Our services are not directed at children.

If you become aware that personal data relating to a child has been provided to us in the course of an engagement, contact privacy@openrift.io and we will delete it promptly.

12

Changes to This Policy

We may update this Privacy Policy from time to time. The Last Updated date at the top of this Policy reflects when the current version was published.

For material changes — including changes to the categories of data we collect, the sub-processors we use, or your rights under this Policy — we will give existing clients written notice at least thirty (30) days before the change takes effect. For non-material changes (clarifications, typographical fixes, or updates to reflect new law) the update takes effect when published.

Continued use of our services after a change takes effect constitutes acceptance of the updated Policy.

13

Contact

Openrift Pte. Ltd. is the data controller for personal data we hold about you in our corporate capacity, and a data processor for personal data you provide for the purposes of running your engagement.

For all privacy questions, requests, complaints, or to exercise your rights under this Policy, write to privacy@openrift.io. Our Data Protection Officer (DPO) reads every message at this address.

We aim to respond to privacy correspondence within five (5) SGT business days, and to formal data subject requests within the statutory timeframes (typically thirty days).
