Trust Center

Compliance, security, and accountability in one place.

Everything procurement officers, security teams, and prospects ask about how we operate. Privacy, security, AI usage, accessibility, cookies, terms, and the third parties we work with.

Last updated: May 2026 · OpenSource Technologies, Inc., a Pennsylvania corporation

SAM-registered · WCAG 2.2 AA target · NDA on request

Our policies

Privacy, security, AI usage, accessibility, cookies, terms.

Each policy is published as its own page. Click through for the full statement.

Privacy Policy

How we collect, use, store, and delete personal data. GDPR and CCPA aligned. Data subject rights, retention periods, and request paths.

Updated May 2026 · Read policy →

Security

Infrastructure controls, access management, encryption practices, vulnerability response, and incident playbooks. SOC 2 alignment on request for procurement.

Updated May 2026 · Read policy →

AI Usage Policy

Which AI tools we use, when we use them, and how we honor client AI policies. Includes our default tool list (Claude Code, Cursor, Codex, Copilot) and the no-AI delivery option for restricted projects.

Updated May 2026 · Read policy →

Accessibility Statement

WCAG 2.2 AA conformance approach, Section 508 alignment, testing methodology, known issues, and how to report a barrier. Applies to ost.agency and platforms we deliver.

Updated May 2026 · Read statement →

Cookie Policy

Every cookie this website sets, what it does, how long it persists, and how to opt out. Strictly necessary, analytics, and preference categories explained separately.

Updated May 2026 · Read policy →

Terms of Service

Terms governing use of ost.agency, our content, and any tools we make available publicly. Separate from engagement-specific contracts (those have their own terms in the SOW).

Updated May 2026 · Read terms →

Sub-processor List

Third parties that process data on our behalf or our clients' behalf. Hosting, email, analytics, communication tools. Updated when we add or remove a vendor.

Updated May 2026 · View list →

Capability Statement

For procurement officers and prime contractors. Past performance, key personnel, and codes/compliance overview. Federal procurement codes (SAM UEI, NAICS, CAGE) available on request. PDF-printable.

Updated May 2026 · View statement →

Frameworks & standards

Compliance we support, scoped per engagement.

Frameworks we have experience implementing when contracted to do so. Specific compliance is scoped in your contract or SOW based on what your project actually requires.

Important: Listing a framework here means we have delivered to that standard on past engagements. It is not a blanket warranty that every OST project meets every framework. Each engagement is scoped individually. If a specific compliance is not listed in your contract, we are not obligated to deliver it. Federal procurement codes (SAM UEI, NAICS, CAGE) are available on request via the contact form.

WCAG 2.2 AA: Web Content Accessibility Guidelines, latest version. Default for every site we deliver.
Section 508: Federal accessibility standard. Required for SLED and federal procurement.
GDPR: EU General Data Protection Regulation. Privacy policy aligned for EU data subjects.
CCPA / CPRA: California consumer privacy laws. Right to know, delete, and opt out honored.
FERPA: Family Educational Rights and Privacy Act. Student record protections for K-12 and higher-ed engagements.
COPPA: Children's Online Privacy Protection Act. Required when platforms reach users under 13.
SOPIPA: California Student Online Personal Information Protection Act. Influential model for many state student-data laws.
SDPC / SDPA: Student Data Privacy Consortium agreements available for K-12 districts requiring signed DPAs.
HIPAA: Health-sector engagements scoped individually. Discuss BAA requirements during contract negotiation.
SOC 2 alignment: Available on request for security-sensitive procurement responses.

Specific compliance question?

Reach Shaili Gupta directly.

Procurement officers needing a specific policy clause, security audit response, or data processing addendum can route through the contact form. Replies from Shaili Gupta, President, within 1 business day.