DORA-Aware Readiness

DORA-Aware Security Readiness for AI RevOps Infrastructure

AgentFlow Enterprise is structured around compliance-aware security documentation, operational resilience controls, ICT third-party risk visibility, and AI workflow governance foundations designed to support enterprise and financial-sector due diligence.

Important Accuracy Notice

AgentFlow Enterprise is not independently certified or legally attested for DORA obligations. This page describes DORA-aware readiness documentation and operational resilience foundations for buyer and enterprise evaluation.

Readiness pillars

A serious operating model for enterprise review.

Each pillar separates existing repository foundations from manual verification work and future maturity steps.

ICT Risk Management (status: Documentation Ready)

What exists: a formal ICT risk register and control map. Manual verification: owner review, scoring, acceptance, and evidence capture. Future maturity path: scheduled risk review and executive accountability.

Incident Response (status: Documentation Ready)

What exists: severity model, triage, containment, recovery, and report templates. Manual verification: alert routing and tabletop exercises. Future maturity path: tested notification workflows.

Operational Resilience Testing (status: Manual Verification Required)

What exists: test, restore, and resilience checklists. Manual verification: run tests in buyer-owned or staging environments. Future maturity path: recurring resilience exercises.

Third-Party ICT Risk (status: Documentation Ready)

What exists: vendor risk register and provider transparency language. Manual verification: DPAs, terms, regions, SLAs, and transfer constraints. Future maturity path: annual vendor reviews.

Backup & Disaster Recovery (status: Documentation Ready)

What exists: backup, restore, and DR plan. Manual verification: Supabase restore test, Vercel rebuild, env recovery, and DNS recovery. Future maturity path: defined RTO/RPO with artifacts.

AI Workflow Governance (status: Partial)

What exists: server-mediated AI calls and governance controls. Manual verification: prompt-injection tests and provider review. Future maturity path: prompt versioning and AI audit records.

Evidence Management (status: Documentation Ready)

What exists: evidence register and protected readiness cockpit. Manual verification: dated artifacts and owner sign-off. Future maturity path: controlled evidence lifecycle.

Data Retention & Deletion (status: Documentation Ready)

What exists: retention and deletion policy module. Manual verification: policy approval and deletion workflow testing. Future maturity path: automated retention controls.

Control map

DORA readiness control map.

This public map uses conservative statuses: Documentation Ready, Partial, Manual Verification Required, and Roadmap.

Control area | Scope | Status - next step
ICT governance | Owner/operator documentation, handover path, and readiness controls. | Documentation Ready - assign named owners and review cadence.
ICT risk management | Formal risk register with realistic security, provider, and operational risks. | Documentation Ready - review, accept, and track risks.
Incident response | SEV1-SEV4 runbook, evidence rules, and post-incident templates. | Documentation Ready - run tabletop exercises.
Backup and restore | Supabase, Vercel, GitHub, env, DNS, and Stripe boundary plan. | Manual Verification Required - complete restore test.
Third-party ICT risk | Vendor register covering hosting, database, payments, AI, monitoring, analytics, legal, and source control providers. | Documentation Ready - collect provider evidence.
AI workflow governance | Server-side provider mediation, prompt risk controls, and roadmap governance. | Partial - add prompt tests and audit records.
Data retention | Policy module for leads, AI outputs, billing references, analytics, logs, contact messages, and evidence records. | Documentation Ready - implement deletion workflow where required.
Evidence management | Evidence register and protected verified-readiness dashboard section. | Manual Verification Required - capture dated artifacts.

Enterprise evidence package

Public links and private buyer-review artifacts.

Public pages provide safe orientation. Internal evidence documents are available for private buyer or enterprise review when appropriately redacted.

Private review artifacts

  • DORA readiness map
  • ICT risk register
  • Vendor risk register
  • Incident response runbook
  • Backup/restore plan
  • Security controls matrix
  • AI governance controls
  • Evidence register

AI governance boundary

AI assistance stays inside governed workflow limits.

AI workflows are server-mediated, provider keys are not exposed client-side, outputs require governance and review, multi-model roadmap work must preserve the same boundaries, and prompt/model risks require continuous testing.

Third-party ICT provider transparency

Provider risk remains part of buyer due diligence.

The platform depends on third-party ICT providers such as hosting, database, payments, observability, analytics, and AI providers. Vendor-specific transfer, availability, and compliance obligations remain subject to each provider's own terms and buyer due diligence.

FAQ

Straight answers for technical buyers.

Each answer is written to preserve buyer confidence without inventing traction, certifications, or implementation proof that still needs verification.

Is AgentFlow Enterprise legally attested under DORA?

No. AgentFlow Enterprise includes a DORA-aware readiness package and operational resilience documentation, but it is not independently attested or legally represented as meeting DORA obligations.

What does DORA-aware readiness mean?

It means the repository includes compliance-aware documentation and control foundations for ICT risk, incident response, third-party risk, continuity, disaster recovery, AI governance, and evidence management.

Does AgentFlow Enterprise have SOC 2 or ISO 27001?

No formal SOC 2 or ISO 27001 assurance report is claimed in this repository. The materials are designed to support future readiness and buyer review.

What security documentation is available?

The repository includes a DORA readiness map, ICT risk register, vendor register, incident runbook, DR plan, retention policy module, controls matrix, AI governance controls, evidence register, and questionnaire pack.

How are incidents handled?

The incident response runbook defines severity levels, detection sources, triage, containment, recovery, communication, evidence collection, and post-incident review templates.

How are third-party ICT providers tracked?

The vendor register tracks provider role, data processed, criticality, current status, risk category, due diligence evidence, fallback considerations, and transfer notes.

Does AgentFlow Enterprise store payment card data?

The application is designed around Stripe-hosted Checkout and billing portal flows, so raw card data should remain inside Stripe rather than the application database.

How is AI workflow risk handled?

AI workflows are server-mediated, provider keys are kept outside browser bundles, inputs should be minimized, outputs require review, and prompt/model risks require continuous testing.

Can enterprise buyers request private evidence?

Yes. Evidence artifacts such as provider screenshots, deployment logs, restore tests, and security review notes should be shared privately after redaction and owner approval.

Is this suitable for financial-sector due diligence?

It is a foundation for financial-sector due diligence conversations. Suitability for a regulated deployment requires buyer-specific legal, security, vendor, and operational verification.

Private review path

Use the readiness pack as a starting point for serious evaluation.

Enterprise buyers should pair these materials with provider evidence, legal review, production testing, and independent assessment where required.