For procurement, security, and platform teams

Enterprise roadmap.

SSO, audit logs with agent identity, SOC 2 evidence collection, VPC deployment, dedicated bridge nodes, 99.9% uptime SLA. Most of these are roadmap, not shipped yet. Today the factory produces working Next.js web apps from prompts (/factory/proof).

2026-05 status: The pillars below describe what we’re building toward. The comparison matrix at /factory/compare marks each row with its real support level (shipped / partial / no). Use the matrix for procurement, not the bullets below — bullets describe the target, not today’s reality.

  • Models available: 12, across 4 providers, hot-swap per request
  • Compliance frameworks tracked: 9 (SOC 2, GDPR, HIPAA, CCPA, ISO 27001, EU AI Act, PCI, FedRAMP, NIST AI RMF) — honest status per row
  • Surfaces shipping today: 1, web (desktop + mobile + PWA are roadmap per ADR 0008)
  • Uptime (/status): 99.9% target on planned Enterprise tier; /factory/status shows live component status

Six enterprise pillars (target)

Procurement asks the same questions. Below are the answers we’re building toward. Bullets describe the target state, not what’s shipped on prod today. For the real per-feature status (shipped / partial / no), see the comparison matrix at /factory/compare.

Compliance-ready
Honest posture per framework. /factory/compliance is the source of truth, and we claim no certification we don't hold.
  • SOC 2 Type II — in progress (audit window Q4 2026; no certification claimed)
  • ISO 27001 — in progress (control mapping work covers SOC 2 prep)
  • GDPR DPA template — shipped at /factory/dpa with inline sub-processor list
  • EU AI Act readiness — in progress (no code yet references Art. 14)
  • HIPAA-friendly mode — in progress (BAA template drafted, ties to Enterprise tier)
  • FedRAMP — out of scope; not on the roadmap
Identity & access
Roadmap pillar today. Hobby tier uses Supabase Auth email/password; the SSO + SCIM + LDAP + IP-allowlist features below are intended for Enterprise when it ships.
  • SAML 2.0 (Okta, Azure AD, OneLogin, Ping) — planned
  • OIDC (Google Workspace, generic OIDC) — planned
  • SCIM 2.0 user + group provisioning — planned
  • LDAP / Active Directory bind — planned
  • MFA (TOTP + WebAuthn) — partial today via Supabase Auth; strict mode is planned
  • IP CIDR allowlists + geo restrictions — planned
  • Custom roles with inherited permissions — planned
Audit & observability
Audit log machinery is live; full orchestrator-step coverage is in progress.
  • Per-step audit events scoped to tenant — in progress (API submissions + admin retries recorded today)
  • actor_is_agent + agent_run_id columns on sf_factory_audit_events — shipped
  • CSV + JSONL streaming export at /api/admin/factory/audit/export — shipped (verified live)
  • OpenTelemetry-compatible distributed tracing — partial
  • Structured JSON logging with traceId + jobId + tenant — shipped
  • Slow query alerting via pg_stat_statements harvester — shipped
Deployment options
Multi-tenant SaaS is the only shipping option today. Single-tenant / VPC / dedicated bridge stories are roadmap.
  • Multi-tenant SaaS (default): shared Linux bridge pool — shipped
  • Dedicated single-tenant (isolated bridge VMs, your AWS account) — planned
  • VPC deployment (factory-specific docker-compose + bridge containers) — planned (no Terraform/runbook yet)
  • Data residency: US-only today (us-east-1). EU / APAC / US-Gov — planned
  • No vendor lock-in: generated workspaces ARE plain Next.js + libSQL you can host anywhere — shipped
Performance & SLA
Targets on planned Enterprise tier. No contract is signable today because billing is not wired.
  • Tier-based queue priority — planned
  • Bridge auto-scaling via queue-depth + p95-wait — planned (single Linux bridge today)
  • Multi-region failover — planned
  • 99.9% uptime — TARGET on planned Enterprise tier (no contract today; /factory/status shows live component status, no measured-uptime number yet)
  • Disaster recovery (RTO/RPO) — planned
  • Daily backup verification — planned
Code quality & safety
Some real, some planned. Bias/fairness scanner + quality grading run today.
  • Bias/fairness monitor for code-generation paths — shipped (lib/ai-gateway/fairness.ts)
  • Quality grading A-F (tests + complexity + security + perf + a11y) — shipped (lib/factory/quality-scorer)
  • SAST (Semgrep-style rules on every generated file) — planned
  • License compliance (allow/deny/flag-copyleft) — planned
  • Vulnerability scanning (npm audit / pip-audit critical = block) — planned
  • SLSA L2 provenance attestation — planned
  • Reproducible builds (lockfile verification + integrity hashes) — planned

Pricing built for enterprise

Annual contracts with custom terms. Includes everything in Pro plus SSO, audit export, VPC option, dedicated bridges, 99.9% SLA, NDA, DPA, MSA.

Custom
scoped to your team size + compliance needs
Request a quote

Paperwork status

Honest snapshot of what’s drafted vs signable today. Enterprise tier is planned (no billing wired), so most of these are template-ready but not yet executable. Write to [email protected] if your evaluation needs any of these signed today.

MSA
Master service agreement — template drafted; not signable until Enterprise tier ships (billing planned)
DPA
Data processing agreement — shipped at /factory/dpa with inline sub-processor list (GDPR Art. 28)
BAA
Business associate agreement — template drafted; HIPAA-friendly mode is in progress (ties to Enterprise tier)
SOC 2 report
Type II — in progress; audit window Q4 2026, no certification claimed yet
Insurance
Cyber liability + E&O — quoted, not yet bound. Will be wired before first Enterprise signed contract.
Security questionnaire
CAIQ-Lite, SIG-Lite, vendor-specific — best-effort response today (no contracted turnaround until process is documented)

Source-available

Our entire factory is on GitHub. Read the code. Run the audit queries yourself. Verify the claims before you sign.

github.com/OOretz/ooretz-space