Procurement Packet
A procurement-aware overview of Cichocki Advisory's vendor posture: company facts, compliance summary, security controls, contract templates, and the workflow your team can expect from inquiry to engagement kickoff.
At a glance
The basics your procurement intake form needs. Sensitive details (EIN/TIN, banking, COI limits) are provided through the secure procurement channel.
Frameworks & current posture
Honest yes / no / partial / not-applicable status. We do not claim third-party attestation or certification unless explicitly stated in a signed procurement response.
| Framework / Requirement | Status | Notes |
|---|---|---|
| SOC 2 Trust Services Criteria | Mapped | Controls mapped to applicable SOC 2 TSC areas (Security, Availability, Confidentiality). No SOC 2 Type II attestation currently claimed. |
| ISO/IEC 27001 | Not certified | Not pursuing certification for the advisory practice at this time. |
| HIPAA | Engagement-scoped | Advisory engagements typically do not involve PHI. BAA requirements are evaluated during contracting if PHI is in scope. |
| GDPR / UK GDPR | DPA available | Where personal data processing is in scope; SCCs used where applicable. Processing scope defined per engagement. |
| CCPA / CPRA | Compliant | Consumer privacy requests handled where applicable; no sale of personal information. |
| PCI DSS | Not applicable | Cichocki Advisory does not process or store cardholder data. |
| FedRAMP | Not applicable | Advisory engagements operate outside FedRAMP-authorized cloud boundaries. |
| State & sector regulations (NY DFS, GLBA, FINRA, etc.) | Reviewed per engagement | Specific requirements assessed during scoping based on client industry and jurisdiction. |
What we actually do
Procurement-ready specifics. Items requiring third-party attestation are marked as such.
Data handling
Engagements are scoped to minimize sensitive data exposure. If client data access is required, scope, access method, and retention are documented in the SOW.
- Encryption in transit — TLS 1.3 where supported by tooling
- Encryption at rest — AES-256 on systems where storage is involved
- Working memory — materials ephemeral during active engagement; cleared at close
- Two-bucket retention — working materials purged post-engagement, engagement records retained per regulation
- Categories of data — defined per engagement; documented in DPA where applicable
Access & security controls
Principal-led practice means access discipline is tightly scoped. Internal systems use least-privilege defaults and admin access is MFA-protected.
- MFA enforced on all administrative systems touching client materials
- Least-privilege default; periodic access reviews
- Endpoint posture — full-disk encryption, current OS patching, password manager required
- No production system access — advisory work does not involve live client system access by default
- Personnel — engagement-specific personnel requirements reviewed during onboarding
Incident response
Documented escalation path with client security teams. Notification SLAs aligned to applicable law and contractual requirements.
- 72-hour breach notification posture where required by law or contract
- Documented escalation — client security contact identified during scoping
- Coordination on disclosure — follows the client's incident-response playbook where one exists
- Principal-led response — Jan Cichocki coordinates directly; no third-party SOC
- Post-incident review — written summary and corrective actions for engagement-affecting incidents
Subprocessors & tooling
Principal-led practice has no static "vendor stack" that touches every engagement. The tools that handle a given engagement's materials are disclosed during scoping.
- Disclosed per engagement rather than published in a static list
- Typical tools — email, calendar, document collaboration, secure file transfer, working drafts
- No confidential materials submitted to AI providers by default; exceptions require written approval
- Cross-border transfers — SCCs where applicable; processing locations documented per engagement
- ThreadSync subprocessors handled separately on the ThreadSync Trust Center
Legal & financial
Insurance, contract templates, and financial onboarding are handled through the secure procurement channel. Specific coverage limits and EIN/TIN are delivered after NDA.
- Insurance — Errors & Omissions / Professional Liability coverage; COI on request
- Cyber liability coverage scope confirmed during procurement onboarding
- Templates available — MSA, SOW, NDA, DPA (use yours or ours)
- EIN/TIN, W-9, banking details — provided through secure procurement channel
- Indemnification & LOL caps — negotiated per engagement, scoped to engagement value
Documents & timeline
Standard vendor-onboarding artifacts are returned within stated SLAs once NDA and engagement scope are confirmed.
- Initial response — 1 business day on inquiry receipt
- NDA execution — 1 business day (use yours or ours)
- Security questionnaire — 5 business days from NDA (SIG Lite, SIG Core, CAIQ v4, custom)
- Contract package — MSA / SOW / DPA / insurance evidence within stated procurement window
- Onboarding documents — W-9, banking, vendor-portal steps completed before kickoff
From inquiry to engagement kickoff
Six steps. NDA before sensitive material is exchanged. Each step has a stated SLA so your team can plan downstream procurement actions.
Initial inquiry
Procurement, legal, or security sends onboarding requirements, desired documents, and target timeline. Same-day acknowledgement.
NDA & scope
A mutual NDA is executed before confidential controls, subprocessors, COI details, or questionnaire responses are shared. Within 1 business day.
Security review
Questionnaire, control mapping, data handling notes, incident posture, and subprocessor disclosure completed for the confirmed engagement scope. Within 5 business days.
Contract package
MSA, SOW, NDA, DPA, insurance evidence, and vendor forms exchanged through the approved procurement channel.
Vendor onboarding
Tax forms, payment instructions, procurement portal steps, and required approvals completed before kickoff.
Engagement kickoff
Access paths, data boundaries, retention expectations, and escalation contacts confirmed before client materials are shared.
What we don't claim
Cichocki Advisory does not claim SOC 2 Type II attestation, ISO/IEC 27001 certification, FedRAMP authorization, HITRUST certification, or PCI DSS applicability unless explicitly stated in a signed procurement response. Controls are mapped to relevant SOC 2 Trust Services Criteria for advisory engagements, and non-applicable domains are marked with the reason. We answer security questionnaires with yes, no, partial, or not-applicable responses, supported by scope notes rather than inflated compliance claims.
Start a procurement conversation
Send your vendor onboarding checklist, required security questionnaire, contract templates, and target timeline. We will confirm scope, NDA path, and available materials within one business day.
Direct procurement inquiries: advisory@cichocki.com · Security inquiries: security@cichocki.com
