
Procurement & Vendor Onboarding

Procurement Packet

A procurement-aware overview of Cichocki Advisory's vendor posture: company facts, compliance summary, security controls, contract templates, and the workflow your team can expect from inquiry to engagement kickoff.

NDA-first · 1 business day response · Principal-led · Procurement-aware

Company facts

At a glance

The basics your procurement intake form needs. Sensitive details (EIN/TIN, banking, COI limits) are provided through the secure procurement channel.

  • Legal Entity — Cichocki LLC (U.S. limited liability company)
  • DBA — Cichocki Advisory (advisory services trade name)
  • Primary Site — trust posture & engagement entry
  • Procurement Contact — advisory@cichocki.com (vendor onboarding & contracts)
  • Security Contact — security@cichocki.com (questionnaires & incident response)
  • Related Software — ThreadSync (separate offering, own trust center)
Compliance summary

Frameworks & current posture

Honest yes / no / partial / not-applicable status. We do not claim third-party attestation or certification unless explicitly stated in a signed procurement response.

Framework / Requirement | Status | Details
SOC 2 | Mapped | Controls mapped to applicable SOC 2 TSC areas (Security, Availability, Confidentiality). No SOC 2 Type II attestation currently claimed.
[framework name not captured] | Not certified | Not pursuing certification for the advisory practice at this time.
HIPAA | Engagement-scoped | Advisory engagements typically do not involve PHI. BAA requirements are evaluated during contracting if PHI is in scope.
GDPR | DPA available | Where personal data processing is in scope; SCCs used where applicable. Processing scope defined per engagement.
Consumer privacy requirements | Handled where applicable | Consumer privacy requests handled where applicable; no sale of personal information.
PCI DSS | Not applicable | Cichocki Advisory does not process or store cardholder data.
FedRAMP | Not applicable | Advisory engagements operate outside FedRAMP-authorized cloud boundaries.
Industry- and jurisdiction-specific requirements | Reviewed per engagement | Specific requirements assessed during scoping based on client industry and jurisdiction.
Detail

What we actually do

Procurement-ready specifics. Items requiring third-party attestation are marked as such.

Data handling

Engagements are scoped to minimize sensitive data exposure. If client data access is required, scope, access method, and retention are documented in the SOW.

  • In transit — TLS 1.3 where supported by tooling
  • At rest — AES-256 on systems where storage is involved
  • Working drafts — retained only for the active engagement window and deleted within the agreed retention period after close
  • Deletion — engagement working materials deleted within 30 days of engagement close unless SOW, NDA, legal hold, or procurement requirement specifies otherwise; engagement records retained per regulation
  • Categories of data — defined per engagement; documented in DPA where applicable

Access & security controls

Principal-led practice means access discipline is tightly scoped. Internal systems use least-privilege defaults and admin access is MFA-protected.

  • MFA — on all administrative systems touching client materials
  • Least privilege — default; periodic access reviews
  • Endpoints — full-disk encryption, current OS patching, password manager required
  • Client system access — advisory work does not involve live client system access by default
  • Personnel — engagement-specific personnel requirements reviewed during onboarding

Incident response

Documented escalation path with client security teams. Notification SLAs aligned to applicable law and contractual requirements.

  • Notification posture — where required by law or contract
  • Documented escalation — client security contact identified during scoping
  • Coordination on disclosure — follows the client's incident-response playbook where one exists
  • Principal-led response — Jan Cichocki coordinates directly; no third-party SOC
  • Post-incident review — written summary and corrective actions for engagement-affecting incidents

Subprocessors & tooling

Principal-led practice has no static "vendor stack" that touches every engagement. The tools that handle a given engagement's materials are disclosed during scoping.

  • Disclosed per engagement rather than published in a static list
  • Typical tools — email, calendar, document collaboration, secure file transfer, working drafts
  • No confidential materials submitted to AI providers by default; exceptions require written approval
  • Cross-border transfers — SCCs where applicable; processing locations documented per engagement
  • ThreadSync subprocessors handled separately on the ThreadSync Trust Center

Documents & timeline

Standard vendor-onboarding artifacts are returned within stated SLAs once NDA and engagement scope are confirmed.

  • Initial response — 1 business day on inquiry receipt
  • NDA execution — 1 business day (use yours or ours)
  • Security questionnaires — 5 business days from NDA (SIG Lite, SIG Core, CAIQ v4, custom)
  • Contract package — MSA / SOW / DPA / insurance evidence within stated procurement window
  • Onboarding documents — W-9, banking, vendor-portal steps completed before kickoff

Workflow

From inquiry to engagement kickoff

Six steps, with an NDA executed before any sensitive material is exchanged. Each step has a stated SLA so your team can plan downstream procurement actions.

1. Initial inquiry — Procurement, legal, or security sends onboarding requirements, desired documents, and target timeline. Same-day acknowledgement.

2. NDA & scope — Mutual NDA executes before confidential controls, subprocessors, COI details, or questionnaire responses are shared. Within 1 business day.

3. Security review — Questionnaire, control mapping, data handling notes, incident posture, and subprocessor disclosure completed for the confirmed engagement scope. Within 5 business days.

4. Contract package — MSA, SOW, NDA, DPA, insurance evidence, and vendor forms exchanged through the approved procurement channel.

5. Vendor onboarding — Tax forms, payment instructions, procurement portal steps, and required approvals completed before kickoff.

6. Engagement kickoff — Access paths, data boundaries, retention expectations, and escalation contacts confirmed before client materials are shared.

What we don't claim

Cichocki Advisory does not claim SOC 2 Type II attestation, ISO/IEC 27001 certification, FedRAMP authorization, HITRUST certification, or PCI DSS applicability unless explicitly stated in a signed procurement response. Controls are mapped to relevant SOC 2 Trust Services Criteria for advisory engagements, and non-applicable domains are marked with the reason. We answer security questionnaires with yes, no, partial, or not-applicable responses, supported by scope notes rather than inflated compliance claims.

Start a procurement conversation

Send your vendor onboarding checklist, required security questionnaire, contract templates, and target timeline. We will confirm scope, NDA path, and available materials within one business day.

Direct procurement inquiries: advisory@cichocki.com · Security inquiries: security@cichocki.com
