This is a research engagement, not a software install.
No code on your property, no integrations, no data flowing from your side. The procurement surface is an NDA and a vendor intake form, not a SOC 2 audit.
If your compliance team has 30 seconds: NeverRanked observes public AI answer engines from outside, the same way a journalist or an analyst would. We do not install code on your site, we do not integrate with your CRM, we do not read your SSO, we do not handle your customer data. The deliverable is a research memo. There is no software for your team to review.
What we do not access
| Category | Our access | Why none is needed |
|---|---|---|
| Customer website / DOM | None | We do not install code, scripts, or tags on your site. The engagement observes public AI engines from outside and needs nothing on your property. |
| CRM (Salesforce, HubSpot, etc.) | None | Measurement is performed against public AI engines, not against your CRM data. |
| Analytics (GA, Mixpanel, Amplitude, etc.) | None | We do not need to know what your customers did on your site. We measure what AI engines say about your brand to a buyer asking a question. |
| SSO / OAuth / authentication | None | We have no surface that requires user authentication. The deliverable is a research memo, not a logged-in dashboard. |
| Customer data (PII, transactions, behavior) | None | We do not handle PII. We measure brand-level signals. |
| Email systems / inboxes | None | We do not need to read your email. Our communications happen over normal external email. |
| Cloud accounts / infrastructure | None | Our infrastructure is entirely separate. No shared cloud accounts, no cross-account roles. |
| Source code | None | We do not need your code. Your engineering team is not affected by this engagement. |
| Search Console / domain verification | None | Search Console access is not part of the measurement. We do not request it. |
What we do collect
- The query set you and our team locked at scoping. 15-30 queries, in our system, not on yours.
- The competitor cohort you named at scoping. Domain names of 3-7 publicly known competitors.
- Daily API responses from the seven AI surfaces. The raw text of what each engine said in response to each query, plus the cited URLs. These are responses to public queries on public APIs; they contain no information about your customers or your systems.
- Your invoice and payment records. Standard Stripe billing data, processed by Stripe.
- Engagement metadata. When kickoff started, when memos shipped, who they were sent to (your designated team).
What we do not collect or store
- Anything from your website's visitor traffic.
- Anything that identifies your customers.
- Any data that would require GDPR or CCPA processor-agreement coverage.
- Any data that would require HIPAA Business Associate Agreement coverage.
- Any payment instruments (Stripe handles payment data end-to-end; we never see card data).
Procurement and review
The honest reframe for procurement teams: NeverRanked maps to research/analyst-firm processes, not to SaaS-vendor processes. Specifically:
- SOC 2: not applicable. SOC 2 covers controls around customer-data handling. We do not handle customer data.
- Penetration test: not applicable. There is no NeverRanked endpoint your traffic flows through, no API your systems call, no infrastructure of ours that touches yours.
- Vendor security questionnaire (SIG, SIG-Lite, CAIQ): we will fill these out. Most fields will read "N/A, vendor does not access customer systems or data." We can supply a pre-filled SIG-Lite for review on request.
- NDA: we sign mutual NDAs. Our preferred template is short; we will also sign yours within reason.
- MSA: we will sign a standard MSA, redlined to cap indemnification at engagement value (uncapped indemnity creates existential risk for a small company).
- DPA: not typically applicable because we do not process customer personal data. If your legal team requires one anyway, we will sign a minimal DPA confirming the "we do not process personal data" position.
Confidentiality of the deliverable itself
Once we produce a research memo and a punch list that name your brand and your competitors, those documents have handling expectations even though they contain no PII. Our stance:
- Memos delivered to your designated recipients only. We do not publish or share them.
- Your data export stays exportable for the life of the engagement.
- After cancellation, customer-specific data is retained 30 days then deleted.
- Aggregate-level category patterns we observe across our broader dataset stay with us, never tied to your name and never reverse-engineerable to your engagement. The host-surfacing gate in `aggregate.mjs` requires `min-runs >= 2` before any host appears in cross-customer aggregate output, enforced in code.
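Added illustration of the kind of minimum-count gate described above; this is example code, not the project's `aggregate.mjs`. It assumes each run record carries an engagement id plus the hosts cited in that run, and that several runs from the same engagement count once toward the threshold.

```javascript
// Constructed example of a minimum-count suppression gate modelled on the
// "min-runs >= 2" rule. Not the project's own aggregate.mjs.
const MIN_RUNS = 2;

// Constructed sample data: one record per daily measurement run, tagged with
// the engagement (customer) it belongs to and the hosts the engines cited.
const SAMPLE_RUNS = [
  { engagement: "eng-A", cited: ["docs.example.com", "review-site.example", "a-only.example"] },
  { engagement: "eng-A", cited: ["docs.example.com", "a-only.example"] }, // same engagement, second run
  { engagement: "eng-B", cited: ["docs.example.com", "review-site.example"] },
  { engagement: "eng-C", cited: ["docs.example.com", "c-only.example"] },
];

// For each host, collect the set of DISTINCT engagements whose runs cited it.
// Two runs from one engagement therefore contribute a count of 1, not 2.
function engagementsPerHost(runs) {
  const byHost = new Map();
  for (const run of runs) {
    for (const host of new Set(run.cited)) {
      if (!byHost.has(host)) byHost.set(host, new Set());
      byHost.get(host).add(run.engagement);
    }
  }
  return byHost;
}

// Gate: a host reaches cross-customer output only when at least minRuns
// distinct engagements contributed it. Hosts below the threshold are dropped
// entirely (no count is emitted), so no output row maps back to one customer.
function aggregateHosts(runs, minRuns = MIN_RUNS) {
  const out = [];
  for (const [host, engagements] of engagementsPerHost(runs)) {
    if (engagements.size >= minRuns) out.push({ host, engagements: engagements.size });
  }
  return out.sort((x, y) => y.engagements - x.engagements || x.host.localeCompare(y.host));
}

// Hosts the gate withheld, useful for an internal audit log of suppressions.
function suppressedHosts(runs, minRuns = MIN_RUNS) {
  return [...engagementsPerHost(runs)]
    .filter(([, engagements]) => engagements.size < minRuns)
    .map(([host]) => host)
    .sort();
}

console.log(aggregateHosts(SAMPLE_RUNS));
console.log("suppressed:", suppressedHosts(SAMPLE_RUNS));
```

Note that `a-only.example` is cited in two runs but still suppressed, because both runs belong to the same engagement.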
Reproducibility and audit
The measurement infrastructure is auditable by your team without our cooperation:
- Public source code. github.com/LanceRoylo/neverranked-outreach for the measurement and aggregator tools.
- Gemma is open-weight. Your auditor can re-run the same prompts against Gemma independently and verify our numbers without our involvement.
- Pre-registration discipline. Any methodology claim (pattern-readiness, measurement validity) is anchored in a hash-locked pre-registration file in the repo before the test runs.
- Raw data export. All raw measurement data from your engagement is exportable in standard formats any time.
Compliance questions
Anything not covered here, email Lance@hi.neverranked.com. Compliance and procurement questions get a same-day response on weekdays.