Page · security & compliance posture

Honest about what is implemented, in progress, and not yet started.

Healthcare buyers need to know exactly what protections exist today, what is on a documented timeline, and where the line is between shipped and aspirational. This page is the source of truth. It is updated as posture changes.

Last reviewed · 2026-05-24 Owner · Freddy Rojas, Founder Disclosure · security@orquor.com
01 — Compliance posture

Four frameworks. No false claims.

We design ACTO to meet the documentation requirements of the regulations that govern healthcare data in our operating geographies. We do not claim certifications we have not earned. Where alignment is incomplete, we say so.

FrameworkGeographyStatusWhat it actually means
HIPAA United States BAA ready Business Associate Agreement template prepared and reviewed by US-licensed counsel pending signature. Available to any covered entity initiating a pilot. Audit log primitive satisfies 45 CFR § 164.312(b)(c). HIPAA Security Rule control mapping is documented internally and can be shared under NDA.
Ley 29733 Peru Aligned Architecture supports data-subject rights under Articles 18–26 (access, rectification, opposition to processing). Audit log facilitates reporting to the National Authority for Personal Data Protection. Registry filing in process.
LGPD Brazil Roadmap Q4 2026 Architecture supports portability (Art. 18, V) and explicit consent at session initiation. Brazilian counsel engagement and ANPD-aligned documentation scheduled with first BR pilot.
GDPR European Union Not yet operating The architecture supports data minimization, storage limitation and integrity at a level that materially exceeds the GDPR baseline. We have not appointed an EU representative, and we will not represent ourselves as GDPR-aligned until we engage one. We do not currently serve EU-resident data subjects.
SOC 2 Type I Trust Services In progress · target Q3 2026 Auditor selected (Drata-track). Control implementation underway. Type II observation window planned to begin Q4 2026. Trust report will be made available under NDA on request once Type I is issued.
ISO 27001 International Not started On the roadmap conditional on enterprise demand. We will commit to a timeline once a customer requires it as a precondition to contracting.
02 — Technical controls

What is actually in the system today.

Controls below are implemented in the production codepath. Audit on request.

ControlStatusImplementation
Encryption in transitshippedTLS 1.3 enforced on all surfaces. HSTS with 1-year max-age. Certificate pinning planned for mobile clients.
Encryption at restshippedAES-256 GCM for audio blobs, PostgreSQL TDE for structured PHI. Per-tenant key derivation; cross-tenant data access is structurally prevented.
Cryptographic audit logshippedPer-utterance log entries signed by orchestrator hardware key. RFC 3161 timestamping at session close. Append-only; modification is detectable by signature verification. Log is portable: tenant can demand and receive complete log in independently verifiable form.
Verifier-rejection loggingshippedEvery verifier failure is recorded in the audit log with structured reason. Outputs that fail catastrophic verifiers (weight 5) are not silently delivered — they trigger escalation to human interpreter or post-session review.
Access controlshippedRole-based with per-tenant boundaries. Privileged operations require MFA. Production access requires hardware security key (WebAuthn).
Secrets managementshippedHashiCorp Vault. No plain-text credentials in repos, CI variables, or environment files. Periodic rotation of long-lived credentials.
Dependency scanningshippedDependabot enabled. Weekly review. Patch SLA: 7 days for high-severity in production paths.
Penetration testingscheduled Q3 2026External engagement scheduled before SOC 2 Type I issue. Report scope and findings (sanitized) available to enterprise customers under NDA.
Customer-managed keys (BYOK)roadmap Q1 2027Architecture supports per-tenant KMS integration. First enterprise customer requirement will trigger implementation.
Private deployment / single-tenantavailable on contractAvailable as a contracted deployment option. Pricing scales with isolation level. Contact: hello@orquor.com.
03 — Data residency & sub-processors

Where the data physically lives.

Production data residency is configurable by tenant geography. Sub-processor list is exhaustive and updated on this page when it changes.

Sub-processorPurposeData classRegion
AWSCompute, storage, RDS PostgreSQL, S3 audio blobsPHI, audit logssa-east-1 (São Paulo) for LATAM; us-east-1 (Virginia) for US customers; tenant choice
CloudflareDNS, edge TLS termination, DDoS, WAFMetadata onlyGlobal edge
HashiCorp CloudVault secrets managementCryptographic secrets onlyus-east-1
OpenTimestampsRFC 3161 timestamping · Bitcoin anchorAudit log hashes only (no PHI)Public blockchain
ResendTransactional emailEmail addresses onlyus-east-1 (no PHI in email)
PlausiblePrivacy-friendly web analytics (no cookies, no PII)Anonymized page views onlyEU (Hetzner DE)
HostingerMarketing site only (this domain). No production PHI.NoneEU
Important · PHI scope clarification

The marketing site at orquor.com never receives, stores, or routes Protected Health Information. PHI is processed only inside the contracted production stack (separate infrastructure described above) on a per-tenant basis after BAA execution. The form submissions on this site collect only name, email, organization and message — never PHI.

04 — Vulnerability disclosure

If you found something, we want to know.

Scope. Any host in orquor.com, the production Orquor Clinical orchestration endpoints (URLs disclosed to participating researchers under NDA), and the public Hermes repository at github.com/orquor.

How to report. Send a PGP-encrypted report to security@orquor.com. PGP key available on request and at orquor.com/.well-known/security.txt. Plain email is accepted but discouraged for sensitive findings.

What you get. Acknowledgment within 48 business hours. Triage within 5 business days. Resolution timeline communicated within 10 business days. Public credit on this page upon your request after remediation. Monetary bounty is not currently funded; this is a private good-faith disclosure program until a structured program launches alongside SOC 2 Type I.

Safe harbor. Good-faith research under this policy will not be referred to law enforcement and we will not pursue civil action. Out-of-scope: social engineering, physical attacks, DDoS, untested third-party dependencies.

security@orquor.com

Direct line to the founder and the engineering on-call. Read every day.

SLA · ack 48h · triage 5d · resolve target 30d

Send a report →
05 — Documents

Available on request.

All documents below exist as drafts reviewed by counsel. They are shared under NDA or made available at contracting. We do not publish executable contract text on a marketing page.

HIPAA Business Associate Agreement

Template prepared for negotiation with US covered entities. Reviewed by US-licensed counsel. Provided at pilot signature.

Version 2026-05 · PDF on request

Request →

Clinical Service Level Agreement

Uptime, latency p95/p99, verifier-pass-rate guarantees, credit policy. Tiered by deployment model.

Version 2026-05 · PDF on request

Request →

Privacy Policy (Ley 29733)

Peruvian data protection notice describing data categories, retention, subject rights and the National Authority filing.

Public · Spanish · PDF

Request →

Cookie Policy (marketing site)

orquor.com uses no analytics cookies and no tracking cookies. Plausible is cookieless. Policy text below.

Public · PDF on request

Request →

Terms of Service (B2B)

Standard B2B SaaS terms with healthcare-specific carve-outs for PHI handling and audit log custody.

Version 2026-05 · PDF on request

Request →

Sub-processor change notification

Customers receive 30-day notice before any change to the sub-processor list above. Subscribe to the changelog feed.

RSS at /security/subprocessors.rss (publishing soon)

Subscribe →