Healthcare buyers need to know exactly what protections exist today, what is on a documented timeline, and where the line is between shipped and aspirational. This page is the source of truth. It is updated as posture changes.
We design ACTO to meet the documentation requirements of the regulations that govern healthcare data in our operating geographies. We do not claim certifications we have not earned. Where alignment is incomplete, we say so.
| Framework | Geography | Status | What it actually means |
|---|---|---|---|
| HIPAA | United States | BAA ready | Business Associate Agreement template prepared and reviewed by US-licensed counsel pending signature. Available to any covered entity initiating a pilot. Audit log primitive satisfies 45 CFR § 164.312(b)(c). HIPAA Security Rule control mapping is documented internally and can be shared under NDA. |
| Ley 29733 | Peru | Aligned | Architecture supports data-subject rights under Articles 18–26 (access, rectification, opposition to processing). Audit log facilitates reporting to the National Authority for Personal Data Protection. Registry filing in process. |
| LGPD | Brazil | Roadmap Q4 2026 | Architecture supports portability (Art. 18, V) and explicit consent at session initiation. Brazilian counsel engagement and ANPD-aligned documentation scheduled with first BR pilot. |
| GDPR | European Union | Not yet operating | The architecture supports data minimization, storage limitation and integrity at a level that materially exceeds the GDPR baseline. We have not appointed an EU representative, and we will not represent ourselves as GDPR-aligned until we engage one. We do not currently serve EU-resident data subjects. |
| SOC 2 Type I | Trust Services | In progress · target Q3 2026 | Auditor selected (Drata-track). Control implementation underway. Type II observation window planned to begin Q4 2026. Trust report will be made available under NDA on request once Type I is issued. |
| ISO 27001 | International | Not started | On the roadmap conditional on enterprise demand. We will commit to a timeline once a customer requires it as a precondition to contracting. |
Controls below are implemented in the production codepath. Audit on request.
| Control | Status | Implementation |
|---|---|---|
| Encryption in transit | shipped | TLS 1.3 enforced on all surfaces. HSTS with 1-year max-age. Certificate pinning planned for mobile clients. |
| Encryption at rest | shipped | AES-256 GCM for audio blobs, PostgreSQL TDE for structured PHI. Per-tenant key derivation; cross-tenant data access is structurally prevented. |
| Cryptographic audit log | shipped | Per-utterance log entries signed by orchestrator hardware key. RFC 3161 timestamping at session close. Append-only; modification is detectable by signature verification. Log is portable: tenant can demand and receive complete log in independently verifiable form. |
| Verifier-rejection logging | shipped | Every verifier failure is recorded in the audit log with structured reason. Outputs that fail catastrophic verifiers (weight 5) are not silently delivered — they trigger escalation to human interpreter or post-session review. |
| Access control | shipped | Role-based with per-tenant boundaries. Privileged operations require MFA. Production access requires hardware security key (WebAuthn). |
| Secrets management | shipped | HashiCorp Vault. No plain-text credentials in repos, CI variables, or environment files. Periodic rotation of long-lived credentials. |
| Dependency scanning | shipped | Dependabot enabled. Weekly review. Patch SLA: 7 days for high-severity in production paths. |
| Penetration testing | scheduled Q3 2026 | External engagement scheduled before SOC 2 Type I issue. Report scope and findings (sanitized) available to enterprise customers under NDA. |
| Customer-managed keys (BYOK) | roadmap Q1 2027 | Architecture supports per-tenant KMS integration. First enterprise customer requirement will trigger implementation. |
| Private deployment / single-tenant | available on contract | Available as a contracted deployment option. Pricing scales with isolation level. Contact: hello@orquor.com. |
Production data residency is configurable by tenant geography. Sub-processor list is exhaustive and updated on this page when it changes.
| Sub-processor | Purpose | Data class | Region |
|---|---|---|---|
| AWS | Compute, storage, RDS PostgreSQL, S3 audio blobs | PHI, audit logs | sa-east-1 (São Paulo) for LATAM; us-east-1 (Virginia) for US customers; tenant choice |
| Cloudflare | DNS, edge TLS termination, DDoS, WAF | Metadata only | Global edge |
| HashiCorp Cloud | Vault secrets management | Cryptographic secrets only | us-east-1 |
| OpenTimestamps | RFC 3161 timestamping · Bitcoin anchor | Audit log hashes only (no PHI) | Public blockchain |
| Resend | Transactional email | Email addresses only | us-east-1 (no PHI in email) |
| Plausible | Privacy-friendly web analytics (no cookies, no PII) | Anonymized page views only | EU (Hetzner DE) |
| Hostinger | Marketing site only (this domain). No production PHI. | None | EU |
The marketing site at orquor.com never receives, stores, or routes Protected Health Information. PHI is processed only inside the contracted production stack (separate infrastructure described above) on a per-tenant basis after BAA execution. The form submissions on this site collect only name, email, organization and message — never PHI.
Scope. Any host in orquor.com, the production Orquor Clinical orchestration endpoints (URLs disclosed to participating researchers under NDA), and the public Hermes repository at github.com/orquor.
How to report. Send a PGP-encrypted report to security@orquor.com. PGP key available on request and at orquor.com/.well-known/security.txt. Plain email is accepted but discouraged for sensitive findings.
What you get. Acknowledgment within 48 business hours. Triage within 5 business days. Resolution timeline communicated within 10 business days. Public credit on this page upon your request after remediation. Monetary bounty is not currently funded; this is a private good-faith disclosure program until a structured program launches alongside SOC 2 Type I.
Safe harbor. Good-faith research under this policy will not be referred to law enforcement and we will not pursue civil action. Out-of-scope: social engineering, physical attacks, DDoS, untested third-party dependencies.
Direct line to the founder and the engineering on-call. Read every day.
Send a report →All documents below exist as drafts reviewed by counsel. They are shared under NDA or made available at contracting. We do not publish executable contract text on a marketing page.
Template prepared for negotiation with US covered entities. Reviewed by US-licensed counsel. Provided at pilot signature.
Request →Uptime, latency p95/p99, verifier-pass-rate guarantees, credit policy. Tiered by deployment model.
Request →Peruvian data protection notice describing data categories, retention, subject rights and the National Authority filing.
Request →orquor.com uses no analytics cookies and no tracking cookies. Plausible is cookieless. Policy text below.
Request →Standard B2B SaaS terms with healthcare-specific carve-outs for PHI handling and audit log custody.
Request →Customers receive 30-day notice before any change to the sub-processor list above. Subscribe to the changelog feed.
Subscribe →