Trust Center

Trust, proven - not promised.

Security a CISO can check, not adjectives. Below are the concrete, verifiable controls behind OrthID - how data is isolated, where it lives, and how every change is sealed.

Architecture

Two planes, isolated by design - and it fails closed.

The data plane enforces; the control plane reflects. If a check can't run, access is denied - not waved through.

Data-plane / control-plane split

Policy decisions and credential issuance live in the data plane and are enforced server-side. The console only reflects what the data plane already decided - a compromised UI can’t grant access.

Fail-closed by default

When a policy, token check, or downstream dependency can’t be evaluated, the request is denied. Degraded never means open.

Tenant isolation

Every row carries its tenant. Postgres row-level security and scoped, short-lived tokens keep tenants provably apart - isolation is enforced in the database, not just the application.

Sovereignty

Your data, your region, your keys.

Sovereignty isn’t a setting we toggle for you - it’s the default. Run it yourself, pin it to a region, and hold the keys.

Region & residency

Pin where identity data is stored and processed. Each sovereign cell runs in your chosen region - data doesn't cross a border you didn't choose.

Self-host / open core

Run the open core on your own infrastructure, or have us operate a managed cell. Same code, your perimeter.

BYOK via Vault / KMS / HSM

Bring your own keys through HashiCorp Vault, a cloud KMS, or an HSM. Encryption keys stay under your custody - we never hold the master.

Audit

One immutable entry per change - and you can prove it.

Every action that touches identity is recorded once, hash-chained to the entry before it. Tamper with a record and the chain breaks - visibly.

Tamper-evident, hash-chained - each entry seals the hash of the previous one, so any edit or deletion is detectable.
One immutable entry per change - append-only - records are never updated in place or silently removed.
Exportable to your SIEM - stream or export the full trail as CSV or JSON for retention and forensics.
Who, what, when, from where - actor, action, target, time and source - including impersonation, with the operator named.
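
As an added illustration (not OrthID's code or export format), the Python below verifies a hash-chained trail of the kind described above and reports where an edit or deletion breaks it. The prev_hash and hash field names, the SHA-256 construction, the genesis value and the sample records are assumptions made for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed value sealed by the first entry

def entry_hash(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators) so a body always hashes the same.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

def append(chain, body):
    # Seal the previous entry's hash into the new entry.
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev_hash": prev, "hash": entry_hash(prev, body)})

def verify(chain, expected_head=None):
    """Return a list of (index, problem); an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev_hash"] != prev:
            problems.append((i, "broken link: entry removed or reordered before this one"))
        if entry_hash(e["prev_hash"], e["body"]) != e["hash"]:
            problems.append((i, "body does not match its hash: entry edited"))
        prev = e["hash"]
    # The head hash must be pinned outside the log (assumed: stored by the reviewer).
    if expected_head is not None and prev != expected_head:
        problems.append((len(chain), "head mismatch: trail truncated or rebuilt"))
    return problems

def sample_chain():
    # Constructed sample records using the fields the page lists.
    chain = []
    for actor, action, target in [("alice", "role.grant", "bob"),
                                  ("ops-1 as alice", "session.revoke", "bob"),
                                  ("bob", "passkey.register", "bob")]:
        append(chain, {"actor": actor, "action": action, "target": target,
                       "time": "2024-01-01T00:00:00Z", "source": "192.0.2.10"})
    return chain
```

Verification without expected_head accepts a trail whose last entries were dropped, because the remaining links are still consistent. Pin the latest hash outside the log, for example in the SIEM, when checking an export.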

Identity assurance

Phishing-resistant by default, revocable in seconds.

Strong credentials are the baseline. When something changes, you can cut access immediately - no waiting on a ticket.

FIDO2 / passkeys

Passkeys are the default credential - phishing-resistant, biometric, and bound to the device. No shared secret to leak on a ward.

MFA enforcement

Require step-up by policy - per tenant, role, or risk signal. MFA is enforced server-side, not suggested in the UI.

Session revocation

See active sessions and devices, set inactivity windows, and revoke a session the moment a badge is handed back.

Compliance

Mapped to the frameworks your review already uses.

OrthID is built to the controls behind these standards. Where reports and evidence exist, we link them in the Trust Center for your review under NDA.

SOC 2 · HIPAA · ISO 27001 · GDPR · IRAP - status: in progress. Request current scope and evidence under NDA.

Data handling

We log what happened - never the patient.

Minimise by default. The re-identification map stays in sovereign storage, and logs carry events, not payloads.

Payload-free logging - audit and telemetry record the event, not protected health information or message bodies.
Re-ID map never leaves sovereign storage - the link between pseudonym and patient stays inside your region and your keys - it is never exported.
Retention limits - data is kept only as long as configured, then expires automatically - no indefinite default.
Least data, scoped access - agents and services see only the fields their task requires, for only as long as the task runs.

Operations

The rest of what your review will ask for.

Responsible disclosure

We welcome reports from security researchers and respond on a clear timeline. See the policy and contact in our docs.

Sub-processors

A current, versioned list of the providers we rely on and what each processes - available for your review under NDA.

Status

Live availability and incident history. View status.

Bring this to your security review.

Walk your team through the architecture, residency model, and evidence - we'll answer the hard questions live.