Trust & Security

Trust Center

Security, compliance, and transparency built into every layer of IOA Cloud

  • SOC 2: In Progress
  • ISO 27001: In Progress
  • 100% Transparency

Security Posture

Infrastructure Security

  • AWS infrastructure (SOC 2 Type II, ISO 27001)
  • End-to-end TLS 1.3 encryption
  • At-rest encryption (AES-256)
  • WAF & DDoS protection (Cloudflare)
  • Regular penetration testing

Data Protection

  • Zero-knowledge architecture for prompts
  • Customer-controlled encryption keys (BYO-KMS)
  • Cryptographically signed evidence bundles
  • Immutable audit logs (Sigstore)
  • GDPR-compliant data processing

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • SSO integration (Okta, Azure AD, Google)
  • SCIM provisioning (Enterprise)
  • Audit logging for all access events

Compliance & Certifications

Data Residency & Sovereignty

Choose where your evidence bundles and audit logs are stored. All data remains in your selected region.

US

United States

AWS US-East-1 (Virginia)

  • Default region for Scale tier
  • SOC 2 Type II certified
  • FedRAMP Moderate (planned)

EU

European Union

AWS EU-Central-1 (Frankfurt)

  • GDPR-compliant storage
  • DPA agreements available
  • ISO 27001 certified

APAC

Asia-Pacific

AWS AP-Southeast-1 (Singapore)

  • Preparing regulatory sandbox applications
  • PDPA-compliant
  • Low-latency for APAC customers

Trust tier: Custom data residency options available (UK, Canada, Australia, Japan). Contact sales.

Sub-Processors & Third-Party Services

IOA Cloud uses the following trusted sub-processors. We maintain strict data processing agreements with all vendors.

| Vendor | Service | Data Type | Location |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure, storage | Evidence bundles, audit logs | US, EU, APAC |
| Cloudflare | CDN, WAF, DDoS protection | HTTP headers, IP addresses (anonymized) | Global |
| Sigstore | Certificate transparency, signing | Evidence bundle signatures (public) | Global |
| Stripe | Payment processing | Billing information | US |
| PostHog | Product analytics (optional) | Anonymized usage metrics | EU |

BYO-LLM Note: Your LLM provider (OpenAI, Anthropic, etc.) processes prompts directly with your API keys. IOA never sees prompt contents, only anonymized metadata (length, latency).

Security Practices & Incident Response

Vulnerability Management

  • Regular security audits (quarterly)
  • Automated dependency scanning
  • Bug bounty program (launching Q2 2025)
  • Responsible disclosure policy

Incident Response

  • 24/7 security monitoring
  • < 1 hour incident detection (P0)
  • < 4 hour customer notification (security)
  • Post-incident reports published

Employee Security

  • Background checks for all employees
  • Security training (quarterly)
  • Least-privilege access principles
  • Hardware security keys (YubiKey)

Transparency & Reporting

Uptime & Performance

99.9% Uptime (30 days)
450ms P95 Latency

Security Incidents

0 Data breaches (all time)
0 Security incidents (2025)

Last updated: January 28, 2025

Open Source

100% IOA Core (Apache 2.0)

Audit our code on GitHub


Questions about security or compliance?

Our security team is here to help with audits, questionnaires, and custom compliance requirements.