Security & trust

Sensitive customer data deserves boring, explicit boundaries.

The Brain Engine works with product, usage, billing, support, and CRM context — exactly the kind of evidence your team should not hand to a black box casually. OrthancIQ is designed so every input, derived artifact, and recommendation stays inside a defined tenant boundary.

SOC 2 ready. Controls mapped: SOC 2-ready control set
AES-256. Encryption: TLS in transit + AES-256 at rest
No training. Model training on your data: off by default
Security posture

Tenant isolation: Scoped per tenant
Encryption in transit: TLS
Encryption at rest: AES-256
Audit logging: Logged
Least-privilege access: RBAC + MFA
Training on your data: Off by default
Data deletion on request: Supported

An honest note on claims. OrthancIQ is not claiming a completed SOC 2 certification. We are building against a SOC 2-ready control set and can share current controls, roadmap, architecture notes, and documentation under NDA during your security review.

Controls

Security controls are part of the product, not a slide afterthought.

Tenant isolation

Each customer’s data is logically isolated, with boundaries enforced at the data and application layers.

Encryption

Data is encrypted in transit with TLS and at rest with AES-256, including backups where applicable.

Audit logging

Access and key actions are logged with timestamps and actor identity for review.

Access controls

Role-based access with least-privilege defaults and MFA for internal access.

Data retention

Retention windows for raw inputs and derived artifacts are defined during onboarding.

Deletion on request

You can request deletion of your data and model artifacts. We confirm completion and timelines in writing.

Backups & recovery

Encrypted backups and recovery procedures protect against accidental data loss.

Incident response

A documented incident-response process defines severity, ownership, escalation, and customer notification.

Security review readiness

We support vendor reviews with documentation, questionnaires, and an NDA-backed controls overview.

Data lifecycle

The Brain Engine should explain where the data stops.

Every stage is scoped, encrypted, and logged. Your data builds your Brain Engine model, not a shared cross-customer model.

Ingest: over TLS
Isolate: per tenant
Encrypt: AES-256
Model: tenant-scoped
Retain: defined window
Delete: on request

No shared-model training by default

Your data builds your model. We do not use it to train shared or cross-customer models unless you explicitly opt in, in writing.

Brain Engine artifacts follow your tenant

The value map, signal catalog, and Brain Engine outputs are tied to your tenant and removed with your data on deletion.

For your security team

Need to run a vendor review before sending data?

We can support a serious review process with a controls overview, security questionnaire, subprocessor list, incident policy, and architecture summary under NDA.

Controls overview (SOC 2-ready)
Security questionnaire (CAIQ-style)
Subprocessor list
Architecture & data-flow summary
Incident-response policy

Review the boundary before the Brain Engine sees data.

Start with setup access, define the data boundary, then connect sources through a guided call, API stream, or structured export before any Brain Engine dossiers are generated.