Trust, proven - not promised.
Security a CISO can check, not adjectives. Below are the concrete, verifiable controls behind OrthID - how data is isolated, where it lives, and how every change is sealed.
Two planes, isolated by design - and it fails closed.
The data plane enforces; the control plane reflects. If a check can't run, access is denied - not waved through.
Policy decisions and credential issuance live in the data plane and are enforced server-side. The console only reflects what the data plane already decided - a compromised UI can't grant access.
When a policy, token check, or downstream dependency can't be evaluated, the request is denied. Degraded never means open.
Every row carries its tenant. Postgres row-level security and scoped, short-lived tokens keep tenants provably apart - isolation is enforced in the database, not just the application.
Your data, your region, your keys.
Sovereignty isn't a setting we toggle for you - it's the default. Run it yourself, pin it to a region, and hold the keys.
Pin where identity data is stored and processed. Each sovereign cell runs in your chosen region - data doesn't cross a border you didn't choose.
Run the open core on your own infrastructure, or have us operate a managed cell. Same code, your perimeter.
Bring your own keys through HashiCorp Vault, a cloud KMS, or an HSM. Encryption keys stay under your custody - we never hold the master.
One immutable entry per change - and you can prove it.
Every action that touches identity is recorded once, hash-chained to the entry before it. Tamper with a record and the chain breaks - visibly.
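As an added illustration (not OrthID's code; the field names and sample events are constructed), this is the tamper-evidence property a hash-chained log gives: each entry's hash covers the previous entry's hash, so editing a record breaks verification at that record, and re-hashing the edited record only moves the break to the entry after it.

```python
import hashlib
import json
from typing import List, NamedTuple, Optional

GENESIS = "0" * 64  # constructed sentinel meaning "no previous entry"

class AuditEntry(NamedTuple):
    seq: int
    actor: str       # acting principal, never a patient record
    action: str      # the event, e.g. "session.revoke"; no payload
    subject: str     # opaque reference to what was acted on
    prev_hash: str   # entry_hash of the preceding entry
    entry_hash: str  # sha256 over every field above, prev_hash included

def digest(seq: int, actor: str, action: str, subject: str, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal content always hashes equally.
    body = {"seq": seq, "actor": actor, "action": action, "subject": subject, "prev": prev_hash}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append(log: List[AuditEntry], actor: str, action: str, subject: str) -> None:
    prev = log[-1].entry_hash if log else GENESIS
    seq = len(log)
    log.append(AuditEntry(seq, actor, action, subject, prev, digest(seq, actor, action, subject, prev)))

def first_broken(log: List[AuditEntry]) -> Optional[int]:
    """Index of the first entry that fails verification, or None when the chain is intact."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != expected_prev:
            return i  # gap, reorder, or a rewritten predecessor
        if digest(e.seq, e.actor, e.action, e.subject, e.prev_hash) != e.entry_hash:
            return i  # content changed under a stale or forged hash
        expected_prev = e.entry_hash
    return None

def demo() -> dict:
    log: List[AuditEntry] = []
    for ev in [("admin:42", "passkey.enrol", "user:7f3a"),       # constructed sample events
               ("admin:42", "policy.update", "tenant:acme"),
               ("system", "session.revoke", "session:c91e")]:
        append(log, *ev)
    # Tamper 1: change entry 1's content, keep its hash -> detected at index 1.
    edited = log[:]
    edited[1] = log[1]._replace(action="policy.noop")
    # Tamper 2: change entry 1 and recompute its hash -> entry 2's prev_hash no longer matches, break at 2.
    e = log[1]._replace(action="policy.noop")
    rehashed = log[:]
    rehashed[1] = e._replace(entry_hash=digest(*e[:5]))
    return {"intact": first_broken(log), "edited": first_broken(edited), "rehashed": first_broken(rehashed)}
```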
Phishing-resistant by default, revocable in seconds.
Strong credentials are the baseline. When something changes, you can cut access immediately - no waiting on a ticket.
Passkeys are the default credential - phishing-resistant, biometric, and bound to the device. No shared secret to leak on a ward.
Require step-up by policy - per tenant, role, or risk signal. MFA is enforced server-side, not suggested in the UI.
See active sessions and devices, set inactivity windows, and revoke a session the moment a badge is handed back.
Mapped to the frameworks your review already uses.
OrthID is built to the controls behind these standards. Where reports and evidence exist, we link them in the Trust Center for your review under NDA.
We log what happened - never the patient.
Minimise by default. The re-identification map stays in sovereign storage, and logs carry events, not payloads.
The rest of what your review will ask for.
We welcome reports from security researchers and respond on a clear timeline. See the policy and contact in our docs.
A current, versioned list of the providers we rely on and what each processes - available for your review under NDA.
Live availability and incident history. View status.
Bring this to your security review.
Walk your team through the architecture, residency model, and evidence - we'll answer the hard questions live.