Trust Center
Security & Compliance

Built for private, sovereign AI you can trust with real data.

Oction deploys AI for regulated, mid-market organizations. This page is our live view of how we protect client data and where we stand on the frameworks our clients rely on.

Compliance status

An honest snapshot. We show what is in place and what is in progress, and we do not claim a certification before it is earned.

In progress

SOC 2 Type II

Controls implemented; formal observation window and independent CPA audit underway. Report available under NDA once issued.

Aligning

HIPAA

Security, Privacy, and Breach Notification safeguards in place; Business Associate Agreements available for covered engagements.

Baseline

PIPEDA / PHIPA

Canadian privacy and health-information practices applied as our operating baseline for all client data.

What is in place today

Controls we operate now, independent of any certificate.

Live

Encryption everywhere

Data encrypted in transit and at rest across every layer of the platform.

Live

Per-client isolation

Each client's data lives in its own isolated partition. No pooling, no cross-client access.

Live

De-identification

Personal and health identifiers are removed before data is stored or used, shrinking regulated exposure.

Live

Change-controlled deploys

Every release passes a documented pre-deploy gate with a signed record. No unreviewed changes reach production.

Live

Continuous monitoring

Automated, independent checks audit our systems against policy on a schedule and alert on any drift.

Live

Tested backups

Encrypted, off-site backups with regularly tested restores.

Subprocessors

The vendors we rely on, what they do, and their data-protection status.

SubprocessorPurposeRegionData agreement
AnthropicLarge language model inferenceNorth America BAA / DPA for covered engagements
CloudflareEdge hosting, network security, storageGlobal edge BAA / DPA available
Model calls are routed through a controlled internal gateway. We do not send client data to consumer AI services, and we do not train third-party models on client data.

How we handle data

Data minimization

  • Collect only what a deployment needs
  • De-identify before storage wherever possible
  • Isolated, per-client storage
  • Defined retention and deletion

Access & accountability

  • Least-privilege access, reviewed on a schedule
  • Audit logging across the platform
  • Documented incident and breach response
  • Named security and privacy ownership

Request our security documentation

SOC 2 report (once issued), BAA, security whitepaper, and subprocessor details are available to clients and prospects under NDA.

Contact us