Built for private, sovereign AI you can trust with real data.
Oction deploys AI for regulated, mid-market organizations. This page is our live view of how we protect client data and where we stand on the frameworks our clients rely on.
Compliance status
An honest snapshot. We show what is in place and what is in progress, and we do not claim a certification before it is earned.
SOC 2 Type II
Controls implemented; formal observation window and independent CPA audit underway. Report available under NDA once issued.
HIPAA
Security, Privacy, and Breach Notification safeguards in place; Business Associate Agreements available for covered engagements.
PIPEDA / PHIPA
Canadian privacy and health-information practices applied as our operating baseline for all client data.
What is in place today
Controls we operate now, independent of any certificate.
Encryption everywhere
Data encrypted in transit and at rest across every layer of the platform.
Per-client isolation
Each client's data lives in its own isolated partition. No pooling, no cross-client access.
De-identification
Personal and health identifiers are removed before data is stored or used, shrinking regulated exposure.
Change-controlled deploys
Every release passes a documented pre-deploy gate with a signed record. No unreviewed changes reach production.
Continuous monitoring
Automated, independent checks audit our systems against policy on a schedule and alert on any drift.
Tested backups
Encrypted, off-site backups with regularly tested restores.
Subprocessors
The vendors we rely on, what they do, and their data-protection status.
| Subprocessor | Purpose | Region | Data agreement |
|---|---|---|---|
| Anthropic | Large language model inference | North America | BAA / DPA for covered engagements |
| Cloudflare | Edge hosting, network security, storage | Global edge | BAA / DPA available |
How we handle data
Data minimization
- Collect only what a deployment needs
- De-identify before storage wherever possible
- Isolated, per-client storage
- Defined retention and deletion
Access & accountability
- Least-privilege access, reviewed on a schedule
- Audit logging across the platform
- Documented incident and breach response
- Named security and privacy ownership
Request our security documentation
SOC 2 report (once issued), BAA, security whitepaper, and subprocessor details are available to clients and prospects under NDA.
Contact us