Compliance posture at a glance
- SOC 2 Type II — observation period in progress; controls self-attestable today, third-party report in 2026.
- HIPAA BAA — auto-eligible on Firm and Enterprise; available on Starter and Team after sales counter-signing. See Business Associate Agreement.
- GDPR / UK GDPR DPA — clickwrap on the trust page or counter-signed PDF on request. See Data Processing Agreement.
- CCPA — DSAR procedure available via /request-deletion or POST /v1/data/delete-request.
- SLA — uptime + support response times by plan. See Service Level Agreement.
Data security controls
- Encryption in transit — TLS 1.2+ with HSTS preload (long max-age, includeSubDomains). HTTP/3 enabled.
- Encryption at rest — AES-256-GCM on Cloudflare R2 for source documents and on Cloudflare D1 for metadata.
- Authentication — JWT-based session cookies (1-hour access, 30-day refresh). TOTP MFA available; required for platform admins. OIDC SSO with JIT provisioning on Firm+ workspaces.
- Workspace isolation — every resource (conversion, API key, template, billing event) scoped to a workspace ID. API keys pinned to a workspace.
- No model training on customer data — Cloudflare Workers AI does not train on customer prompts. BAA-scope workspaces additionally route through the zero-retention Cloudflare AI Gateway.
Audit and observability
- Tamper-evident audit trail — every sensitive action logged with user, timestamp, IP, source bytes. Chain-hash on export so any tampering between export and presentation is detectable.
- Configurable retention — 1 day to 10 years per workspace; 30-day cancellable hold on every deletion request.
- Legal hold — workspace-level flag preempts auto-deletion. Recorded in the audit log.
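The chain-hash check described above, as an added illustration (not Ordalis code): it assumes each exported record carries its predecessor's hash and a SHA-256 over that hash plus the canonical JSON of the event, with an all-zero hash as the chain start; the event fields and values are constructed sample data.

```python
import hashlib
import json

# Constructed sample audit events carrying the fields the trail records
# (user, timestamp, IP, source bytes) plus an action label.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ts": "2025-03-01T10:00:00Z",
     "ip": "203.0.113.7", "action": "convert", "source_bytes": 48213},
    {"user": "bob@example.com", "ts": "2025-03-01T10:05:12Z",
     "ip": "203.0.113.9", "action": "api_key.create", "source_bytes": 0},
    {"user": "alice@example.com", "ts": "2025-03-01T10:09:44Z",
     "ip": "203.0.113.7", "action": "delete_request", "source_bytes": 0},
]

GENESIS = "0" * 64  # assumed chain start: an all-zero previous hash


def _canonical(event):
    # Deterministic serialisation so exporter and verifier hash identical bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_export(events):
    """Chain the events: each record's hash covers the previous hash and its own content."""
    prev, export = GENESIS, []
    for ev in events:
        h = hashlib.sha256(prev.encode() + _canonical(ev)).hexdigest()
        export.append({"event": ev, "prev_hash": prev, "hash": h})
        prev = h
    return export


def verify_export(export):
    """Recompute the chain; return (ok, index of the first record that fails)."""
    prev = GENESIS
    for i, rec in enumerate(export):
        expected = hashlib.sha256(prev.encode() + _canonical(rec["event"])).hexdigest()
        if rec["prev_hash"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None


if __name__ == "__main__":
    export = build_export(SAMPLE_EVENTS)
    print("untouched export:", verify_export(export))
    # Edit one field after export; the verifier pinpoints the altered record.
    tampered = [dict(r, event=dict(r["event"])) for r in export]
    tampered[1]["event"]["ip"] = "198.51.100.1"
    print("edited record 1:", verify_export(tampered))
```

A chain like this exposes edits, insertions and deletions inside the export, but cutting records off the end is invisible unless the final hash (or record count) is conveyed out of band alongside the export.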
Sub-processors
See /legal/subprocessors for the canonical list, or api.ordalis.io/v1/compliance/subprocessors for the machine-readable feed. 30-day notice before any addition.
Documents
- Data Processing Agreement (DPA)
- Business Associate Agreement (BAA) — auto-eligible on Firm & Enterprise; sales-granted on Starter & Team
- Acceptable Use Policy
- Sub-processor list
- Service Level Agreement
- Security practices
- Privacy policy · privacy changelog
Reporting and contact
Security disclosures: security@ordalis.io. Abuse: abuse@ordalis.io. Procurement / vendor-risk questionnaires (SIG Lite, CAIQ): legal@ordalis.io.