Trust Center

Security, Compliance, and Trust by Design

Operon.Cloud is engineered for regulated industries where verifiable trust matters most. We combine hardened cloud infrastructure, cryptographic integrity, and disciplined operational practices so every interaction is auditable, consent-aware, and privacy-aligned.

Summary

  • Built on Google Cloud with defense-in-depth: Cloud Run, VPC Service Controls, Cloud Armor, and centrally managed secrets with hardware-backed keys.
  • Ledger integrity anchored on Hedera Hashgraph, EdDSA signing, and immutable change logs for every transaction and administrative action.
  • Program-level alignment with HIPAA, SOC 2, GDPR, and CMS-0057 mandates through documented controls, gap analyses, and ongoing readiness testing.

Compliance Alignment From Day One

We are in private preview and have not yet completed formal third-party audits. However, our control framework is mapped to leading standards so customers can evaluate readiness with confidence.

  • HIPAA Safeguards: Documented administrative, physical, and technical controls including PHI segregation, audit logging, and breach response runbooks.
  • SOC 2 Control Alignment: Policies and evidence mapped to the Trust Services Criteria (Security, Availability, Confidentiality). Independent audit readiness assessment underway.
  • GDPR & Global Privacy: Data minimization, subject rights workflows, and regional data residency strategies validated with privacy counsel.
  • CMS-0057 Preparedness: Consent-based transaction attestations, immutable audit trails, and payer-provider interoperability patterns ready for mandate adoption.

What We Provide Today

  • Control matrix mapped to HIPAA, SOC 2, GDPR, CMS-0057, and NIST 800-53 baselines.
  • Security architecture diagrams, data flow inventories, and threat models.
  • Policy library covering access management, vulnerability management, and change control.
  • Third-party risk management and supplier review procedures.

Formal audit reports (SOC 2 Type II, HIPAA attestations) are in progress and will be shared under NDA once available.

Infrastructure Security

  • Dedicated projects per environment with least-privilege IAM and workload identity federation.
  • Cloud Run services isolated in private VPCs with ingress controls and mutual TLS between services.
  • Automated vulnerability scanning, binary authorization policies, and continuous deployment guardrails.

Data Protection

  • All data encrypted in transit (TLS 1.2+) and at rest using Google Cloud KMS with HSM-backed keys.
  • Field-level encryption and tokenization options for PHI, PII, and financial payloads.
  • Ledger entries anchored on Hedera Hashgraph with immutable checksums and secure Merkle proofs.

Application Security

  • Secure SDLC with mandatory peer review, automated SAST/DAST, and dependency monitoring.
  • Role-based access control enforced through policy services, JWT claims, and audit logging.
  • Continuous monitoring via Cloud Logging, Security Command Center, and anomaly detection dashboards.

Privacy & Data Governance

  • Data minimization and retention schedules aligned with customer policies and regulatory expectations.
  • Consent lifecycle management with immutable proofs for access, revocation, and third-party sharing.
  • Tenant isolation controls and customer-managed encryption key options on the roadmap.

Operational Excellence

  • 24x7 on-call engineering with documented incident response, severity definitions, and postmortem process.
  • Business continuity plans with multi-region backups, disaster recovery testing, and RPO/RTO objectives.
  • Employee security onboarding, background checks, and annual training covering privacy and secure coding.

Transparency & Reporting

  • Customer portal roadmap includes real-time control evidence, SLA dashboards, and audit log exports.
  • Coordinated vulnerability disclosure program with dedicated response SLAs.
  • Quarterly security and compliance briefings offered to customers and partners.

Need Our Security Packet?

Email security@operon.cloud for detailed documentation, or schedule a briefing with our security and compliance team. Existing customers can open priority tickets through the console for any production concerns.