Orizon Security & Trust Posture
Executive Summary
Orizon is a European cybersecurity platform. We build and operate products that help European organisations manage their attack surface, train their workforce, validate their defences, monitor their operations and maintain compliance with NIS2, GDPR, ISO 27001 and adjacent frameworks. This whitepaper describes how we secure the data and systems entrusted to us in the course of delivering those services.
Key commitments
- Customer data is stored and processed exclusively within the European Union under EU data protection law. No customer data leaves the EU at any point in its lifecycle.
- All customer data at rest is protected with strong encryption. All data in transit is protected with modern TLS using current cipher suites. Plain-text transport is not accepted.
- Access to production environments and customer data follows least-privilege and role-based access control. Administrative access requires multi-factor authentication and produces an immutable audit trail.
- A responsible disclosure programme is in place. Good-faith security researchers are protected by an explicit safe-harbour commitment.
- GDPR and NIS2 are fully operational and drive day-to-day decisions. Independent ISO 27001 and SOC 2 attestation is on the public roadmap.
Scope of this document
- This whitepaper is a reference document, not a contractual commitment. Contractual security commitments are captured in your specific order form, terms of service and Data Processing Agreement.
- For operational security reasons, this document does not name specific infrastructure providers, regions, hostnames, network topology or any other detail that would unnecessarily expose attack surface.
- Where practices are still being prepared for independent validation, the document distinguishes between current operational state and roadmap commitments.
Security Philosophy
We hold ourselves to the same standards we help our customers achieve. Orizon sells compliance-grade cybersecurity tooling into regulated European sectors — banking, healthcare, energy, manufacturing, public administration. Selling those tools while operating insecurely would be untenable both commercially and ethically. Our security programme is therefore designed to withstand the scrutiny of the customers most likely to audit it.
Three principles shape every security decision we make. First, European data sovereignty: data belongs to the customer and stays under European jurisdiction. Second, compliance by architecture: controls are built into how the platform works, not bolted on as paperwork. Third, continuous evidence: every security commitment in this document is backed by systems that produce the audit evidence needed to prove it to a regulator.
Security is not a separate department at Orizon. Every engineer is responsible for the security of the code they write, the services they operate and the data they handle. A dedicated security function sets standards, runs assessments and coordinates incident response, but the day-to-day application of security practices is distributed across the engineering organisation.
Any control we recommend to a customer must also apply to us — and any commitment we make in this whitepaper must be verifiable by evidence we can produce on request. If we cannot evidence it, we do not claim it.
Data Residency & European Sovereignty
Orizon was founded on the principle that European cybersecurity requires European infrastructure. Data residency is therefore not a configurable option — it is a foundational commitment. All customer data is processed and stored within the European Union, governed by EU law, and never transmitted to or stored in jurisdictions outside the European Economic Area.
For customers subject to NIS2, national cybersecurity frameworks or sectoral regulators, Orizon's EU-only residency posture typically closes an entire category of risk-assessment questions during vendor onboarding. Specific contractual residency commitments are captured in the Data Processing Agreement on a per-engagement basis.
Sub-processors & Supply Chain
Orizon engages a limited set of sub-processors to deliver its services, all operating under the same EU jurisdiction as Orizon itself. The current sub-processor list is maintained internally and disclosed to customers under NDA on request, or as required by the executed Data Processing Agreement. We deliberately do not publish the full list publicly because doing so would unnecessarily expose attack-surface information to potential adversaries.
Customers with a signed NDA or executed Data Processing Agreement may request the current sub-processor list, including legal entity names, processing purpose and jurisdiction, by contacting [email protected].
Data Security
Encryption at rest
All customer data persisted to storage — including database records, object storage artefacts and backup images — is encrypted at rest using strong, industry-standard symmetric encryption. Encryption is applied at the storage layer so that loss of physical media would not expose customer data in plain text. Specific algorithms and key sizes meet or exceed current NIST and ENISA recommendations.
Encryption in transit
All traffic between customers and the Orizon platform is transported over modern TLS using current, vetted cipher suites. Internal service-to-service traffic is authenticated and, where it crosses network boundaries, encrypted. Plain-text transport is not accepted on any production flow, and HTTP endpoints redirect unconditionally to HTTPS. Cipher suites and protocol versions are reviewed regularly and weak options are deprecated as guidance evolves.
Key management
Cryptographic keys protecting customer data are generated, stored, used and rotated through managed key-management services with hardware-backed protection. Direct human access to raw key material is not part of normal operations. Administrative actions against the key store produce audit records bound to an authenticated identity, and operations are subject to separation of duties.
Backups and retention
Customer data is backed up on a schedule aligned to its criticality. Backups are retained within the same EU jurisdiction as live data, under the same encryption, access controls and integrity checks. Restoration procedures are documented and exercised. Data retention periods are aligned to the commercial agreement and applicable legal obligations; customer data is deleted on termination within the contractually agreed window.
Access Control & Authentication
Role-based access control
Access to Orizon systems and customer data follows the principle of least privilege. Each role has the minimum set of permissions required to perform its function, and access to production environments is strictly separated from development and staging. Role assignments are reviewed when an employee joins, changes role or leaves. Standing access to customer data is minimised; when elevated access is needed, it is requested, time-bound, logged and reviewed.
Multi-factor authentication
Multi-factor authentication is required for every account with access to customer data, production environments, source-code repositories, build pipelines or infrastructure control planes. Phishing-resistant factors are preferred and weak factor types are deprecated as the threat landscape evolves.
Audit logging
Every administrative action against production is recorded in an append-only audit trail bound to an authenticated identity, with the action, target resource and timestamp. Customer-facing actions performed through the platform — queries, exports, report generation — are logged separately and available to customers through the platform's own audit trail.
Orizon supports identity provider integrations including Active Directory and SAML/OIDC single sign-on, so that customers can enforce their own authentication and access policies on the Orizon products they operate. This includes session timeouts, MFA enforcement, device posture checks and conditional access — all governed by the customer identity provider, not by Orizon.
Application Security
Orizon operates a modern software development lifecycle in which security is integrated at every stage, from threat modelling during design to continuous monitoring in production. The practices below describe how we build and operate the software that handles customer data.
Monitoring, Logging & Incident Response
Orizon runs continuous monitoring across its production environment. Security-relevant events are aggregated, correlated and alerted on. The incident response capability is exercised, documented and integrated with the product side of the business — Oversight, our managed SOC offering, gives us a working view of how incident response should function in practice.
Monitoring
Infrastructure, application and security telemetry are collected into a centralised system. Alerts are defined for known patterns of abuse, for anomalies against established baselines, and for indicators aligned with current threat intelligence. Dashboards cover availability, performance and security health across the platform.
Incident response
A written incident response plan defines roles, escalation paths, communication protocols and decision rights during a security incident. The plan is exercised through tabletop walk-throughs at defined intervals. For incidents that reach the threshold of a personal data breach under GDPR or a significant incident under NIS2, the response playbook is aligned with the notification timelines those regulations impose.
Customer notification
If a security incident is confirmed to have compromised customer data, affected customers are notified without undue delay through the contact channels captured in the commercial agreement. Notification content follows a structured format covering what happened, what data was affected, what we are doing about it, and what the customer can do.
Reference notification timeline (customer-facing incidents)
Vulnerability Management & Responsible Disclosure
Vulnerability management at Orizon is a continuous activity rather than a scheduled event. Vulnerabilities are identified through automated tooling, internal security reviews, periodic penetration tests and reports from external researchers. Remediation is prioritised against the risk the vulnerability presents to customers.
Vulnerabilities reach us through dependency scanning, product security testing, infrastructure reviews, customer reports and the responsible disclosure programme.
Each report is acknowledged and assessed for exploitability and impact. Severity follows an industry-standard scheme adapted for the exposure profile of the affected component.
Fixes follow the normal release process, with timelines aligned to severity. Critical issues are expedited. Workarounds or mitigations are deployed where a direct fix cannot be released immediately.
A fix is not considered complete until it has been verified against the original report. Reporters are kept informed throughout the process and credited on publication where they wish to be.
Responsible disclosure programme
Security researchers who discover a vulnerability in an Orizon product or service are encouraged to report it to [email protected]. We acknowledge reports within 48 hours during business days. We do not require a formal contract or non-disclosure agreement to receive a report. We coordinate on publication and credit researchers who wish to be credited.
Orizon will not take legal action against researchers who act in good faith, comply with the responsible disclosure guidelines, do not access more data than is necessary to demonstrate the issue, and do not exfiltrate, publish or destroy customer data. Clear communication and early notification of the Orizon security team are the expected course of action.
Business Continuity & Disaster Recovery
Orizon operates with the expectation that infrastructure failures, regional disruptions and operational incidents are inevitable over long time horizons. The goal of our business continuity and disaster recovery practices is to keep customer-facing services available and customer data recoverable when those events occur.
RPO and RTO targets are defined per product and communicated in the commercial agreement where customers have specific availability requirements. They are not uniform across every product, because the criticality and failure modes of a scanning platform, a SOC service and a training platform are genuinely different.
Compliance Alignment
Orizon operates a platform that helps customers demonstrate compliance. It would be inconsistent to run that platform outside the frameworks it supports. The table below sets out the frameworks most relevant to our customers and our current posture against each. "Operational" means the framework is actively driving decisions today. "Roadmap" means it is being prepared for independent validation.
| Framework | Status | Detail |
|---|---|---|
| GDPR | Operational | EU-only data residency, sub-processor governance, breach notification readiness, data-subject-rights support and records of processing aligned to Article 30 are in place today. |
| NIS2 | Operational | Article 21 measures applied internally — risk assessment, incident handling, supply chain security, encryption, MFA — and we treat our own operations as in-scope to maintain credibility with customers subject to NIS2. |
| ISO 27001 | Roadmap | Internal controls are aligned with the ISO 27001 control set. Independent certification is on our roadmap and will be communicated to customers once achieved. |
| SOC 2 | Roadmap | Trust Services Criteria — Security, Availability, Confidentiality — are tracked internally. Independent attestation is on our roadmap. |
| AI Act | Operational | Orizon AI, our sovereign GenAI product, is classified and documented against the EU AI Act risk framework. On-premise deployment removes cross-border AI concerns for customers. |
Third-Party Risk Management
Orizon applies to its own supply chain the same scrutiny NIS2 requires in-scope customers to apply to theirs. Third parties that process customer data or run on the critical path of production services are subject to assessment before engagement and at defined intervals thereafter.
- Security-relevant vendors are identified and inventoried internally. The inventory distinguishes between sub-processors that touch customer data and operational suppliers that do not.
- Sub-processors undergo a pre-onboarding review covering security posture, data protection commitments, incident notification obligations and EU-residency alignment.
- Contracts with sub-processors incorporate security requirements: encryption, access control, audit rights where appropriate, and obligations to notify Orizon of relevant incidents.
- Material changes to a sub-processor's posture — acquisition, security incident, loss of key personnel, change of jurisdiction — trigger a re-assessment.
- Sub-processor changes are communicated to customers in accordance with the commercial agreement. The current list is disclosed under NDA or as part of the executed Data Processing Agreement.
- Orizon maintains the ability to replace any sub-processor without unreasonable delay if a material security or legal concern arises.
Contact & Escalation
This whitepaper is intended to answer the questions most security reviewers ask during vendor onboarding. Questions it does not answer — or commitments specific to your engagement — can be addressed directly with the Orizon security or compliance team. We welcome early engagement during procurement.
This document is reviewed at least annually and updated whenever a material change occurs. Version history is maintained internally; the current version number and publication date are shown on the cover.
Nothing in this whitepaper constitutes a contractual commitment. Contractual commitments are established through the order form, terms of service and — where applicable — a Data Processing Agreement executed between Orizon and the customer. Where this whitepaper and the commercial agreement diverge, the commercial agreement governs.
[email protected] · [email protected] · orizon.one/security