Our commitment to security and trust
Oromis is built for compliance-conscious organisations. This page documents our security architecture, data privacy controls, regulatory alignment, and how enterprise buyers can access detailed documentation.
Built with defence in depth
Our security model layers technical controls, operational practices, and third-party infrastructure to protect customer data at every layer.
Encryption at rest & in transit
All customer data is encrypted at rest with AES-256 and in transit over TLS 1.2+. Database backups are encrypted independently. Encryption keys are rotated on a scheduled basis.
Access control & IAM
Role-based access control (RBAC) is enforced throughout the platform. Principle of least privilege is applied to all internal systems. MFA is required for all admin-level accounts.
Continuous monitoring
Infrastructure and application events are logged to an append-only audit store. Anomaly detection and alerting are configured across all production environments.
Infrastructure isolation
Production workloads are isolated in dedicated cloud environments with network segmentation and restricted egress. No production secrets are present in version control.
Vendor & subprocessor review
All third-party subprocessors handling personal data are reviewed for security posture prior to onboarding. Data Processing Agreements (DPAs) are in place with all subprocessors.
Vulnerability management
Dependencies are scanned on every build and pull request. Critical CVEs are patched within 72 hours. A responsible disclosure program is maintained.
Regulatory alignment by design
Oromis processes personal data on behalf of our customers. We align our controls to the most demanding regulatory standards to support your compliance obligations wherever you operate.
EU General Data Protection Regulation
We process EU personal data as a data processor and support our customers acting as data controllers. Our privacy architecture is designed to facilitate GDPR compliance obligations.
- Data Processing Agreements available for all customers
- Data subject access request (DSAR) workflow built into platform
- Right to erasure — account deletion removes all personal data within 30 days
HIPAA-Adjacent Controls
While Oromis is not a covered entity under HIPAA, our compliance and LMS modules may be deployed in healthcare-adjacent environments. We apply HIPAA-informed controls as a baseline standard.
- Access logging for all data access events meeting HIPAA audit requirements
- Role-based access restricts PHI-adjacent data to authorised users only
- Data encryption at rest and in transit meets HIPAA Technical Safeguard standards
South African POPIA
As a South Africa-based operation, Oromis is subject to POPIA. We implement controls aligned with its requirements as our baseline privacy standard for all data subjects, regardless of geography.
- Controls aligned with the eight conditions for lawful processing
- Consent mechanisms implemented at all data collection points
- Information Officer designated and contactable
- Data subject request handling with 30-day response SLA
Immutable, tamper-evident logs
Every user and system action within Oromis is logged to an append-only audit store. Logs are available to platform administrators and can be exported for external SIEM integration.
Append-only storage
Log entries cannot be modified or deleted after creation. Cryptographic chaining detects any tampering attempt. Logs are retained for a minimum of 12 months.
Comprehensive event coverage
Authentication events, data access, configuration changes, user provisioning, policy modifications, and API calls are all captured with full actor, timestamp, and resource context.
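As an added illustration of the cryptographic chaining described above (a hypothetical implementation written for this page, not Oromis's own code), each entry commits to the hash of its predecessor, so editing or deleting a stored entry breaks the chain at that point. It also shows the caveat a reviewer would check: a head hash recorded out of band (for example at export time) is needed to detect silent truncation of the newest entries, which chaining alone cannot see.

```python
import hashlib
import json

# Constructed sample events carrying the actor, timestamp and resource context described above
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "actor": "alice@example.com", "action": "auth.login", "resource": "session/1"},
    {"ts": "2024-03-01T08:01:00Z", "actor": "alice@example.com", "action": "data.read", "resource": "record/42"},
    {"ts": "2024-03-01T08:05:00Z", "actor": "bob@example.com", "action": "policy.update", "resource": "policy/mfa"},
]
GENESIS = "0" * 64  # stands in for the hash of the (empty) predecessor of the first entry

def canonical(event: dict) -> bytes:
    # Deterministic serialisation so an unchanged event always hashes identically
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash: str, event: dict) -> str:
    # Each entry commits to its predecessor's hash; this is what forms the chain
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(event)).hexdigest()

def build_chain(events: list) -> list:
    chain, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        chain.append({"prev_hash": prev, "hash": h, "event": dict(ev)})
        prev = h
    return chain

def verify_chain(chain: list, expected_head=None) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact.
    expected_head is a head hash recorded out of band (e.g. at SIEM export time);
    without it, dropping entries from the tail leaves a chain that still verifies."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry_hash(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)  # internally consistent but truncated
    return -1

def demo() -> tuple:
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]                      # what an exporter would record out of band
    edited = build_chain(SAMPLE_EVENTS)
    edited[1]["event"]["actor"] = "mallory@example.com"  # modify a stored entry
    deleted = chain[:1] + chain[2:]               # delete a middle entry
    truncated = chain[:-1]                        # drop the newest entry
    return (verify_chain(chain), verify_chain(edited), verify_chain(deleted),
            verify_chain(truncated), verify_chain(truncated, head))
```

`demo()` returns `(-1, 1, 1, -1, 2)`: the intact chain verifies, the edit and the deletion are both caught at index 1, and the truncation is only caught once the recorded head hash is supplied.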
Export & SIEM integration
Audit logs are exportable in JSON and CSV formats. Webhook delivery for real-time streaming to external systems (Splunk, Datadog, Microsoft Sentinel, etc.) is available on Professional and Enterprise plans.
Audit-ready reporting
Pre-built audit report templates are available for SOC 2, ISO 27001, and custom frameworks. Generate comprehensive compliance evidence packages with one click.
Need more detail?
We're happy to share detailed security documentation, SOC 2 reports, DPAs, and penetration test results under NDA.