Operational Trust
Vorantiq is the operational substrate for coordinated intelligence infrastructure. This is the consolidated, evidence-cited view of the platform’s security, reliability, governance, privacy, and AI-safety posture. No claim without a source. No certification we do not hold.
Canonical documents
Each section below summarizes a markdown document in the repository. The repository is the source of truth; these pages are navigational.
Architecture
The seven planes that make up the operating environment.
System Status
Per-plane operational posture, active conditions, and incident communication doctrine.
Observability
Runtime telemetry posture — what is wired, what is scaffolded, what is intentionally not enabled.
Integrations
External-system boundaries with explicit trust, ownership, failure-domain, and rollback posture.
Changelog
Reverse-chronological record of operational and governance changes, evidence-linked.
Responsible AI
Provider transparency, customer controls, safety controls, autonomy posture.
Reliability
SLO architecture, incident communication doctrine, DR posture.
Legal & DPA
Data Processing Agreement template, procurement onboarding, responsibility boundaries.
Security architecture
Per-plane control enumeration with file:line evidence. Honest gaps named.
Data handling
Categories, encryption, residency, retention, right-to-erasure procedure.
Governance
Plane-aligned ownership, change governance, audit-chain integrity.
Procurement Q&A
Twelve sections of a pre-answered standard CISO questionnaire.
Where we are in our security maturity
Session security (refresh-token replay defense per RFC 6819), CSRF, rate limiting on auth surfaces, tenant isolation, Stripe webhook integrity, immutable hash-chained audit schema.
Per-request correlation IDs, vendor-neutral OpenTelemetry adapter, security disclosure policy, plane-aligned CODEOWNERS, governance and activation runbooks, automated dependency updates.
SOC 2 Type II preparation (no audit underway), branch protection on main, CODEOWNERS team activation, production database identity verification (active Production-Safety Stop).
SOC 2 Type II audit, HIPAA controls, FedRAMP, ISO 27001, multi-region data residency.
How to engage
- General security: security@vorantiq.dev — see SECURITY.md for SLAs.
- Privacy / data rights: privacy@vorantiq.dev.
- Legal / contracts: legal@vorantiq.dev.
- Active vulnerability: see /.well-known/security.txt, then email security@vorantiq.dev per the disclosure policy.
Every claim links to the source file, the implementation commit, the design document, or the runbook that backs it. Every gap is named explicitly with its status — same legend as docs/STATUS.md.