Security Policy & Trust Center

Orno maintains a formal information security governance program overseen by executive leadership. Our security posture is guided by a risk-based approach aligned with the NIST Cybersecurity Framework (CSF) and informed by ISO/IEC 27001:2022 control objectives. Key governance elements include:

1. Executive accountability for security decisions at the C-suite level, with quarterly security reviews presented to the leadership team;
2. Documented information security policies covering all domains described herein, reviewed and updated no less than annually;
3. A designated security function responsible for policy development, risk assessment, incident response coordination, and compliance monitoring;
4. Formal risk assessment processes conducted at least annually, or upon material changes to infrastructure, applications, or business processes;
5. Security awareness training for all personnel upon hire and annually thereafter, with supplemental training for personnel in elevated-risk roles.

Orno is actively investing in formal compliance certifications to meet the expectations of enterprise Brand Partners and demonstrate our commitment to industry-leading security practices. Our current compliance posture and roadmap are as follows:

Orno classifies all data assets according to a four-tier classification scheme that determines handling requirements, access controls, encryption standards, and retention policies:

Orno implements encryption controls to protect data at rest and in transit, utilizing industry-standard algorithms and key management practices:

Orno implements a comprehensive access control program based on the principles of least privilege and need-to-know, incorporating the following measures:

1. Role-Based Access Control (RBAC): All system access is provisioned based on predefined roles aligned with job function. Roles are reviewed quarterly and adjusted upon personnel changes (transfers, promotions, terminations);
2. Multi-Factor Authentication (MFA): MFA is mandatory for all personnel accessing production systems, administrative consoles, cloud management interfaces, and the Partner Portal. We support TOTP, FIDO2/WebAuthn hardware keys, and push-based authentication;
3. Single Sign-On (SSO): Enterprise SSO is implemented for internal applications using SAML 2.0 or OpenID Connect (OIDC) protocols, enabling centralized authentication and session management;
4. Privileged Access Management: Administrative and elevated privileges are provisioned through just-in-time (JIT) access workflows with mandatory approval, time-bounded sessions, and comprehensive audit logging;
5. Access Reviews: Formal access reviews are conducted quarterly for all systems containing Restricted or Confidential data, with immediate revocation of unnecessary privileges;
6. Password Policy: Where passwords are used, minimum requirements include 14+ characters, complexity requirements, breach-database screening, and prohibition of password reuse for the previous 24 entries.

Orno’s network architecture is designed with defense-in-depth principles to minimize attack surface and contain potential breaches:

1. Network segmentation isolates production, staging, development, and management environments with distinct security zones and firewall rules;
2. Web Application Firewall (WAF) protection deployed at the edge to filter malicious traffic, block common attack patterns (OWASP Top 10), and rate-limit requests;
3. DDoS mitigation through cloud-native protection services with automatic traffic scrubbing and geographic distribution;
4. Intrusion Detection/Prevention Systems (IDS/IPS) monitor network traffic for anomalous patterns, known attack signatures, and policy violations;
5. DNS security extensions (DNSSEC) and DNS filtering to prevent cache poisoning and block resolution of known-malicious domains;
6. All administrative access to infrastructure requires VPN or zero-trust network access (ZTNA) with device posture verification.

Security is integrated throughout the software development lifecycle (SDLC) at Orno. Our application security program includes:

1. Static Application Security Testing (SAST): Automated static analysis is integrated into CI/CD pipelines, scanning source code for vulnerabilities (injection flaws, authentication issues, cryptographic weaknesses) before deployment;
2. Dynamic Application Security Testing (DAST): Automated dynamic scanning is performed against staging environments to identify runtime vulnerabilities including XSS, CSRF, SSRF, and authentication/authorization bypass;
3. Software Composition Analysis (SCA): Third-party dependencies and open-source libraries are continuously monitored for known vulnerabilities (CVEs) with automated alerting and remediation workflows;
4. Secure Code Review: All code changes undergo peer review with security-focused review for changes touching authentication, authorization, payment processing, and data handling;
5. OWASP Alignment: Development practices are aligned with the OWASP Application Security Verification Standard (ASVS) Level 2, addressing the OWASP Top 10 and beyond;
6. Input Validation: Strict input validation, output encoding, and parameterized queries are enforced to prevent injection attacks across all application interfaces.

Orno maintains a formal vulnerability management program to identify, assess, prioritize, and remediate security vulnerabilities in a timely manner:

Vulnerability scanning is performed continuously on externally-facing assets and weekly on internal infrastructure. Discovered vulnerabilities are tracked in a centralized registry with assigned owners, target remediation dates, and verification of closure.

Orno engages qualified third-party security firms to conduct penetration testing on a regular cadence:

1. External network penetration testing is conducted at least annually, simulating real-world attack scenarios against internet-facing infrastructure and applications;
2. Web application penetration testing is conducted at least annually and upon significant application changes, covering authentication, authorization, session management, business logic, and API security;
3. Findings are classified by severity, tracked to remediation, and retested to confirm closure;
4. Executive summaries of penetration test results are available to enterprise customers under NDA upon request;
5. Internal red-team exercises or tabletop simulations are conducted as resources permit to test detection and response capabilities.

Orno maintains a documented Incident Response Plan (IRP) based on the NIST SP 800-61 framework, covering preparation, detection, analysis, containment, eradication, recovery, and post-incident review. Key commitments include:

The incident response team is available 24/7 via escalation procedures. All incidents are documented, classified by severity, and subject to formal post-mortem analysis to identify systemic improvements. Lessons learned are incorporated into security controls and training programs.

Orno maintains business continuity and disaster recovery capabilities to ensure service availability and data durability:

1. Automated database backups performed daily with point-in-time recovery capability, stored in geographically separate regions with encryption at rest;
2. Recovery Point Objective (RPO) of 24 hours or less for critical systems; Recovery Time Objective (RTO) of 4 hours for critical services;
3. Infrastructure deployed across multiple availability zones with automatic failover for high-availability components;
4. Disaster recovery procedures tested at least annually through tabletop exercises or controlled failover drills;
5. Business continuity plan covering personnel continuity, communication protocols, and alternate operational procedures.

Orno implements personnel security controls to ensure that individuals with access to sensitive systems and data are trustworthy and properly trained:

1. Background checks conducted for all personnel with access to Restricted or Confidential data, subject to applicable law;
2. Confidentiality and non-disclosure agreements executed by all personnel prior to access provisioning;
3. Security awareness training upon hire covering phishing recognition, social engineering, data handling, incident reporting, and acceptable use policies;
4. Annual refresher training with acknowledgment for all personnel;
5. Prompt access revocation upon termination, resignation, or role change, with exit procedures including equipment return and access decommissioning within 24 hours;
6. Clear desk and clear screen policies for personnel handling Restricted data.

Orno’s production infrastructure is hosted with enterprise-grade cloud service providers that maintain industry-leading physical security certifications (SOC 2 Type II, ISO 27001, PCI DSS Level 1). Physical security of cloud data centers is the responsibility of the cloud service provider and includes:

1. 24/7 physical monitoring with CCTV, intrusion detection, and security personnel;
2. Multi-factor physical access controls (biometric, badge, PIN) with visitor logging;
3. Environmental controls including fire suppression, climate management, and power redundancy (UPS, generators);
4. Hardware decommissioning procedures including cryptographic erasure and physical destruction of storage media.

Orno does not operate on-premises data centers. All production workloads are hosted in SOC 2-certified cloud environments. Corporate offices employ standard physical security measures including controlled access, visitor registration, and secure disposal of physical documents containing sensitive information.

Orno maintains a vendor risk management program to ensure that third-party service providers maintain security standards consistent with our own obligations:

1. Security assessments conducted prior to vendor engagement, including review of SOC 2 reports, penetration test summaries, and security questionnaire responses;
2. Data Processing Agreements (DPAs) executed with all vendors processing personal data on behalf of Orno or our customers;
3. Contractual requirements for breach notification, audit rights, data return/deletion, and compliance with applicable data protection laws;
4. Annual vendor reassessment for critical and high-risk vendors based on data sensitivity, integration depth, and business impact;
5. Vendor access limited to minimum necessary systems and data, with dedicated service accounts, audit logging, and periodic access review;
6. Vendor inventory maintained with risk classification, data types processed, geographic locations, and contract renewal dates.

Orno welcomes responsible security research and is committed to working with security researchers who identify vulnerabilities in our systems. Our responsible disclosure policy operates as follows:

Orno commits to: (i) acknowledge receipt of vulnerability reports within 48 hours; (ii) provide an initial assessment within 7 business days; (iii) keep reporters informed of remediation progress; and (iv) credit researchers (with consent) upon public disclosure. We will not pursue legal action against researchers who comply with this policy in good faith.

Scope: All Orno-owned domains (*.orno.io), the Partner Portal application, and associated API endpoints are in scope. Third-party services, social media accounts, and physical offices are out of scope.

For security inquiries, vulnerability reports, compliance documentation requests, or vendor security questionnaires, please contact:

This Security Policy is provided for informational purposes and represents Orno’s current security practices as of the date published. Security controls are continuously evolving and may be updated without prior notice. This document does not create any contractual obligation beyond those contained in executed agreements between Orno and its customers.