Security isn't a section of Oriole. It's the architecture.
High-stakes assessment lives or dies on whether a result can be defended. Every layer of Oriole is designed to be encrypted, access-controlled and recorded.
We take security seriously.
Architected for integrity
Encryption, identity, access and evidence are designed together — never bolted on after the fact.
Encrypted end to end
TLS 1.3 in transit, AES-256 at rest and per-tenant key isolation — one tenant can never reach another.
Audited & compliant
SOC 2 Type II and ISO 27001 aligned, with GDPR and FERPA-ready handling and DPAs on request.
Four layers, one continuous audit trail
From the network edge to the data store, controls are layered so that no single failure compromises an examination — and everything that happens is logged.
Every layer logs to an append-only, exportable audit trail.
Controls across every domain
A complete control set, owned and operated — not bolted on.
Data security
AES-256 at rest, TLS 1.3 in transit, per-tenant key isolation and field-level encryption for sensitive candidate data.
Infrastructure
Hardened, multi-region cloud with isolated environments, infrastructure-as-code and continuous configuration scanning.
Monitoring
Continuous security monitoring, anomaly detection and 24/7 alerting routed to an on-call response team.
Encryption
Keys managed in an HSM-backed service with rotation, and cryptographic separation between tenants.
Compliance
SOC 2 Type II and ISO 27001 aligned, with GDPR and FERPA data-handling and DPA support.
Access controls
Least-privilege RBAC, enforced MFA for staff, SSO/SAML, SCIM provisioning and just-in-time elevation.
Audit trails
Append-only, tamper-evident logs of every privileged action, exportable for inquiry and appeal.
Disaster recovery
Automated multi-region failover with a recovery objective under 15 minutes and a seconds-level data-loss target.
Business continuity
Tested continuity plans, redundant delivery paths and offline exam resilience for low-connectivity sites.
Threat protection
WAF, DDoS mitigation, dependency scanning, penetration testing and a coordinated vulnerability disclosure programme.
Every action, recorded and exportable
When a result is challenged, you don't reconstruct what happened — you produce it. Oriole writes a tamper-evident record of every privileged action.
Request our security documentation
We'll share our security overview, architecture detail, sub-processor list and a Data Processing Agreement for your review.