What we guarantee, how we prove it.

OraData is the single interlocutor between buyers (AI companies) and producers (field contributors, annotators, credentialed experts). Neither side ever learns the identity of the other. We pay each subject directly at capture and acquire the rights outright — written consent + video attestation + verified ID. The asset we resell is contractually uncontestable and OraData indemnifies the buyer against any downstream claim.

We host on Supabase (US, Postgres + Storage) and Vercel (US, edge + compute). Emails route through Resend. Payments: Stripe (card + Connect), plus regional mobile-money rails (Wave, Airtel, Moov, MTN, Orange, Chipper), Wise and PayPalfor international transfers. CDN / WAF via Vercel’s built-in edge.

All subprocessors are bound by a Data Processing Agreement. A current subprocessor list is available on request under NDA.

• At rest — AES-256 on Supabase storage + Postgres volumes.
• In transit — TLS 1.3 mandatory on every endpoint.
• Buckets — credentials (private, signed-URL only, 15-min TTL) and uploads (mission files; RLS-gated).
• Secrets — service-role keys + Stripe secrets held in Vercel environment variables, never committed.

• Row Level Security on every Postgres table carrying user data.
• Multi-role junction (user_roles) enforced in DB policies, not just in app code.
• The admin role is exclusive to admin@oradata.ai (migration 0028). Historical over-permissive grants have been revoked and audit-logged.
• Every admin mutation — credential verification, payout approval, storage delete, signed-URL issuance, internal regulator-driven takedowns — writes to admin_audit_log (append-only, 6-year retention).
• Impersonation (admin “view as user”) writes a start + end row to admin_impersonation_log with IP + user-agent.

• OraData LLC is the data controller; subprocessors are processors under DPA.
• Data subject requests (access, rectification, erasure, portability, objection) handled within 30 days at support@oradata.ai.
• Lawful bases: contract performance (workers + buyers), legal obligation (KYC, invoicing), legitimate interest (fraud, quality), explicit consent (analytics cookies, marketing email).
• Transfers outside the EU covered by Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework.
• Breach notification within 72 hours per Article 33.

• OraData acts as a Business Associate under 45 CFR § 164.502.
• BAA signed with each PHI-producing client and each radiologist.
• DICOM access restricted to Gold+ tier experts with a signed BAA and a verified medical credential (is_doctor RPC).
• PHI access register retained 6 years minimum. Breach notification within 24h to the producing client plus downstream per Breach Notification Rule.

• Every subject present in a collected item is paid directly at capture and signs an OraData rights-transfer agreement (certificate ORA-XXXX-XXXX) — written consent + 60-second video attestation + photo of a verified government ID, all stored in a private bucket.
• The agreement transfers commercial usage rights to OraData, who then licenses or resells the asset onward. Buyers receive a clean chain-of-title.
• Buyers can request a per-certificate provenance manifest under NDA: opaque certificate codes, capture dates, ID-verification status. No PII exposed to the buyer.
• OraData carries the full compliance burden. If a regulator-mandated takedown ever forces removal of an item (rare, force-majeure), OraData honours it internally and refunds or replaces the affected portion of the buyer’s order — buyer is held harmless under the purchase agreement.
• Internal compliance channel for regulator requests: support@oradata.ai.

No contributor validates their own work. Cross-validation is enforced at three layers: a Postgres CHECK constraint, an RLS policy, and a UI gate. Arbitration (for tied or disputed annotations) is done by a third, credentialed expert — identities remain anonymous across the entire chain.

• Now — MFA optional for workers, mandatory for admin + DICOM. Annual third-party pen-test planned Q3 2026. Append-only audit trail on admin actions. Short-TTL signed URLs on private buckets.
• Q3 2026 — SOC 2 Type I readiness (policies + evidence collection).
• Q1 2027 — SOC 2 Type II observation window closes.
• Ongoing — public /veille feed of the platform’s observability surface for connected partners.

Data Protection Officer — support@oradata.ai
Security disclosures — support@oradata.ai (PGP available on request)
Vendor due-diligence package — we’ll send a DPA, subprocessor list, incident-response summary, and architecture diagram under NDA. Request at clients@oradata.ai.