Trust / Compliance
Honest compliance posture and roadmap.
Operious communicates what is available now, what is in progress, and what must be reviewed by deployment scope.
Enterprise buyers respect clarity more than exaggerated claims. Compliance posture depends on product controls, deployment architecture, cloud environment, data categories, integrations, subprocessors, operating procedures, and contractual commitments. Operious documents these details during enterprise review.
The current posture is built around GDPR-aligned data handling direction, tenant isolation, encryption patterns, governance fail-closed behavior, and audit reconstruction. Formal certification roadmap items are identified as roadmap items until completed.
Operating detail
What this page establishes
Current state
Operious is designed for GDPR-aligned data handling, including data minimization, customer-controlled processing terms, and enterprise review of retention and subprocessors. HIPAA Business Associate Agreement support is available for healthcare clients where deployment scope, controls, and responsibilities are agreed in writing.
Security disclosures are maintained through the legal security page. Enterprise customers can request security architecture review, data flow documentation, and deployment-specific control mapping as part of onboarding.
In progress
SOC 2 Type II audit planning is targeted for Q3 2026. This is a planning target, not a completed certification claim. ISO 27001 certification is on the roadmap. Tenant-controlled data residency is also on the roadmap and should be discussed during architecture review when regional requirements matter.
Operious will not present roadmap controls as completed attestations. Procurement and compliance teams should evaluate current controls and planned milestones separately.
Healthcare deployments
Healthcare clients can evaluate HIPAA BAA availability as part of enterprise contracting. Operious still requires scope review because PHI handling, user roles, integrations, audit exports, and support procedures determine the practical control environment.
Public sector deployments
Public sector requirements may include FOIA-compatible records, accessibility, procurement controls, public cloud requirements, and FedRAMP pathways. FedRAMP-related work is roadmap-dependent and must be evaluated by deployment scope. Operious does not claim authorization before it exists.
What to expect in review
An enterprise review should cover data categories, retention, access roles, tenant isolation, encryption, event export, incident response, subprocessors, residency, support access, and workflow-specific regulatory obligations. Operious is built to make those questions concrete and traceable.
Data residency roadmap
Tenant-controlled data residency is on the roadmap because regulated buyers often need region-specific processing and storage commitments. The current review process should identify residency requirements early so architecture, subprocessors, support access, and export paths can be evaluated honestly.
Operious will not imply that all residency models are already available. Where residency is a requirement, the deployment should proceed only when the agreed operating model satisfies the buyer's legal and security review.
Compliance evidence
Compliance review is strongest when evidence is generated by normal product operation. Governance decisions, denied actions, admission records, tenant-scoped events, and audit exports can help enterprise teams evaluate whether the controls operate continuously rather than existing only as documentation.
As roadmap certifications mature, Operious will connect formal attestations to the architecture buyers can inspect today. The near-term promise is clarity about current controls and precision about what remains in progress.
This distinction protects both sides of the enterprise review. Buyers see the current operating facts, and Operious avoids implying that planned certifications are already complete.
The result is a compliance conversation grounded in evidence instead of broad claims.
Roadmap discipline
Roadmap discipline is part of trust. SOC 2 Type II, ISO 27001, data residency controls, and public sector authorization paths should be discussed with dates, dependencies, and current limits. Operious marks these items clearly so buyers can make informed decisions.
When a control is not yet certified, the right answer is to say so and explain the path. Enterprise buyers can work with roadmap clarity. They should not be asked to rely on inflated claims.