Trust Centre
This page is for Data Protection Officers, General Counsels, Chief Information Security Officers, and procurement officers. Every artefact you would normally have to request is either linked here or available on a single email request.
Compliance posture
| Standard / framework | Status | Target | Auditor / evidence |
|---|---|---|---|
| Cayman Data Protection Act (2021 Revision) | Aligned by design | Continuous | DPA template |
| CIMA SOG on Outsourcing (April 2023) | Aligned by design | Continuous | MSA inspection-rights clause |
| CIMA Cybersecurity Rule and SOG — inspection-rights provisions | Aligned by design | Continuous | MSA flow-down clause |
| CIMA Cybersecurity Rule and SOG — full conformance (governance, training, incident response) | In progress | Q3 2026 | Alongside Cyber Essentials |
| WCAG 2.2 Level AA | Aligned | Continuous | Statement |
| Cyber Essentials (basic) | In progress | Q3 2026 | IASME self-assessment |
| Cyber Essentials Plus | Roadmapped | Q4 2026 | Auditor TBA |
| SOC 2 Type I (readiness) | Roadmapped | Q4 2026 | Drata / Vanta / Secureframe |
| SOC 2 Type II | Roadmapped | Q3 2027 | Audit period begins Q1 2027 |
| ISO 27001 | Gap assessment | Certification Q2 2027 | BSI / Schellman / A-LIGN |
| ISO 42001 (AI management) | Roadmapped | Q4 2027 | Following 27001 |
| NIST AI RMF 1.0 + GAI Profile | Mapped | Continuous | Mapping document on request |
"Aligned by design" means the underlying architecture inherently satisfies the standard — we do not require a separate control to comply. "In progress" means an active engagement is underway. "Roadmapped" means a public commitment with a target date but no auditor yet engaged.
Artefacts
DPA template aligned to the Cayman DPA (2021 Revision) and GDPR / UK GDPR. Customised per customer.
Authoritative public list of any sub-processors that handle Customer Personal Data. (Currently: none, by architecture.)
Logical and physical architecture, trust boundary, audit log design, hardware reference appliance.
WCAG 2.2 Level AA conformance statement, testing approach, and accessibility contact.
RFC 9116 security contact and vulnerability disclosure policy.
Per-release SBOM in CycloneDX and SPDX format, generated via Syft. Email security@floworca.com.
Per-module threat model documenting Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of Privilege controls.
Redacted executive summary from a CREST or CHECK certified tester. Available under NDA after first qualifying call.
Cloud Security Alliance CAIQ v4.0.3 and SIG Lite security questionnaire pre-fills, adapted to OrcaVaults's air-gapped deployment model.
Hugging Face-style model card per LLM in use, plus an Anthropic-style system card for OrcaVaults as a whole, including hallucination rates and prompt-injection resistance evaluation.
Bronze / Silver / Gold tiers with severity 1–4 response and resolution targets.
Professional Indemnity, Cyber, Public Liability, Errors & Omissions. Certificates issued within 24 hours.
Audit rights
FlowOrca grants Customer audit rights under the Master Services Agreement. For Customers regulated by the Cayman Islands Monetary Authority, FlowOrca additionally acknowledges CIMA or its authorised agent's right of inspection under the inspection-rights provisions of the April 2023 Cybersecurity Rule and Statement of Guidance, read with the Outsourcing SOG (April 2023) — at no additional cost. Exact section references are confirmed in the Master Services Agreement.
Audit and inspection requests are coordinated through compliance@floworca.com with a target acknowledgment within two business days.
Trust contacts
Vulnerability reports under our RFC 9116 disclosure policy. Acknowledged within 5 business days.
Data Processing Agreement queries, Data Subject rights requests, DPA-related correspondence.
Audit rights, certification correspondence, CIMA inspection coordination.
WCAG conformance reports and accessibility-issue disclosures. Acknowledged within 5 business days.