Orkids

TRUST CENTER

Security, compliance, and the things a board asks before signing.

The posture, sub-processors, insurance, succession plan, and ownership terms a PH hospital board chair or BSP-regulated bank CTO needs to clear procurement. No marketing. Targets and statuses are dated and honest.

Posture

Orkids builds and operates enterprise software for Philippine hospitals, distributors, banks, and operators. We hold ourselves to the standard of the most regulated client we serve. Security is not a feature we sell; it is the condition of being trusted with a hospital’s patient feedback data and a bank’s cloud account. This page is the public record of that posture, kept current and dated.

Certifications & frameworks

Where a certification is in progress, the target date is stated. We do not claim what we have not earned.

  • NPC Registered (RA 10173): Live
  • BIR-aligned (RR 11-2025, RR 26-2025): Live
  • BSP Circular 982 outsourcing notification: Ready
  • ISO 27001: In progress · target Q4 2026
  • SOC 2 Type II: In progress · target Q3 2027

Statutory registrations

  • SEC Registration: Registered
  • BIR Certificate of Registration (Form 2303): Registered
  • Mayor's / Business Permit: Registered
  • NPC Registration (Personal Information Controller): Registered
  • NPC Seal of Registration: In progress · pending submission
  • Data Protection Officer (DPO): dpo@orkids.ph

Data residency

Production data is hosted in AWS Asia Pacific (Singapore, ap-southeast-1) by default. Note that the default region is outside the Philippines; for clients with on-premise or in-country residency mandates, we offer a Manila on-premise deployment. Your data lives in your own cloud account, under your billing and your IAM. Orkids holds no production credentials after handover unless they are retained, by written agreement, for managed operations.

Sub-processors

The full list of sub-processors with their purpose. A signed DPA is available for each.

Sub-processor · Purpose · DPA

  • Amazon Web Services · Cloud hosting & compute (ap-southeast-1, Singapore) · DPA on request
  • Cloudflare · DNS, CDN, WAF, DDoS mitigation · DPA on request
  • Anthropic · LLM inference (Claude) for engineering workflows · DPA on request
  • OpenAI · LLM inference for engineering workflows · DPA on request
  • Vercel · Edge delivery & application hosting · DPA on request
  • Supabase · Managed Postgres & auth (ap-southeast-1) · DPA on request
  • Resend · Transactional email delivery · DPA on request
  • Mux · Video hosting for case-study walkthroughs · DPA on request
  • Cal.com · Scheduling (EU + APAC residency) · DPA on request
  • PostHog · Product analytics (self-hosted, EU) · DPA on request

Encryption

Data is encrypted at rest with AES-256 and in transit with TLS 1.3. Keys are held in the host cloud's managed KMS and are never stored alongside the data they protect.

Access controls

SSO is enforced for all internal access. MFA is mandatory, with no exceptions for administrators. Access follows least privilege: engineers hold the minimum scope required for an active engagement, and access is revoked at handover.
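Two of the claims on this page can be verified from the client's side after handover: that Orkids holds no production credentials in the client's account (Data residency, above) and that MFA is mandatory with no exceptions for administrators (Access controls). The Python below is an added example of the post-handover audit a client CTO might run; it is not Orkids' tooling. In production the inputs would come from `aws iam get-credential-report` and `aws iam get-role`; here the credential report, the role trust policies and both account IDs (111111111111 for the client, 222222222222 for the vendor) are constructed, and every function name is my own.

```python
"""Post-handover IAM audit (added example, not Orkids' code).

Checks three things a client should be able to prove after handover:
  1. no console user lacks MFA,
  2. which users still hold active access keys,
  3. which roles can be assumed from outside the client's own account.
All sample input below is constructed.
"""
import csv
import io
import json
import re

# Constructed: the client's AWS account. Any other account is "external".
CLIENT_ACCOUNT = "111111111111"

# Constructed credential report, trimmed to the columns used here. The real
# report from `aws iam get-credential-report` is base64-encoded CSV with
# the same column names.
CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,false,false
alice.admin,arn:aws:iam::111111111111:user/alice.admin,true,true,false,false
bob.ops,arn:aws:iam::111111111111:user/bob.ops,true,false,true,false
vendor-deploy,arn:aws:iam::111111111111:user/vendor-deploy,false,false,true,false
"""

# Constructed trust policies, keyed by role name (the AssumeRolePolicyDocument
# returned by `aws iam get-role`).
TRUST_POLICIES = {
    "AppRuntimeRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "AdminRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"}]},
    # A vendor role that should have been removed at handover.
    "VendorOperatorRole": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:role/OrkidsEngineer"]},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "constructed-id"}}}]},
}

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _rows(report_csv):
    return list(csv.DictReader(io.StringIO(report_csv)))


def find_users_without_mfa(report_csv=CREDENTIAL_REPORT):
    """Console-enabled users whose MFA is not active (root is reported too)."""
    return [r["user"] for r in _rows(report_csv)
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def find_users_with_active_keys(report_csv=CREDENTIAL_REPORT):
    """Users holding at least one active long-lived access key."""
    return [r["user"] for r in _rows(report_csv)
            if "true" in (r["access_key_1_active"], r["access_key_2_active"])]


def _aws_principals(statement):
    """Yield AWS (account/user/role) principals; AWS allows string, list and dict forms."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    yield from ([aws] if isinstance(aws, str) else aws)


def _account_of(principal):
    if principal.isdigit() and len(principal) == 12:
        return principal
    match = ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None  # "*" and malformed -> None


def find_external_trusts(policies=TRUST_POLICIES, account=CLIENT_ACCOUNT):
    """Roles whose trust policy lets a principal outside `account` assume them."""
    findings = {}
    for role, doc in policies.items():
        for st in doc.get("Statement", []):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if st.get("Effect") != "Allow" or not any(
                    a in ("*", "sts:*") or a.startswith("sts:AssumeRole") for a in actions):
                continue
            for p in _aws_principals(st):
                if _account_of(p) != account:
                    findings.setdefault(role, []).append(p)
    return findings


def audit(report_csv=CREDENTIAL_REPORT, policies=TRUST_POLICIES, account=CLIENT_ACCOUNT):
    """Combine the three checks into one report; an empty report is the goal."""
    return {
        "users_without_mfa": find_users_without_mfa(report_csv),
        "users_with_active_keys": find_users_with_active_keys(report_csv),
        "external_trusts": find_external_trusts(policies, account),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Against the constructed input the audit flags bob.ops (console user, no MFA), two users with live access keys, and VendorOperatorRole, which still trusts a role in the vendor's account; the ExternalId condition narrows who can assume it but does not change the fact that the trust survives handover. To run it for real, decode the credential report (`aws iam get-credential-report --query Content --output text | base64 -d`) and feed each role's `AssumeRolePolicyDocument` into `find_external_trusts`.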

Incident response

We acknowledge a reported security incident within 4 hours and notify affected customers within 24 hours. Response runbooks name the responsible engineer and the escalation path before an incident occurs, not during one.

Vulnerability disclosure

Report vulnerabilities to security@orkids.ph. A PGP key will be published at /pgp-key.txt; it is not yet available. We do not pursue good-faith researchers who follow coordinated disclosure.

RA 10173 compliance

Orkids is registered with the National Privacy Commission as a Personal Information Controller under RA 10173 (the Data Privacy Act). We operate to the NPC’s implementing rules: lawful basis, data-subject rights handling, breach notification, and a named Data Protection Officer reachable at dpo@orkids.ph.

BSP Circular 982 readiness

For BSP-regulated clients, Orkids is ready to support the cloud-outsourcing notification process under BSP Circular 982: risk assessment inputs, sub-processor disclosure, data-residency attestation, and exit/continuity provisions. We work alongside your compliance team rather than around it.

DOH compliance posture

For healthcare clients, our systems are built to align with DOH health-information-system expectations and to integrate with PhilHealth eClaims where the engagement requires it. Patient data handling follows RA 10173 and the client’s own DOH-mandated controls.

Insurance & liability

Coverage and contractual liability terms, stated plainly.

  • Directors & Officers (D&O): In binding · 2026
  • Errors & Omissions (E&O): In binding · 2026
  • Cyber insurance: In binding · 2026
  • Contractual liability cap: 12 months of engagement fees

Business continuity & key person

Every engagement names a backup engineer in addition to the lead. A knowledge-transfer runbook is maintained for each project so that delivery does not depend on a single individual. If a named engineer becomes unavailable, the customer keeps full access to their systems and the backup engineer is briefed from the runbook within the incident-response window. Succession at the decision-maker level is documented on the governance page.

Related-party disclosures

Orkids owns its related-party relationships rather than burying them. Our first client — a top-ranked Philippine private hospital — was a related party of the firm at the time of engagement. Engagement terms were reviewed under standard related-party governance with separate counsel and third-party CPA review. The full structure, officers, and conflict-hygiene controls are documented on the governance page.

IP ownership & exit posture

Orkids holds no production credentials, no source code copies, and no IP claims after handover. Every Build and Replace engagement transfers code, database schema, deploy keys, and GitHub repository ownership to the client. A sample contract IP clause is available under NDA.

For Optimize engagements, the configuration changes, runbooks, and playbook are yours; there is no new code to transfer.

Document request portal

Sensitive diligence documents are shared through an NDA-gated room. Request access and we will provision it after a mutual NDA.

  • SOC 2 report (when available)
  • Third-party penetration test results
  • Architecture diagrams
  • Customer references
  • Sample IP transfer contract

Security whitepaper

Coming · target Month 2

Publishable architecture diagrams plus a third-party penetration test letter. Targeted for Month 2. Email security@orkids.ph to be notified when it publishes.