
Decoded Systems — Security & Compliance

Security built for data that carries the highest stakes.

Whether it’s attorney-client privileged communications in Oryn or a pilot’s proficiency records and safety minimums in our aviation systems — every product we build is designed from the ground up to protect the data your practice and your clients depend on.

All Products · by Decoded Systems, LLC · April 2026


Security as a design principle across every product we build.

From Oryn’s attorney-client privilege engine to the flight education data in Ready Path and ClearPath — every Decoded Systems product is built with security as a foundational principle, not an afterthought. Our practices are designed to align with the AICPA’s SOC 2 Trust Service Criteria across all five categories.

SOC 2 Posture

Decoded Systems’ security framework is designed in alignment with SOC 2 Trust Service Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. We maintain formal information security policies, conduct regular risk assessments, and operate under documented controls for access management, incident response, change management, and data protection across all our products. We are pursuing formal SOC 2 Type II attestation and will make our audit report available upon completion.

Encryption & Data Protection

Every piece of data that flows through Oryn is protected by multiple layers of security controls, from the moment it enters the system through storage, synchronization, and eventual disposal.

  • TLS 1.2+ encryption for all data in transit
  • AES-256 at rest via macOS Keychain and CryptoKit
  • FileVault full-disk encryption required on all devices
  • Encrypted connections to M365, Google Workspace, Dropbox

Sensitive Data Classification

Every product applies purpose-built protections for its highest-stakes data — attorney-client privileged communications in Oryn, and pilot safety records and personal minimums in our aviation systems.

  • Privileged communications detected and classified in real time (Oryn)
  • Pilot education history and safety data protected at the application level
  • Automatic classification at the highest applicable security level
  • Active during AI-assisted processing and document analysis

Credential Management

Oryn uses a zero-trust approach to credential management. No API keys, tokens, or secrets are ever hardcoded in our source code.

  • All credentials stored exclusively in macOS Keychain
  • Centralized, auditable configuration layer
  • Logging system auto-redacts tokens, passwords, and API keys
  • No sensitive values written to any log entry

Access Control

Oryn enforces the principle of least privilege across all system components and integrations, with full lifecycle management for every access grant.

  • OAuth 2.0 authentication for all cloud integrations
  • Comprehensive role-based access control (RBAC)
  • Access restricted by time, location, and device
  • All provisioning and deprovisioning actions logged

Incident Response & Monitoring

We operate under documented controls for incident response and change management, with continuous monitoring and a defined process for addressing security events.

  • Formal incident response policy and documented procedures
  • Regular risk assessments and control reviews
  • Token lifecycle events fully logged and auditable
  • Change management controls across all system components

Document Classification

Document access is governed by security classification, ensuring sensitive materials are available only to authorized personnel — at every stage of the document lifecycle.

  • Security classification governs all document access
  • Sensitive materials restricted to authorized personnel only
  • Client-side encryption via Apple’s CryptoKit framework
  • Protection applied from ingestion through disposal

Wayfolio

Wayfolio processes user-uploaded travel photographs and generates AI-powered destination imagery. This introduces specific security requirements: uploaded content must be screened before storage, user photo libraries must be strictly isolated, and AI-generated content must flow through trusted providers with no model training on user data.

  • AI-powered content moderation screens every upload before storage — prohibited content is never saved
  • CSAM detection triggers mandatory reporting to NCMEC per 18 U.S.C. § 2258A
  • All data is user-scoped — image proxy verifies ownership before serving any content
  • One user cannot access another user’s photographs, metadata, or generated content under any circumstance
  • AI image generation via OpenAI API under data processing terms — no user data used for model training

Content Safety (Wayfolio)

Wayfolio employs automated AI-powered content moderation to screen every uploaded photograph before it is stored on our systems. Prohibited content — including but not limited to CSAM, graphic violence, and illegal activity — is rejected at the point of upload and never written to persistent storage.

  • Pre-storage AI screening on every uploaded image
  • Rejected content never saved to disk or backup systems
  • Detected CSAM is reported to NCMEC per federal law (18 U.S.C. § 2258A)
  • No human review of rejected content during automated screening

Data Isolation (Wayfolio)

Every piece of data in Wayfolio is scoped to the individual user. Our image proxy layer verifies ownership before serving any content, ensuring strict tenant isolation across the platform.

  • All photographs, metadata, and generated content scoped to individual user accounts
  • Image proxy verifies user ownership before serving any asset
  • Cross-user data access is architecturally impossible — not just policy-restricted
  • User deletion requests remove all associated content, metadata, and generated imagery

The same principles, applied to each domain.

Our foundational security controls apply across every product we build. Beyond those, each product family adds the protections specific to the data it handles.

Oryn LPMS (Legal Practice)

When attorneys trust Oryn with their practice, they’re trusting us with their clients’ most sensitive information. Oryn adds a purpose-built layer of protection specific to legal practice obligations.

  • Purpose-built Privilege Engine for real-time detection of privileged communications
  • Trust accounting with double-entry bookkeeping and automated compliance monitoring
  • Attorney-client data classified and access-controlled separately from other records
  • Incident response protocols prioritize notification to meet your ethical obligations to clients
  • Retention schedules aligned with state bar requirements

Ready Path · ClearPath · Proficiency Path · Instructor Station (Aviation Education)

Pilot education records, personal minimums, and flight proficiency data carry their own category of sensitivity — both as private personal data and as information with real safety implications. Our aviation products are built with this in mind.

  • Pilot education history, logbook data, and personal minimums protected at the application level
  • Readiness and flight decision data treated as sensitive personal safety information
  • Instructor access scoped to assigned students only — no cross-student data exposure
  • Encryption and access controls apply identically across all aviation products
  • Same SOC 2-aligned framework, same credential management, same incident response

WaveSuite · CastWave · PostWave · FlowWave (AI-Powered Media Production)

WaveSuite products generate AI-powered content using third-party services — including voice synthesis and script generation. This introduces a distinct security profile: user content flows through external APIs, voice data requires special protection, and connected social media accounts demand secure credential handling.

  • AI-generated content (scripts, audio, posts) encrypted at rest and in transit — treated as user-owned data
  • Third-party AI providers (Anthropic, ElevenLabs) bound by data processing agreements — no model training on user data
  • Voice clone models stored with restricted access and deleted on account closure or user request
  • Social media OAuth tokens stored encrypted with minimal-permission scopes — revocable at any time
  • Content inputs sent to AI services contain no personal contact information — only production-relevant data

Security built by someone who built the standards.

Oryn’s security and compliance program is led by founder Richard Ricketts, who brings decades of experience spanning corporate leadership, international standards development, and legal practice. This is not compliance as a checklist — it is compliance as an expression of the same rigor that goes into developing the standards themselves.

Richard served as Director of Corporate Development at Wajax Limited, and as a committee member on the IFRS Small Business Committee during the development of IFRS for SMEs — the global accounting framework now adopted in over 80 jurisdictions. He has spoken nationally on COSO Internal Control Framework adoption, holds a Juris Doctorate from Seattle University School of Law, and was named a Rising Star by Super Lawyers Magazine in 2013.


Request access to the full document.

The full document details every control, policy, and technical measure we apply to protect your data — from encryption and access control to incident response and vendor management. Currently published for Oryn LPMS; aviation product documentation follows the same framework and is available upon request.

Document: Security & Compliance Commitment
Publisher: Decoded Systems, LLC
Issued: March 2026

Your information is used solely to log document access requests and to follow up with you about our products. We do not sell or share your data.