Our Commitment

Security as a design principle across every product we build.

From Oryn's attorney-client privilege engine to the flight education data in Ready Path and ClearPath — every Decoded Systems product is built with security as a foundational principle, not an afterthought. Our practices are designed to align with the AICPA's SOC 2 Trust Service Criteria across all five categories.

SOC 2 Posture

Decoded Systems' security framework is designed in alignment with SOC 2 Trust Service Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. We maintain formal information security policies, conduct regular risk assessments, and operate under documented controls for access management, incident response, change management, and data protection across all our products. We are pursuing formal SOC 2 Type II attestation and will make our audit report available upon completion.

Encryption & Data Protection

Every piece of data that flows through Oryn is protected by multiple layers of security controls, from the moment it enters the system through storage, synchronization, and eventual disposal.

TLS 1.2+ encryption for all data in transit
AES-256 at rest via macOS Keychain and CryptoKit
FileVault full-disk encryption required on all devices
Encrypted connections to M365, Google Workspace, Dropbox

Sensitive Data Classification

Every product applies purpose-built protections for its highest-stakes data — attorney-client privileged communications in Oryn, and pilot safety records and personal minimums in our aviation systems.

Privileged communications detected and classified in real time (Oryn)
Pilot education history and safety data protected at the application level
Automatic classification at the highest applicable security level
Active during AI-assisted processing and document analysis

Credential Management

Oryn uses a zero-trust approach to credential management. No API keys, tokens, or secrets are ever hardcoded in our source code.

All credentials stored exclusively in macOS Keychain
Centralized, auditable configuration layer
Logging system auto-redacts tokens, passwords, and API keys
No sensitive values written to any log entry

Access Control

Oryn enforces the principle of least privilege across all system components and integrations, with full lifecycle management for every access grant.

OAuth 2.0 authentication for all cloud integrations
Comprehensive role-based access control (RBAC)
Access restricted by time, location, and device
All provisioning and deprovisioning actions logged

Incident Response & Monitoring

We operate under documented controls for incident response and change management, with continuous monitoring and a defined process for addressing security events.

Formal incident response policy and documented procedures
Regular risk assessments and control reviews
Token lifecycle events fully logged and auditable
Change management controls across all system components

Document Classification

Document access is governed by security classification, ensuring sensitive materials are available only to authorized personnel — at every stage of the document lifecycle.

Security classification governs all document access
Sensitive materials restricted to authorized personnel only
Client-side encryption via Apple's CryptoKit framework
Protection applied from ingestion through disposal

Product-Specific Commitments

The same principles, applied to each domain.

Our foundational security controls apply across every product we build. Beyond those, each product family adds the protections specific to the data it handles.

Legal Practice

Oryn LPMS

When attorneys trust Oryn with their practice, they're trusting us with their clients' most sensitive information. Oryn adds a purpose-built layer of protection specific to legal practice obligations.

Purpose-built Privilege Engine for real-time detection of privileged communications
Trust accounting with double-entry bookkeeping and automated compliance monitoring
Attorney-client data classified and access-controlled separately from other records
Incident response protocols prioritize notification to meet your ethical obligations to clients
Retention schedules aligned with state bar requirements

Aviation Education

Ready Path · ClearPath · Proficiency Path · Instructor Station

Pilot education records, personal minimums, and flight proficiency data carry their own category of sensitivity — both as private personal data and as information with real safety implications. Our aviation products are built with this in mind.

Pilot education history, logbook data, and personal minimums protected at the application level
Readiness and flight decision data treated as sensitive personal safety information
Instructor access scoped to assigned students only — no cross-student data exposure
Encryption and access controls apply identically across all aviation products
Same SOC 2-aligned framework, same credential management, same incident response

AI-Powered Media Production

WaveSuite · CastWave · PostWave · FlowWave

WaveSuite products generate AI-powered content using third-party services — including voice synthesis and script generation. This introduces a distinct security profile: user content flows through external APIs, voice data requires special protection, and connected social media accounts demand secure credential handling.

AI-generated content (scripts, audio, posts) encrypted at rest and in transit — treated as user-owned data
Third-party AI providers (Anthropic, ElevenLabs) bound by data processing agreements — no model training on user data
Voice clone models stored with restricted access and deleted on account closure or user request
Social media OAuth tokens stored encrypted with minimal-permission scopes — revocable at any time
Content inputs sent to AI services contain no personal contact information — only production-relevant data

Security built by someone who built the standards.

Oryn's security and compliance program is led by founder Richard Ricketts, who brings decades of experience spanning corporate leadership, international standards development, and legal practice. This is not compliance as a checklist — it is compliance as an expression of the same rigor that goes into developing the standards themselves.

Richard served as Director of Corporate Development at Wajax Limited, and as a committee member on the IFRS Small Business Committee during the development of IFRS for SMEs — the global accounting framework now adopted in over 80 jurisdictions. He has spoken nationally on COSO Internal Control Framework adoption, holds a Juris Doctorate from Seattle University School of Law, and was named a Rising Star by Super Lawyers Magazine in 2013.

SOC 2 Alignment
COSO Framework
IFRS Standards
JD · Seattle University
Super Lawyers Rising Star 2013
IMA Membership Awards