Information Security Policy

Effective Date: 4 March 2026  |  Last Updated: 4 March 2026  |  Document Reference: OVX-SP-001

1. Commitment to Security

Orvexium (“Company”, “we”, “us”, “our”) operates at the frontier of advanced information security and cryptographic system design. The integrity, confidentiality, and availability of our systems, Website, client data, and research outputs are foundational to our operations and to the trust placed in us by our clients and partners. This Security Policy sets out the technical and operational standards we apply to protect our digital infrastructure and describes our Responsible Disclosure Programme for those who discover potential vulnerabilities.

2. Security Architecture Overview

Orvexium’s security architecture is designed in accordance with the principles of defence in depth, zero-trust networking, and least-privilege access. Our infrastructure is engineered to withstand the sophisticated adversaries that target organisations operating in the advanced information security sector. Our security controls are reviewed and updated continuously in response to emerging threats and advances in cryptographic research.

3. Data Encryption

  • Data in transit: All communications between end users and the Website are protected using TLS 1.3 or higher. Legacy cryptographic protocols (SSLv3, TLS 1.0, TLS 1.1) are disabled across all endpoints;
  • Data at rest: Sensitive data is encrypted at rest using AES-256 or equivalent algorithms with cryptographic key management practices consistent with current NIST guidance;
  • Post-quantum readiness: Orvexium actively monitors NIST post-quantum cryptography standards and incorporates quantum-resistant algorithms into our research and, where appropriate, our production systems;
  • Key management: Cryptographic keys are managed through a dedicated key management system with strict access controls, rotation policies, and audit logging.

4. Access Controls

  • role-based access control (“RBAC”) enforcing the principle of least privilege across all systems;
  • mandatory multi-factor authentication (“MFA”) for all administrative access and for all systems storing or processing sensitive data;
  • privileged access management (“PAM”) controls for administrative and root-level access;
  • regular access reviews to identify and revoke unnecessary permissions;
  • comprehensive audit logging of all privileged operations, with tamper-evident log storage.

5. Network Security

  • network segmentation and micro-segmentation to limit lateral movement;
  • web application firewall (“WAF”) deployment on all public-facing services;
  • intrusion detection and prevention systems (“IDS/IPS”) monitoring network traffic for anomalous behaviour;
  • continuous vulnerability scanning and patch management with defined remediation timelines based on severity;
  • distributed denial-of-service (“DDoS”) protection across all externally accessible infrastructure.

6. Incident Response

Orvexium maintains a documented incident response plan (“IRP”) that governs our procedures for detecting, containing, eradicating, and recovering from security incidents. Key elements include:

  • a dedicated incident response team with clearly defined roles and responsibilities;
  • defined incident severity classifications and escalation procedures;
  • communication protocols for notifying affected parties and regulatory bodies (including the ICO where a personal data breach has occurred) within statutory timeframes;
  • post-incident review procedures to identify root causes and implement preventive measures;
  • annual tabletop exercises and simulated incident response drills.

7. Responsible Disclosure Programme

Orvexium operates a Responsible Disclosure Programme (“RDP”) to facilitate the responsible reporting of security vulnerabilities discovered in our Website, systems, or publicly accessible infrastructure. We are committed to working collaboratively with security researchers who act in good faith and in accordance with the terms of this Programme.

To report a potential security vulnerability, please contact:

We request that all vulnerability reports be submitted by encrypted email where possible. Our PGP public key is available upon request.

8. Disclosure Timeline

Orvexium follows a 90-day coordinated disclosure timeline:

  1. Day 0: Vulnerability report received. Acknowledgement issued within two working days;
  2. Days 1–14: Triage and severity assessment. The reporter is informed of the assessed severity and our intended remediation timeline;
  3. Days 15–75: Development and testing of remediation or mitigation. The reporter is kept informed of progress;
  4. Days 76–90: Remediation deployment. Coordinated disclosure agreed with reporter;
  5. Day 90: Public disclosure. Where remediation cannot be completed within 90 days, we will notify the reporter and agree a reasonable extension in good faith. Where a vulnerability poses an immediate critical risk to third parties, we reserve the right to expedite disclosure.

9. Bug Bounty Statement

Orvexium does not currently operate a public bug bounty programme with financial rewards. We acknowledge all valid vulnerability reports publicly (with the reporter’s consent) and will consider appropriate recognition on a case-by-case basis. We reserve the right to introduce a formal bug bounty programme in the future, details of which will be published on this page.

10. Prohibited Security Research

The following activities are expressly prohibited and will not be considered to fall within the scope of our Responsible Disclosure Programme:

  • accessing, exfiltrating, modifying, or deleting data belonging to Orvexium or its clients;
  • executing or attempting to execute denial-of-service, distributed denial-of-service, or resource exhaustion attacks;
  • conducting social engineering, phishing, vishing, or physical security attacks against Orvexium personnel or facilities;
  • using automated scanners or tools in a manner that generates traffic volumes that degrade service availability;
  • exploiting vulnerabilities beyond what is strictly necessary to confirm their existence;
  • disclosing vulnerability information to any third party prior to coordination and agreement with Orvexium.

Conduct falling within the above categories constitutes a breach of our Acceptable Use Policy (OVX-AUP-001) and may constitute a criminal offence under the Computer Misuse Act 1990.

11. Reporting Vulnerabilities

When submitting a vulnerability report, please include:

  • a clear description of the vulnerability and its potential impact;
  • the affected URL, system component, or service;
  • step-by-step reproduction instructions, including any tools or scripts used;
  • screenshots or proof-of-concept code (where applicable and where no data has been exfiltrated);
  • your contact details for follow-up correspondence.

Orvexium will not initiate legal action against researchers who act in good faith and in compliance with this Policy. We ask that researchers grant us the full 90-day period to remediate before any public disclosure.

12. Contact