Engineered for sensitive health data
LifeOrion is built for the data labs handle every day — patient demographics, orders, results, and reports. Security is part of the architecture, not a layer added later.
LifeOrion protects laboratory and patient data with controls that run on every action, across all three portals. Below is what we have implemented today, and what we are designing toward as we pursue formal certification.
Controls that are live in the platform now
These are present-tense facts about how LifeOrion works today, not aspirations.
Audit logging on every action
Every create, update, and delete is recorded with a full audit trail, so you can reconstruct who changed what and when.
Argon2 credential hashing
User credentials are never stored in plaintext. They are hashed with Argon2, a memory-hard password hashing standard designed to resist brute-force and GPU-based cracking.
Fail-closed JWT sessions
Session security uses JWTs that fail closed: if a token is missing, expired, or otherwise invalid (malformed, or carrying a signature that does not verify), access is denied by default.
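The following is an added illustration of what "fail closed" means for a JWT check, written for this page; it is not LifeOrion's code. It uses only the Python standard library with HS256, and the secret key, claim names, clock-skew allowance, and token lifetime are assumptions. Every branch that is not a full pass (missing token, wrong segment count, undecodable segments, an algorithm other than the one pinned, a bad signature, a missing or past `exp`, a future `nbf`, a missing subject) ends in a denial, and the algorithm is checked before the signature so that a token cannot choose how it is verified.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Hypothetical signing key for this illustration; a real service loads it from a secret store.
SECRET_KEY = b"illustration-only-hs256-key"
ALLOWED_ALG = "HS256"     # exactly one accepted algorithm; "none" and algorithm switching are rejected
CLOCK_SKEW_SECONDS = 30   # tolerance for clock drift between issuer and verifier


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(claims: dict, ttl_seconds: int = 900, now: Optional[int] = None,
                key: bytes = SECRET_KEY) -> str:
    """Mint an HS256 JWT with iat/exp set. Used here to build inputs for verify_token."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(dict(claims, iat=now, exp=now + ttl_seconds)).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: Optional[str], now: Optional[int] = None, key: bytes = SECRET_KEY) -> dict:
    """Return the claims only if every check passes; raise PermissionError on any failure."""
    now = int(time.time()) if now is None else now
    if not token:
        raise PermissionError("missing token")
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        raise PermissionError("undecodable token") from exc
    # Pin the algorithm before looking at the signature: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise PermissionError("unsupported or unsigned algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise PermissionError("bad signature")
    if not isinstance(claims, dict):
        raise PermissionError("malformed claims")
    exp = claims.get("exp")
    # A token with no expiry is treated as expired, not as valid forever.
    if not isinstance(exp, int) or now > exp + CLOCK_SKEW_SECONDS:
        raise PermissionError("expired token")
    nbf = claims.get("nbf")
    if nbf is not None and (not isinstance(nbf, int) or now + CLOCK_SKEW_SECONDS < nbf):
        raise PermissionError("token not yet valid")
    return claims


def check_session(token: Optional[str], now: Optional[int] = None) -> Tuple[bool, str]:
    """Fail-closed gate: (True, subject) only for a fully verified token, else (False, reason)."""
    try:
        claims = verify_token(token, now)
    except PermissionError as exc:
        return False, str(exc)
    subject = claims.get("sub")
    if not isinstance(subject, str) or not subject:
        return False, "missing subject"
    return True, subject


if __name__ == "__main__":
    now = 1_700_000_000
    good = issue_token({"sub": "tech-42", "role": "technologist", "tenant": "lab-a"}, now=now)
    print(check_session(good, now))          # (True, 'tech-42')
    print(check_session(good, now + 1000))   # (False, 'expired token')
    print(check_session(None, now))          # (False, 'missing token')
```

The point to check in any real deployment is the shape of `check_session`: there is exactly one path that returns an allow, and it is reached only after the algorithm, signature, and time claims have all been confirmed.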
Rate limiting
Request rate limiting protects authentication and API endpoints against abuse, credential stuffing, and automated attacks.
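As an added illustration of the kind of limiter a login endpoint needs (written for this page, not LifeOrion's implementation), the sliding-window limiter below keys attempts on both source address and username. The thresholds, window length, and the decision to count blocked attempts are assumptions; the two keys matter because credential stuffing rotates usernames from one address while a password spray hits one username from many addresses, and a limiter with only one key misses one of the two.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class LoginRateLimiter:
    """Sliding-window limiter for a login endpoint, keyed on source IP and on username.

    Hypothetical thresholds for this illustration: 20 attempts per IP and 5 per
    username within a 60-second window.
    """

    def __init__(self, ip_limit: int = 20, user_limit: int = 5, window_seconds: int = 60) -> None:
        self.ip_limit = ip_limit
        self.user_limit = user_limit
        self.window = window_seconds
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _count(self, key: Tuple[str, str], now: float) -> int:
        # Drop timestamps that have aged out of the window, then count what remains.
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        return len(hits)

    def allow(self, ip: str, username: str, now: float) -> Tuple[bool, str]:
        """Call before the password check. Returns (allowed, reason)."""
        ip_key = ("ip", ip)
        user_key = ("user", username.strip().lower())  # case variants share one bucket
        if self._count(ip_key, now) >= self.ip_limit:
            decision = (False, "ip limit")
        elif self._count(user_key, now) >= self.user_limit:
            decision = (False, "user limit")
        else:
            decision = (True, "ok")
        # Blocked attempts are recorded too, so a client that keeps hammering stays blocked.
        self._hits[ip_key].append(now)
        self._hits[user_key].append(now)
        return decision


def run_attempts(limiter: LoginRateLimiter, attempts: List[Tuple[str, str, float]]) -> List[str]:
    """Feed (ip, username, timestamp) tuples through the limiter and return the reasons."""
    return [limiter.allow(ip, user, now)[1] for ip, user, now in attempts]


if __name__ == "__main__":
    lim = LoginRateLimiter()
    # Constructed sample: a password spray against "alice" from seven addresses.
    print(run_attempts(lim, [(f"198.51.100.{i}", "alice", 0.0) for i in range(7)]))
    # Constructed sample: credential stuffing from one address across 22 usernames.
    print(run_attempts(lim, [("203.0.113.9", f"user{i}", 10.0) for i in range(22)]))
```

Because the limiter runs before the password is checked, an over-limit attempt never reaches the Argon2 verification, which keeps the expensive hash from becoming a denial-of-service lever as well.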
RBAC across all three portals
Role-based access control governs the SuperAdmin, client, and partner portals, so each user acts only on what their role permits.
Encryption
Data is encrypted to protect its confidentiality across the platform.
Soft-delete with Trash & Restore
Deletions are recoverable. Records move to Trash and can be restored — individually or in bulk — across all entities.
Multi-region support
Multi-region deployment lets you keep data in the geography that fits your operational and regulatory requirements.
Where we are headed on formal compliance
The items below are not yet earned certifications. They describe frameworks LifeOrion is architected to support and the certifications on our roadmap. We update this page as each is achieved.
SOC 2 Type II
On our roadmap
We are building toward a SOC 2 Type II examination of our security, availability, and confidentiality controls.
HIPAA
Designed to support
LifeOrion is designed to support HIPAA-aligned handling of protected health information, including audit trails, access controls, and encryption. A Business Associate Agreement (BAA) is on our roadmap.
ISO 27001
On our roadmap
We are aligning our information security management practices toward ISO 27001 certification.
CLIA / CAP
Designed to support
LifeOrion is built for the workflows of CLIA- and CAP-certified laboratories, including controlled result verification, QC, and report release.
21 CFR Part 11
Designed to support
Our audit logging, access controls, and controlled record lifecycle are designed to support 21 CFR Part 11 electronic-records and electronic-signature workflows.
Where a framework is described as 'designed to support,' it reflects architectural alignment, not a completed certification or attestation.
Least privilege by design, with a complete record of every change
Access is scoped, isolated by tenant, and fully auditable.
LifeOrion enforces role-based access control across the SuperAdmin, client, and partner portals. Permissions follow a least-privilege model: users get the access their role requires and nothing more, with site-scoped views keeping staff within their assigned context.
The platform is multi-tenant, with tenant isolation separating each lab's data. Operators, labs, and partners work in the same platform without seeing one another's records. Franchisees can run under full white-labeling while their data stays isolated.
Every create, update, and delete is captured in an end-to-end audit trail. Combined with soft-delete and Trash & Restore, this gives QA and compliance teams a defensible record of activity and a path to recover from mistakes.
- Role-based access control across all three portals
- Tenant isolation for every lab's data
- End-to-end audit trail on every change
- Soft-delete with single and bulk restore
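The four controls listed above (role-based access, tenant isolation, an audit trail on every change, and soft-delete with restore) interact, and the added example below shows one way they fit together. It is an illustration written for this page, not LifeOrion's code: the role names, permission strings, the `Order` entity, and the decision to report a cross-tenant denial as "not found" are all assumptions. The behaviour to look for is that an unknown role gets nothing, a cross-tenant request is indistinguishable from a missing record, a soft-deleted row disappears from live reads but stays in Trash, a bulk restore fails closed if any id is out of scope, and every denied attempt lands in the audit log alongside the successes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Hypothetical role matrix for this illustration; the page does not publish LifeOrion's real roles or rights.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "superadmin":   {"order:read", "order:write", "order:delete", "order:restore", "tenant:any"},
    "lab_manager":  {"order:read", "order:write", "order:delete", "order:restore"},
    "technologist": {"order:read", "order:write"},
    "partner":      {"order:read"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    tenant_id: str


@dataclass
class Order:
    order_id: str
    tenant_id: str
    patient_ref: str
    deleted: bool = False


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    action: str
    order_id: str
    tenant_id: str
    outcome: str


class OrderStore:
    """In-memory order store that enforces role and tenant checks and records every outcome."""

    def __init__(self) -> None:
        self.orders: Dict[str, Order] = {}
        self.audit: List[AuditEvent] = []

    def _record(self, who: Principal, action: str, order_id: str, tenant_id: str, outcome: str) -> None:
        self.audit.append(AuditEvent(who.user_id, action, order_id, tenant_id, outcome))

    def _authorize(self, who: Principal, action: str, order: Order) -> None:
        perms = ROLE_PERMISSIONS.get(who.role, set())  # unknown role: empty set, everything denied
        if action not in perms:
            self._record(who, action, order.order_id, order.tenant_id, "denied:role")
            raise PermissionError(f"{who.role} may not {action}")
        if order.tenant_id != who.tenant_id and "tenant:any" not in perms:
            self._record(who, action, order.order_id, order.tenant_id, "denied:tenant")
            # Same error as a missing record, so a caller cannot probe another tenant's IDs.
            raise LookupError("order not found")

    def _lookup(self, who: Principal, order_id: str, action: str) -> Order:
        order = self.orders.get(order_id)
        if order is None:
            self._record(who, action, order_id, who.tenant_id, "denied:missing")
            raise LookupError("order not found")
        self._authorize(who, action, order)
        return order

    def create(self, who: Principal, order_id: str, patient_ref: str) -> Order:
        # New records always land in the actor's own tenant; the caller cannot pick another.
        order = Order(order_id, who.tenant_id, patient_ref)
        self._authorize(who, "order:write", order)
        self.orders[order_id] = order
        self._record(who, "order:create", order_id, order.tenant_id, "ok")
        return order

    def read(self, who: Principal, order_id: str) -> Order:
        order = self._lookup(who, order_id, "order:read")
        if order.deleted:  # live views never show soft-deleted rows
            self._record(who, "order:read", order_id, order.tenant_id, "denied:trashed")
            raise LookupError("order not found")
        self._record(who, "order:read", order_id, order.tenant_id, "ok")
        return order

    def soft_delete(self, who: Principal, order_id: str) -> None:
        order = self._lookup(who, order_id, "order:delete")
        order.deleted = True  # flag only; the row and its history stay recoverable
        self._record(who, "order:delete", order_id, order.tenant_id, "ok")

    def restore(self, who: Principal, order_ids: List[str]) -> List[str]:
        """Bulk restore: every id is authorized individually and the whole batch fails closed."""
        orders = [self._lookup(who, oid, "order:restore") for oid in order_ids]
        restored = []
        for order in orders:
            if order.deleted:
                order.deleted = False
                restored.append(order.order_id)
                self._record(who, "order:restore", order.order_id, order.tenant_id, "ok")
        return restored

    def trash(self, who: Principal) -> List[str]:
        """Trash view: only the caller's own tenant, unless the role carries tenant:any."""
        cross_tenant = "tenant:any" in ROLE_PERMISSIONS.get(who.role, set())
        return [o.order_id for o in self.orders.values()
                if o.deleted and (cross_tenant or o.tenant_id == who.tenant_id)]


def attempt(op: Callable[..., object], *args: object) -> str:
    """Run one store operation and report its outcome as a string."""
    try:
        op(*args)
        return "ok"
    except PermissionError:
        return "forbidden"
    except LookupError:
        return "not found"
```

A useful due-diligence question against any real implementation is whether denials are written to the same audit trail as successes; a log that records only completed changes cannot show an attempted cross-tenant read.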
See the architecture in detail
We'll walk your security, IT, and QA teams through our controls, data model, and compliance roadmap, and answer your due-diligence questions directly.