Trust Center.

Transparency is a contractual expectation for calibration and quality teams, not a marketing posture. This page summarises how Montford Orbis Limited operates CalBrix OS, how we treat Customer data, and where to find the underlying documentation.

Effective date: April 22, 2026 · Last reviewed: April 22, 2026
Publisher: Montford Orbis Limited

01. Publisher and product

CalBrix OS is published and operated by Montford Orbis Limited. The Service is used by regulated calibration laboratories, industrial quality teams, and multi-site operations that are subject to accreditation standards (ISO/IEC 17025, ISO 9001, IATF 16949, AS9100) and, where applicable, electronic-records requirements such as FDA 21 CFR Part 11.

Every control we deliver is designed so that it can be evidenced during an audit, a quality review, or a procurement questionnaire. Documentation is versioned, linked, and kept consistent with the behaviour of the running Service.

02. Operating principles

  • Least privilege by default — access to production, customer data, and sensitive configuration is granted to the minimum set of identified personnel.
  • Verifiable controls over novelty — we prefer well-understood mechanisms (encrypted backups with periodic test restoration, role-based access control, signed releases, cryptographically linked audit trails) over bespoke ones.
  • Separation of concerns — marketing, product, legal, and operational claims are each owned by the document that is contractually binding; promotional pages do not grant rights.
  • Customer data is the Customer’s asset — we do not train third-party models on Customer Data, we do not sell Customer Data, and we do not create derivative datasets for unrelated Customers.

03. Platform posture

  • Production hosting is located in European Union data-centre infrastructure by default. Single-tenant or on-premise deployment is available on request for Customers with data-residency or air-gap requirements.
  • All external traffic is served over TLS 1.2 or higher with HSTS and modern cipher suites only. Internal service-to-service traffic is private or localhost-scoped.
  • Application hardening includes a Web Application Firewall with the OWASP Core Rule Set, abuse-detection feeds, rate limiting, and fail2ban jails on sensitive endpoints.
  • Immutable, cryptographically linked audit trail across operational records, with user identity, timestamp, action, and context captured for each event.

04. Compliance alignment

CalBrix OS is designed to meet the documentation and operational expectations of ISO/IEC 17025, ISO 9001, IATF 16949, AS9100, FDA 21 CFR Part 11, and the GUM uncertainty framework. Montford Orbis does not hold itself out as certifying, accrediting, or attesting to the Customer’s own compliance status. Accreditation, regulatory approvals, and the acceptability of records to any regulator, notified body, or auditor remain the Customer’s responsibility.

We publish plainly what we do and do not hold, and we update that position as independent attestations are obtained. SOC 2 Type I is a tracked programmatic objective; we are targeting a Type I assessment in Q3 2026. Progress will be reflected on this page and in the long-form security documentation when available.

05. Data handling and Customer control

  • Customer retains ownership of Customer Data at all times. Montford Orbis acts as a processor on the Customer’s documented instructions under the Data Processing Agreement.
  • Export in a structured, machine-readable format is available to Customer administrators throughout the subscription and for a defined period after termination.
  • Deletion on termination is executed in accordance with the retention schedule published at /privacy; backups age out within the published retention window.
  • Data-subject requests received directly by Montford Orbis are routed to the relevant Customer as controller.

06. Responsible use of artificial intelligence

Where the Service incorporates artificial-intelligence or automation features, those features are designed to assist qualified personnel, not to replace them. Outputs produced with AI assistance remain subject to the Customer’s review, approval, and quality controls. Montford Orbis does not use Customer Data to train third-party foundation models and does not create derivative datasets that would be shared with unrelated Customers.

07. Supply chain and sub-processors

Montford Orbis engages sub-processors only where necessary for the Service, under written agreements imposing equivalent data-protection and security obligations. The current sub-processor list is available to Customers on written request via the Data Processing Agreement, and is updated with advance notice before any material addition.

08. Documentation index

  • Security Statement — /security
  • Privacy Policy — /privacy
  • Data Processing Agreement — /dpa
  • Terms of Service — /terms
  • Compliance coverage (ISO/IEC 17025, ISO 9001, GUM, FDA 21 CFR Part 11, IATF 16949, AS9100) — /compliance
  • Public status — status.calbrixos.com

09. Requesting documentation or a security review

Customers and prospects engaged in procurement, accreditation, or an internal security review may request the long-form security documentation, the most recent penetration-test attestation letter, a vendor security-questionnaire response, or a signed copy of the Data Processing Agreement by writing to philip.montford@calbrixos.com. Requests are handled by the founding engineer in the capacity of technical and security lead.

Questions about this document?

This page is published by Montford Orbis Limited in connection with the CalBrix OS service. For clarifications, long-form versions required for procurement or audit review, or to request a signed copy, write to the founder directly.
