Built to recognized standards.
Honest about where we are.
Olto Discovery, operated by Velora Biotech LLC, implements the technical controls defined by leading U.S. security frameworks. Below is exactly how far along each one is — including the work that remains.
A note on honesty. The statuses below are our own engineering self-assessments, not third-party attestations. We are not currently certified or authorized under any of these frameworks. We tell you this plainly because trust is earned by accuracy, not by badges: the same principle that makes a reproducible protocol worth publishing.
Self-assessed ~92%. Row-level security (RLS) enforced by the database engine, NIST AAL2 multi-factor authentication, validated uploads, durable rate limits, and CSRF, XSS, SSRF and open-redirect protections are in place.
CI runs static analysis, secret scanning, dependency audit, and SBOM generation on every change, with code-owner review on security-critical paths.
Multi-factor authentication is enforced fail-closed at the edge; recovery codes are single-use and stored only as hashes. Passkey support is on the roadmap.
No trusted internal network: every request is authenticated and authorized per-session, with authorization enforced at the data engine as the last line of defense.
All cryptography uses FIPS-approved algorithms through a single audited module, written so that it can run against a FIPS 140-validated provider. Using approved algorithms is not the same as running a validated module; module validation is a hosting milestone.
The technical controls across access, audit, identity, system protection, and integrity are implemented and mapped. Written policies and assessment remain.
Technical controls largely map to the baseline. A defined CUI boundary, policies, and a System Security Plan are prerequisites before any CUI is processed.
Identify / Protect / Detect / Respond functions are well-covered by implemented controls; the Govern function (formal policy and risk governance) is the active gap.
Technical practices are substantially in place. Certification requires written policies, a System Security Plan, a POA&M, and a C3PAO assessment.
Early readiness. Authorization requires a FedRAMP-authorized hosting boundary, continuous monitoring, a 3PAO assessment, and an agency ATO — a funded, multi-quarter program.
How we back it up
Alignment isn't a slide. These are the mechanisms running in production and in our build pipeline today.
Over 200 row-level security policies across 40+ tables gate every row at PostgreSQL itself — not just in application code — so an app-layer bug cannot silently cross tenants.
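The mechanism described above, as an added example that is not Olto Discovery's schema or code: a tenant-isolation policy in PostgreSQL that fails closed when no tenant context is set, followed by the two checks a reviewer should run against a real deployment. The role name app_user, the table documents and the session setting app.tenant_id are assumptions made for the illustration.

```sql
-- Added example, not the project's schema. Assumed names: role app_user,
-- table documents, session setting app.tenant_id.

-- The role the application connects as. It must not own the table, be a
-- superuser, or carry BYPASSRLS: all three bypass row-level security.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid      NOT NULL,
    title     text      NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

-- ENABLE turns RLS on; FORCE makes it apply to the table owner too, so a
-- migration or maintenance job running as the owner cannot cross tenants.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-session setting that the application writes
-- from the authenticated session after connecting. NULLIF covers both an
-- absent setting (NULL) and a reset one (''): a comparison against NULL is
-- never true, so a request with no tenant context can neither read nor
-- write any row. The policy fails closed.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Smoke test with constructed data, run as the application role.
SET ROLE app_user;
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'tenant A doc');
SET app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO documents (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'tenant B doc');

-- With tenant A selected, the USING clause hides tenant B's row.
SET app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT title FROM documents;

-- A cross-tenant write is refused by WITH CHECK even though app_user holds
-- INSERT on the table; the engine reports a row-level security violation.
INSERT INTO documents (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');

-- With no tenant context at all, nothing is visible.
RESET app.tenant_id;
SELECT count(*) FROM documents;
RESET ROLE;

-- Check 1: every ordinary table in the schema has RLS both enabled and
-- forced. Any table this returns is one an application bug can still cross.
SELECT c.relname
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'public' AND c.relkind = 'r'
   AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Check 2: the application role cannot bypass RLS. Must return zero rows.
SELECT rolname FROM pg_roles
 WHERE rolname = 'app_user' AND (rolsuper OR rolbypassrls);
```

The two checks at the end are the part worth wiring into CI: a single table created without ENABLE plus FORCE, or an application role accidentally granted BYPASSRLS, silently removes the "last line of defense" for that table no matter how many policies exist elsewhere.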
Type-checking, 3,000+ automated tests, linting, and a production build must pass before code ships. A dedicated test asserts that no data-changing route is reachable without authentication.
Static analysis with rules mapped to the OWASP Top Ten, secret scanning, dependency vulnerability audits, and software bill of materials (SBOM) generation run automatically on every change, and re-run on a weekly schedule so that vulnerabilities disclosed after a change shipped are still caught.
All cryptographic operations flow through one audited module using only FIPS-approved algorithms, with an automated guardrail that blocks weak algorithms from entering the codebase.
Security-relevant actions are recorded through a privileged path that user sessions cannot forge or suppress, retained on a defined schedule.
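The privileged audit path described above, as an added example that is not Olto Discovery's schema or code: in PostgreSQL the application role is given no direct access to the audit table, the only write path is a SECURITY DEFINER function that stamps the entry itself, and a trigger refuses updates for everyone including the owner. The names app_user, security_audit, record_audit and the setting app.user_id are assumptions made for the illustration.

```sql
-- Added example, not the project's schema. Assumed names: role app_user,
-- table security_audit, function record_audit, session setting app.user_id.

CREATE TABLE security_audit (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    db_role     text        NOT NULL,
    app_user_id text,
    action      text        NOT NULL,
    detail      jsonb
);

-- The application role gets no direct access at all: it cannot insert a
-- forged entry, cannot edit one, and cannot delete one.
REVOKE ALL ON security_audit FROM PUBLIC;
REVOKE ALL ON security_audit FROM app_user;

-- The one write path. SECURITY DEFINER runs the body with the privileges of
-- the function's owner (the table owner), not the caller. The pinned
-- search_path stops a caller from substituting objects the body references.
-- The timestamp (column default) and the connection's login role are taken
-- inside the function, so the caller cannot backdate or mislabel an entry.
CREATE FUNCTION record_audit(p_action text, p_detail jsonb DEFAULT NULL)
RETURNS bigint
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
    INSERT INTO security_audit (db_role, app_user_id, action, detail)
    VALUES (session_user::text,
            NULLIF(current_setting('app.user_id', true), ''),
            p_action, p_detail)
    RETURNING id;
$$;
-- Functions are EXECUTE-able by PUBLIC by default; take that away first.
REVOKE ALL ON FUNCTION record_audit(text, jsonb) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION record_audit(text, jsonb) TO app_user;

-- No row is ever rewritten, by anyone, including the owner. DELETE is simply
-- not granted to app_user; the retention job runs as the owner on schedule.
CREATE FUNCTION security_audit_no_update() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'security_audit rows are immutable';
END
$$;
CREATE TRIGGER security_audit_immutable
    BEFORE UPDATE ON security_audit
    FOR EACH ROW EXECUTE FUNCTION security_audit_no_update();

-- Smoke test as the application role, with constructed input.
SET ROLE app_user;
SET app.user_id = 'user-42';
SELECT record_audit('mfa.recovery_code.used', '{"remaining": 7}'::jsonb);
-- Direct writes and deletes are refused with a permission error.
INSERT INTO security_audit (db_role, action) VALUES ('app_user', 'forged');
DELETE FROM security_audit;
RESET ROLE;
-- Even the owner cannot rewrite history: the trigger raises.
UPDATE security_audit SET action = 'nothing happened';

-- Check: app_user holds no table privilege on the audit log. Must be empty.
SELECT privilege_type FROM information_schema.role_table_grants
 WHERE table_name = 'security_audit' AND grantee = 'app_user';
```

Two details matter in practice. First, SECURITY DEFINER without a pinned search_path is a privilege-escalation hazard, since the caller controls which objects unqualified names resolve to. Second, the app_user_id column is only as trustworthy as the application code that sets app.user_id from the verified session; the database-level guarantee is that a session holding only the app role cannot add, alter or remove entries except through the one function.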
An external OWASP ZAP dynamic scan, an automated scanner rather than a manual penetration test, returned zero critical or high findings, complementing six internal security-audit cycles.
Questions, or need our control mappings?
We maintain detailed control-to-evidence mappings (NIST 800-53/171, CSF 2.0, ASVS, SSDF) for security reviews. Security researchers can report issues through our responsible disclosure policy.