Trust Center

Trust & compliance

Last updated: May 9, 2026

Everything your security, IT, and legal teams need to evaluate McPortal. If something you need isn’t here, email us — see the contacts at the bottom of the page.

Security

Envelope encryption for OAuth tokens, per-tool permissions, audit logging, infrastructure detail.

Privacy

What we collect, how we use it, retention, cookies, your rights.

Data Processing Agreement

GDPR Art. 28, EU SCCs, UK Addendum, CCPA service-provider terms. Available on request.

Sub-processors

Live, dated list of third parties that process customer data. 30-day notice before changes.

Compliance status

The honest version, kept current:

GDPR / UK GDPR. DPA, EU Standard Contractual Clauses (Module 2), and the UK Addendum available on request. See /dpa.
CCPA. We act as a service provider; we do not sell or share personal information. Service-provider terms are included in our DPA.
HIPAA. Not in scope. McPortal is not a HIPAA Business Associate and we do not sign BAAs at this time.

Reporting a vulnerability

Email security@orchestrategies.com. We acknowledge within two business days. See the security page for the full responsible-disclosure note.

Contacts

Security incidents and vulnerability reports: security@orchestrategies.com
Privacy and data subject requests: privacy@orchestrategies.com
DPA, contracts, and procurement: legal@orchestrategies.com
Sub-processor change subscriptions: trust@orchestrategies.com