Digital Sovereignty and Data Protection in the DORG Ecosystem

No access to your data. Ever. The new CyberSecurity Approach Document explains how the DORG ecosystem ensures digital sovereignty and AI security, built into the architecture...

DORG Society Foundation has released the CyberSecurity Approach Document — a detailed reference that illustrates how the DORG ecosystem protects customer data, ensures digital sovereignty, and addresses AI-specific security challenges.

Key points

Your data stays in your infrastructure. In the Private Cloud deployment model, all customer data remains within their Azure environment. DORG SRL has no access to the customer’s environment or data — neither during operations, nor for support, nor for analysis.

Three-level pseudonymization for ethical oversight. The limited metadata that flows to DORG Society for ethical monitoring goes through three levels of pseudonymization. Personal identifiers, response content, raw data, and special categories of personal data are explicitly excluded from this flow.

No anonymous access — ever. Every interaction requires a verified identity through Microsoft Entra ID. All users and DORG itself must be registered identities in the organization’s directory. No anonymous or unregistered interaction is possible.

Three-level access control. The architecture enforces controls at the competence level (which roles can invoke which capabilities), at the data level (which information sources each role can access), and at the output level (which actions can be performed and by whom).

Full customer sovereignty. The customer maintains exclusive ownership of all their data, configurations, and custom competencies. Upon contract termination, all data remains in the customer’s environment. DORG SRL retains no copies.

Awareness of AI-specific threats. The document addresses security risks characteristic of AI systems: hallucination risk, data exposure to LLM providers, competence compromise through supply chain attacks, prompt injection techniques, and MCP poisoning scenarios.

Built on the NIST Cybersecurity Framework 2.0

The document is structured according to the NIST CSF 2.0 taxonomy, providing a systematic and internationally recognized approach to cybersecurity. The six core functions are addressed as follows:

Govern — Cybersecurity governance is distributed across the tripartite model. Roles and responsibilities are clearly assigned: DORG SRL ensures software security, DORG Society monitors ethical compliance, and the customer organization manages its own infrastructure and operations. The Human Oversight Supervisor (HOS) serves as the operational point of reference within each organization.

Identify — Covers asset inventory for DORG deployments, AI system-specific risk assessment, classification of data processed by DORG, mapping of standard data flows across all four primary flows (internal, LLM provider, ethical oversight, activation verification), and threat modeling for AI-specific attack vectors.

Protect — Addresses identity management through Entra ID integration, pre-LLM authorization architecture that enforces access controls before any AI processing begins, data security at both software and infrastructure levels, and security training for Human Oversight Supervisors.

Detect — Includes continuous monitoring through comprehensive telemetry, anomaly detection for AI-specific behaviors (hallucination patterns, unexpected competence invocations, confidence threshold breaches), and security event logging across all system levels.

Respond — Defines incident response procedures integrating DORG-specific scenarios, mutual breach notification obligations within 24 hours between ecosystem entities, and escalation protocols calibrated to incident severity.

Recover — Covers operational continuity, including implications of the conditional activation mechanism and recovery procedures following security incidents.
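An added example (not DORG's code) of how a pre-LLM authorization gate can enforce the verified-identity requirement and the three control levels described above (competence, data, output) before a request ever reaches the model; the roles, competences, data sources and actions are constructed placeholders.

```python
"""Pre-LLM authorization gate with three control levels (added illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    competences: Dict[str, Tuple[str, ...]]   # level 1: role -> competences it may invoke
    data_sources: Dict[str, Tuple[str, ...]]  # level 2: role -> sources it may read
    actions: Dict[str, Tuple[str, ...]]       # level 3: role -> output actions it may trigger


@dataclass(frozen=True)
class Request:
    identity: Optional[str]   # verified directory principal; None models an anonymous caller
    role: str
    competence: str
    sources: Tuple[str, ...]
    action: str


def authorize(policy: Policy, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check runs before any AI processing."""
    if not req.identity:                       # identity gate: no anonymous interaction
        return False, "anonymous request rejected"
    if req.competence not in policy.competences.get(req.role, ()):   # level 1
        return False, f"role {req.role} may not invoke {req.competence}"
    denied = [s for s in req.sources if s not in policy.data_sources.get(req.role, ())]
    if denied:                                                       # level 2
        return False, f"role {req.role} may not read {denied}"
    if req.action not in policy.actions.get(req.role, ()):           # level 3
        return False, f"role {req.role} may not perform {req.action}"
    return True, "allowed"


def handle(policy: Policy, req: Request, llm: Callable[[Request], str]) -> dict:
    """Invoke the model only after a full allow decision; denials never reach it."""
    allowed, reason = authorize(policy, req)
    if not allowed:
        return {"status": "denied", "reason": reason}
    return {"status": "ok", "result": llm(req)}


# Constructed sample policy (placeholder roles and competences, not from the page)
POLICY = Policy(
    competences={"analyst": ("summarize_ticket",),
                 "manager": ("summarize_ticket", "draft_reply")},
    data_sources={"analyst": ("ticket_db",), "manager": ("ticket_db", "hr_records")},
    actions={"analyst": ("display",), "manager": ("display", "send_email")},
)
```

The point of the ordering is that a denial at any level short-circuits before the model is called, so the LLM never sees data the caller was not entitled to.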

A Shared Responsibility

As with compliance, cybersecurity in the DORG ecosystem is a shared responsibility with clear boundaries. DORG SRL integrates security into the software. The customer organization protects its own infrastructure and operations. Neither can delegate to the other — and both are accountable within their own domain.


The CyberSecurity Approach Document is available to DORG Agency customers and interested organizations upon request.
