How Orpheus Labs handles, stores, and secures research and operational data — in compliance with GDPR and Swiss nDSG.
This document describes the data protection architecture of Orpheus Labs SA. It is intended for institutional partners, ethics committees, regulatory bodies, and research participants who require a comprehensive understanding of how data is handled across our operations.
Orpheus Labs operates under Swiss jurisdiction and is subject to the revised Federal Act on Data Protection (nDSG, in force 1 September 2023). As a research institution with EU-based partners and participants, we also comply fully with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
Our data protection practices are audited annually by an independent external auditor. The most recent audit was completed in October 2024 with no material findings.
All data held by Orpheus Labs is classified under one of four tiers:
| Tier | Classification | Examples | Encryption and controls |
|---|---|---|---|
| T1 | Public | Published papers, website content | TLS in transit |
| T2 | Internal | Staff communications, admin data | AES-256 at rest + TLS |
| T3 | Confidential | Research protocols, partner data | AES-256 + access log |
| T4 | Restricted | Subject data, neural scan archives | AES-256 + MFA + air-gap |
All Orpheus Labs data is hosted on infrastructure physically located in Switzerland. We do not use public cloud providers for Tier 3 or Tier 4 data. Our primary data centre is located at our Geneva facility; a secondary backup facility is operated in Zurich. Both facilities are ISO 27001 certified.
Tier 4 data (restricted research archives) is stored on air-gapped systems with no external network connectivity. Access requires physical presence, biometric authentication, and dual-person authorisation.
Access to data systems follows the principle of least privilege. All access is role-based and reviewed quarterly. Multi-factor authentication is mandatory for all staff accessing Tier 2 and above. All access events are logged, monitored, and retained for 24 months.
Where research collaboration requires data sharing with international partners, transfers are governed by Data Processing Agreements (DPAs) incorporating standard contractual clauses. No Tier 4 data is ever transferred outside the Orpheus Labs infrastructure.
In the event of a suspected data breach, our incident response protocol (OL-SEC-IRP) is activated immediately. The DPO is notified within 1 hour. If the breach involves personal data, affected individuals and the FDPIC are notified within 72 hours as required by nDSG and GDPR. All incidents are documented and reviewed in our quarterly security report.
All research participant data is pseudonymised at the point of collection. The mapping key linking pseudonyms to real identities is held separately under Tier 4 controls and accessible only to the Principal Investigator and DPO. Raw neural scan data and consciousness mapping archives are subject to additional handling protocols defined in document OL-DATA-NEURO-2.
NOTE: Access to research data archives requires written approval from the Principal Investigator, DPO, and IEC Chair. Requests should be submitted to access@orpheus-labs.com with reference to the relevant protocol identifier.
Our Data Protection Officer is responsible for overseeing compliance with this framework and serves as the primary contact for all data protection enquiries.