Ordinis
Private alpha · Engineered in Zürich · Mapped to FINMA Circular 2023/1 controls

Governance, risk and compliance for FINMA-supervised firms.

One platform for risks, incidents, access requests, change workflows and audit evidence.

Unify the work your second-line team already does into a single audit trail. AI stays suggestion-only. Humans approve critical decisions. Engineered in Zürich. Hosted in Switzerland.

  • Engineered in Zürich: Product, team and hosting in Switzerland
  • Private alpha: NDA-based evaluation only
  • FINMA 2023/1: Mapped control catalogue

One real workflow

From access request to audit trail — in one system.

What a second-line team usually spreads across a ticketing tool, a compliance sheet, and a mailbox, Ordinis runs as a single traceable flow.

  1. Initiate

    Access request filed

    An operator requests a permission or scope change. Context, business justification, and linked entities are captured at the source.

  2. Validate

    SoD + policy check

    Segregation-of-duties validators run before anything is approved. Conflicts block the request with a traceable reason.

  3. Assist

    AI suggestion (not decision)

    Ordinis suggests routing, flags adjacent risk, and surfaces prior approvals. The suggestion is an audit row — it never mutates state.

  4. Approve

    Human sign-off

    The accountable approver accepts or rejects with a reason. Dual-control and escalation rules apply where the policy requires them.

  5. Record

    Evidence + audit chain

    Decision, supporting evidence (hash-pinned), and downstream notifications land in an append-only audit trail that auditors can read directly.

The same pattern runs incidents, change requests, policy attestations, and risk recalculation proposals. Event propagation, evidence handling, and the audit chain are shared — no parallel ledgers.

Three flow maps · interactive

Three views of how Ordinis works.

The three maps follow risk through its lifecycle, show how the AI pipeline stays inside your tenant, and trace a single human-in-loop approval.

Business context informs risks. Controls and KRIs monitor them. Incidents loop back into re-scoring. Policies and attestations close the loop into one audit chain.

Flow map (risk lifecycle):

  • Stages: Context (Where risk originates); Risk transformation (Identify · treat · monitor); Events (When risk materializes); Assurance (Verify everything works)
  • Nodes: Business processes (Operational map); Governance (Board · committees); Third parties (Outsourced functions); Risks (Enterprise register); Controls (Preventive · detective); KRIs (Indicators · thresholds); Incidents (Operational · ICT); Policies (Versioned library); Attestations (User sign-off); Audit chain (Append-only evidence)

Context

Your business process map is the canvas

Risks, controls and KRIs all tie back to a process and a business unit. Change a process and every dependent control re-evaluates automatically — no manual cross-reference, no drift between the org chart and the risk register.

These visualisations simplify the live engine for clarity. Full rule definitions, model inputs and audit-chain contracts are shared under NDA during the evaluation window.

How it works

Six capabilities. One audit trail.

Ordinis is built so the second-line team can do its actual work — not stitch together four disconnected SaaS ledgers with a spreadsheet in between.

Workflow 01

Workflow API

Risks, controls, incidents, access requests, change requests, attestations — one model, one API, one surface for your second-line team.

Audit 02

Append-only audit chain

Every state change is recorded with integrity hashes. Tamper-evident by design. Auditors can read the trail directly, without a data-science round-trip.

Propagation 03

Event propagation

When a policy or control changes, dependent attestations reopen, notifications fire, and related reviews queue themselves — declaratively, with silence windows and dead-letter handling.

Evidence 04

Evidence store

Attach files to any decision. Artefacts are hash-pinned on write. Download is through short-lived signed URLs. Primary storage lives in Zürich.

AI 05

Explainable AI suggestions

Classifications and routing arrive as suggestions with context. Humans accept, dismiss, or override. The model never mutates regulated state on its own.

Access 06

Role + SoD enforcement

Fine-grained permissions and segregation-of-duties validators run before approvals. Drift is detected and surfaced on the permission side, not found during the next audit.

Who it's for

Built for the Swiss regulated perimeter — two wedges first.

Ordinis is tenant-native from the first migration and FINMA-shaped where it counts. During the alpha we're focused on two buyer types.

FINMA-supervised FinTechs

Licensed under FINMA Art. 1b (FinTech licence) or Art. 3 (bank licence). Map your risk register, controls, and incident pipeline to FINMA Circular 2023/1 controls on day one — with the workflow engine the regulator expects to see.

  • ICT operational risk register linked to controls
  • Third-party outsourcing controls + evidence handling
  • Incident classification with AI-suggested banner (human approves)

Asset & wealth managers

FINMA-supervised asset managers and trustees. Run the full audit cycle — Prüfstrategie, Prüfgebiete, Prüfberichte — with Swiss-formatted reports and the audit chain your Prüfgesellschaft will read directly.

  • Prüfgebiet templates + coverage heatmap
  • SoD-enforced finding escalation + carry-forward
  • Annual Prüfbericht artefacts with integrity hashes

Insurance intermediaries and other regulated segments are on the roadmap but are not in the current alpha. We'd rather go deep on two wedges than shallow on five.

Fit check

Who Ordinis is not for.

If one of these describes you, a shorter conversation saves both sides time.

Generic SME compliance

If FINMA, FADP, Swiss audit workflows, and second-line governance aren't central to your operating model, Ordinis is over-specified for you.

Checklist-only GRC

Ordinis is a workflow engine with an audit trail underneath. If you need a policy library to tick boxes against, there are lighter tools.

Spreadsheet replacement without workflow

We don't ship a risk register you fill in manually. Risks connect to controls, incidents, propagation rules, and approvals — or they aren't worth tracking.

What second-line teams get

Core capabilities, plainly described.

What's shipped today. Where a capability is partial or on the roadmap, we say so.

AI-assisted, never AI-decided

Every classification or routing suggestion is written as an audit row with context. Your team accepts, dismisses, or overrides. The model does not mutate regulated state on its own.

Event-driven propagation

Declarative rules express how a change to one entity ripples — reopening attestations, queueing reviews, notifying owners. Dedup gates, silence windows, and dead-letter handling are first-class.

Hosted in Zürich

Primary application and data live in Switzerland. Evidence and generated reports are stored in the same region. Secondary services (observability, some AI) are disclosed per-service, not hidden.

FINMA-shaped entities

Circular 2023/1 controls, BankV Art. 7 outsourcing register, GwG audit points, and Prüfstrategie/-bericht flows are first-class entities — not spreadsheet bolt-ons you paste into the product.

Role + SoD enforcement

Fine-grained permissions ship through a drift-detection pipeline. Segregation-of-duties validators run before state mutation on access requests, change requests, and risk decisions.

Tamper-evident audit chain

Append-only audit log with integrity hashes. Evidence attachments are SHA-256-pinned on write. Auditor-ready exports without a data-scientist in the loop.

Compliance posture

Regulator-shaped. Auditor-defensible.

Each claim below maps to a demonstrable control. Certifications still in progress are listed as such — not implied.

  • FINMA Circular 2023/1: Operational risk + resilience — mapped in the control catalogue
  • FADP (Swiss DPA): Aligned by design; DPIA artefacts supported
  • GDPR aware: EEA data-subject workflows available
  • Engineered in Zürich: Product and engineering in Switzerland
  • Hosted in Switzerland: Application, data, and evidence in ch-dk-2
  • Tamper-evident audit chain: Append-only log with integrity hashes
  • Explainable AI suggestions: Context + provenance on every AI row

On the roadmap, not in place: SOC 2 Type II certification, multi-region tenant-configurable residency, independent penetration test report.

Fully shared under NDA: specific FINMA control-to-entity mappings, audit trail schema, evidence integrity model, and AI insertion rubric.

Current alpha scope

Where Ordinis is today, plainly.

We're in private alpha. That changes how you should read everything on this page.

  • Private alpha

    Closed cohort. Access is granted case-by-case after a short conversation.

  • NDA-based evaluation

    All access operates under a bilateral non-disclosure agreement. No public self-serve signup.

  • Core workflows available

    Risks, controls, incidents, access requests, change requests, policy attestations, audit evidence.

  • No public pricing yet

    Pricing is set after the alpha cohort closes and feedback is incorporated.

  • Roadmap is transparent

    Missing capabilities (SOC 2 Type II, multi-region residency, independent pen-test report) are disclosed up front — not hidden behind marketing copy.

FAQ

Things people actually ask.

What stage is Ordinis at?

A private alpha instance runs in Zürich. A small number of design partners are evaluating the first end-to-end workflows under NDA. Public launch, pricing, and broader availability follow once that cohort's feedback is incorporated.

Where is the data stored?

Primary application and data live in Switzerland (Zürich, ch-dk-2). Evidence attachments and generated reports use object storage in the same region. Secondary services (error telemetry via Sentry EU/Frankfurt, some AI APIs) are disclosed per-service — we don't claim blanket Swiss-only hosting.

How does the AI layer work — and is it decision-making?

No. AI is suggestion-only. Classifications, routing, and risk-score attributions arrive as audit rows with context. A human with the right role accepts, dismisses, or overrides. The model does not mutate regulated state on its own — that's an architectural commitment, not a toggle.

How is Ordinis different from a GRC spreadsheet vendor?

Events propagate. When a policy or control changes, dependent attestations reopen, notifications fire, and related reviews queue themselves — declaratively, not manually. Every action is idempotent, audited, and provable against the same data model a regulator would read.

Can I bring my own compliance framework?

Yes. FINMA Circular 2023/1, GwG audit points, BankV Art. 7, and Swiss audit workflows are seeded. New frameworks are configured through the regulation catalogue plus the propagation-rule registry — not hardcoded.

What is not in the current alpha yet?

SOC 2 Type II certification is in progress. Multi-region tenant-configurable residency and an independent penetration test report are roadmap items. Insurance-intermediary workflows are not in the current alpha. ISO/IEC 27001:2022 is already in place — Ordinis is built under Finray's certified information security management system.

Who is behind Ordinis?

Ordinis is built by Finray Technologies Limited, a Cyprus-headquartered financial-technology firm. The core team is based in Zürich and across the EU, combining senior FinTech, compliance, and engineering leadership.

How do I get alpha access?

Request access below. We review each inbound to make sure the pairing is useful for both sides — current cohort is limited to FINMA-supervised FinTechs and asset managers.

Powered by Finray

One platform in the Finray ecosystem.

Ordinis is the flagship governance, risk and compliance product of Finray Technologies — a financial-technology infrastructure provider. While Ordinis is your operational brain for regulatory work, it runs under Finray's ISO/IEC 27001:2022 certified information security management system.

Ordinis is the governance, risk and compliance layer. Other products in the Finray ecosystem extend the same integrity posture to settlement, treasury and reporting workloads.

Shared with every Finray product

  • Supervisory-aligned: Built to the controls auditors actually read — FINMA Circular 2023/1, FADP and the Swiss audit framework are first-class concerns, not retro-fit mappings.
  • Explainability first: Model outputs arrive with drivers and regulation references attached. AI stays suggestion-only across the portfolio. Human approval is not a toggle.
  • Integrity by design: Append-only audit chains with integrity hashes. Primary application and data hosted in Switzerland. Per-service hosting is disclosed, not hidden.

Finray Technologies is the operating entity behind Ordinis. The same engineering posture extends across the rest of the portfolio.

Private alpha · Design partners under NDA

Become a design partner.

We're working with a small number of FINMA-supervised FinTechs and asset managers under bilateral NDA. If Ordinis fits what your second-line team actually does, we'll provision an isolated tenant and pair for the first two weeks.

Inbound messages are processed under our privacy policy. We won't add you to a marketing list. No public self-serve signup.