Security, privacy, and compliance at Orquesta. Transparency about how we protect your data.
Annual third-party audit covering the security, availability, and confidentiality trust service criteria.
GDPR (EU data protection) compliance. Data Processing Agreement (DPA) available upon request.
California consumer privacy rights (CCPA) honored: data deletion and opt-out mechanisms in place.
Business Associate Agreement (BAA) available. PHI handling procedures and encryption in place.
Application security tested against all OWASP Top 10 vulnerability categories.
Data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Keys managed via cloud KMS.
Annual penetration tests conducted by independent third-party security firms. Summary available under NDA.
Automated scanning of dependencies for known CVEs on every build via Snyk and Dependabot. SAST tooling integrated into the CI/CD pipeline.
Pre-commit hooks and CI secret-scanning checks block credentials from being committed. Secrets are never stored in plain text.
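As an added illustration of the kind of check such a hook performs (example code written for this page, not Orquesta's actual hook), the Python script below scans the staged diff for known credential formats and for assigned values that look random enough to be real secrets. The regex patterns, the entropy threshold of 3.5 bits per character, and the constructed diff lines used to exercise it are assumptions, not anything taken from the page.

```python
"""Added example: a minimal pre-commit secret scanner (stdlib only).

Illustrative code for this page, not Orquesta's actual hook. Run it as a
pre-commit hook: it inspects added lines in ``git diff --cached`` and exits
non-zero when a line matches a credential pattern or carries a high-entropy
token, which aborts the commit.
"""
import math
import re
import subprocess
import sys

# Known credential formats. Patterns are illustrative assumptions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # Generic "key = '...'" assignments: the value (group 1) is checked for
    # entropy below so placeholders such as "changeme" are not reported.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed value, tune per repo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return (line_no, rule, token) for every suspicious added line.

    ``lines`` is the text of a unified diff; only added lines ('+' prefix,
    excluding the '+++' file header) are inspected, so removing a leaked
    secret is never itself flagged.
    """
    findings = []
    for no, line in enumerate(lines, 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for rule, pat in PATTERNS.items():
            m = pat.search(body)
            if not m:
                continue
            token = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(token) < ENTROPY_THRESHOLD:
                continue
            findings.append((no, rule, token))
    return findings


def main() -> int:
    """Hook entry point: scan the staged diff and block the commit on findings."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_lines(diff.splitlines())
    for no, rule, token in findings:
        # Print only a prefix so the hook itself does not echo the secret.
        print(f"diff line {no}: possible {rule}: {token[:8]}...", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The entropy gate is what keeps a check like this usable in practice: pattern-only scanners either miss generic `token = '...'` assignments or drown developers in false positives on placeholders. The same scan run in CI (against the full push rather than the staged diff) is the second layer that catches anyone who bypasses the local hook with `--no-verify`.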
Background checks for all employees. Mandatory security training. Least-privilege access enforced, with hardware security keys for authentication.
Documented incident response (IR) plan with 1-hour acknowledgment for P1 incidents. Postmortem published within 72 hours.
Hosted on AWS and GCP with multi-AZ redundancy. Network isolation, WAF, and DDoS protection enabled.
Third-party services that process data on behalf of Orquesta. All sub-processors have been evaluated for security posture and have Data Processing Agreements in place.
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and real-time subscriptions | US (AWS) |
| Vercel | Backup hosting and edge functions | US (AWS) |
| Google Cloud Platform | Primary hosting (Compute Engine) | US Central (Iowa) |
| Stripe | Payment processing | US |
| Resend | Transactional and CRM email delivery | US (AWS) |
| Anthropic | AI model provider (Claude) for Batuta agent mode | US |
| OpenAI | AI model provider (GPT) for Auto/Batuta modes | US |
| DigitalOcean | Customer VM provisioning (Cloud VMs feature) | Various |
Comprehensive overview of our security architecture, controls, and practices.
Latest audit report covering security, availability, and confidentiality. Available under NDA.
Standard DPA for GDPR compliance. Pre-signed template available.
For healthcare customers handling PHI. Required for HIPAA compliance.
How we collect, use, and protect your personal information.
Terms governing use of the Orquesta platform and services.
We take security vulnerabilities seriously. If you discover a security issue in Orquesta, please report it to us responsibly. We commit to acknowledging reports within 24 hours and providing a remediation timeline within 72 hours.