legal

Security

last updated: 2026-05-07 — ORQRO LLC, Lincolnshire, Illinois, United States

infrastructure

orqro runs on Vercel's edge infrastructure with data stored in Neon Postgres. All data is encrypted at rest using AES-256. All data in transit is encrypted using TLS 1.3.

tenant isolation

Every tenant's data is isolated using PostgreSQL row-level security (RLS). Cross-tenant access is impossible by database design — not just by application logic. We test this adversarially on every release.

per-tenant encryption

Each tenant has a dedicated encryption key. You can rotate your key at any time. We never have access to your plaintext data.

access control

Multi-factor authentication is enforced for all admin accounts. Role-based access control (RBAC) is enforced at every API endpoint. Every access event is logged to an immutable audit trail.

SOC 2 Type II

orqro is pursuing SOC 2 Type II certification. Every system and process has been designed with the audit in mind from day one — not retrofitted. Expected certification: Q3 2026.

vulnerability disclosure

Found a security issue? Please report it to security@orqro.com. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours.

incident response

In the event of a security incident affecting your data, we will notify you within 72 hours of discovery, consistent with applicable data protection law.