Security & Trust

How we protect your data

Our Commitment

Security is foundational to Ordia. We handle sensitive development data from your Slack, GitHub, and Jira integrations, and we take that responsibility seriously. This page outlines our security practices and infrastructure.

Infrastructure

Amazon Web Services (AWS)

Our core infrastructure runs on AWS, leveraging their SOC 2, ISO 27001, and other compliance certifications. We use multiple availability zones for redundancy.

Supabase

Database and authentication services are provided by Supabase, which is SOC 2 Type II compliant and runs on AWS infrastructure.

Cloudflare

We use Cloudflare for DDoS protection, a Web Application Firewall (WAF), and edge caching. All traffic is routed through Cloudflare's network.

Encryption

In Transit

All data transmitted to and from Ordia is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and use HSTS headers.

At Rest

All stored data is encrypted using AES-256 encryption. Database backups are also encrypted.

API Keys & Secrets

OAuth tokens and API keys are encrypted before storage and managed through secure secret management systems.

Access Control

  • Role-based access control (RBAC) for all internal systems
  • Multi-factor authentication required for all team members
  • Principle of least privilege for all access permissions
  • Regular access reviews and revocation of unused credentials
  • Separate production and development environments

Multi-Tenant Architecture

Ordia is built with multi-tenancy in mind:

  • Strict logical separation between customer data
  • Tenant isolation at the database level
  • No cross-tenant data access is possible through the application
  • Customer data is never mixed or commingled

Logging & Monitoring

  • Comprehensive audit logging for all system access and changes
  • Real-time monitoring and alerting for anomalies
  • Log retention for security analysis and compliance
  • Automated threat detection systems

Incident Response

We maintain an incident response plan that includes:

  • 24/7 on-call engineering team
  • Documented incident classification and escalation procedures
  • Customer notification within 72 hours for data breaches affecting their data
  • Post-incident review and remediation process
  • Regular incident response drills

AI & Third-Party Security

When processing data through AI systems (OpenAI):

  • Data is transmitted over encrypted connections
  • We have data processing agreements in place
  • AI providers are contractually prohibited from using your data for training
  • Only necessary data is sent to AI systems

Development Practices

  • Secure development lifecycle (SDL)
  • Code review required for all changes
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring
  • Regular security training for development team

Compliance

We are committed to maintaining compliance with applicable regulations:

  • CCPA/CPRA compliance for California residents
  • SOC 2 Type II certification (in progress)
  • GDPR readiness for EU data subjects

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to security@ordia.dev. We appreciate your help in keeping Ordia secure and will acknowledge receipt within 24 hours.

Questions

For security-related questions or to request additional documentation, contact us at security@ordia.dev.