Security & Compliance · Transparent by default

Built to be trusted

Ora runs on enterprise-grade infrastructure, handles data with care, and is on a clear path to full compliance certification. Here's exactly what we do and where we're headed.

Compliance status

Where we stand today

We believe in radical transparency. Here's our exact compliance status — the good and the in-progress.

🔐
✓ Achieved
TLS 1.3 Encryption
All data in transit is encrypted using TLS 1.3. HTTPS enforced across all endpoints.
🗄️
✓ Achieved
Encrypted at Rest
All data stored in Supabase (PostgreSQL) with AES-256 encryption at rest.
🌏
✓ Achieved
Australian Data Hosting
Client data stored in AWS Asia Pacific (Sydney) — ap-southeast-2. Data never leaves Australia.
🔑
✓ Achieved
Secret Management
All API keys and credentials stored in Vercel encrypted environment variables. Never in code.
🚫
✓ Achieved
No Training on Client Data
Ora is built on Claude (Anthropic). Client conversations are never used to train AI models.
🗑️
✓ Achieved
Data Deletion on Request
Client data deleted within 30 days of account closure. Brain knowledge purged from all systems.
📋
⏳ In progress
SOC 2 Type I
Certification process underway via Vanta. Expected completion: Q3 2026.
🇪🇺
⏳ In progress
GDPR Compliance
Privacy policy and data handling reviewed for GDPR alignment. DPA available on request.
🏥
Q4 2026
HIPAA Ready
Planned for Q4 2026 to enable Ora deployments in healthcare and allied health.

Security architecture

How we protect your data

Every Ora deployment is built on the same security architecture. Here's what's protecting your business and your customers' data.

🛡️
End-to-end encryption
TLS 1.3 in transit. AES-256 at rest. Every byte of data between your customers and Ora is encrypted.
🔒
Zero data sharing
Conversation data is never shared with third parties, used for advertising, or sold. Ever.
🇦🇺
Australian data sovereignty
All client data is stored in AWS Sydney (ap-southeast-2). We don't use offshore storage.
🧠
No AI training on your data
Anthropic (Claude) does not use API conversations to train models. Your business knowledge stays yours.
👁️
Access logging
All access to client data is logged with timestamps. Audit trail available on Pro tier.
99.9% uptime infrastructure
Hosted on Vercel's global edge network with Supabase PostgreSQL. Automatic failover and redundancy.
🔐
Minimal data collection
We only collect what's needed. Conversations, lead contact details, and page source. Nothing else.
🗑️
Right to erasure
Clients and their customers can request complete data deletion at any time. Processed within 30 days.
Infrastructure

What Ora is built on

Enterprise-grade components, all the way down.

Component        | Provider               | Standard                    | Location
-----------------|------------------------|-----------------------------|----------------------------
AI Model         | Anthropic Claude       | SOC 2 Type II, GDPR         | US (data not retained)
Database         | Supabase (PostgreSQL)  | SOC 2 Type II, ISO 27001    | AWS Sydney (ap-southeast-2)
Hosting & Edge   | Vercel                 | SOC 2 Type II, ISO 27001    | Global edge, AU region
Payments         | Stripe                 | PCI DSS Level 1             | AU data centre
Telephony / SMS  | SignalWire             | HIPAA eligible, SOC 2       | US (AU PSTN)
Email            | Resend                 | SOC 2 Type II               | US (GDPR compliant)
Voice Synthesis  | ElevenLabs             | GDPR compliant              | EU/US

Compliance roadmap

The path to full certification

We're on a deliberate path to SOC 2 Type II. Here's where we are and where we're going.

Q1 2026 — Complete
Security foundations
Encryption at rest and in transit, secret management, Australian data hosting, access controls, and audit logging implemented.
Q2 2026 — In progress
SOC 2 Type I preparation
Partnering with Vanta to document security controls, policies, and procedures. Security review and gap analysis underway.
Q3 2026 — Planned
SOC 2 Type I certification
External audit by accredited auditor. Report available to enterprise clients under NDA.
Q4 2026 — Planned
HIPAA eligibility + SOC 2 Type II
Ongoing SOC 2 Type II audit period begins. HIPAA-ready configuration available for health and allied health clients.

Security questions?
Talk to the team

Enterprise clients can request our security documentation, DPA, and sub-processor list. We're an open book.
