Security at Orphica
Last updated 2026-05-24
Orphica is a business CRM and Marketing OS — every workspace stores customer records, pipelines, and confidential context. This page summarises how we protect that data and what controls you have as a customer.
Encryption
All data in transit is protected with TLS 1.2 or higher. All data at rest is encrypted with AES-256, including the primary database, file storage, and backups. Encryption keys are stored in AWS KMS and rotated annually.
OAuth tokens stored for integrations also get field-level encryption: each token is encrypted with a workspace-derived key before it is persisted, so a database leak alone would not expose live credentials.
Row-level security
Every customer-facing table is protected by Postgres row-level security policies that gate reads and writes by workspace_id. A member of one workspace cannot, by construction, read or write another workspace's rows — even via the public API.
We re-test RLS policies in CI on every database migration. A failing policy fails the build.
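The isolation described above, as an added SQL example that is not Orphica's own schema or test suite: a workspace-scoped table, one policy that gates both reads and writes on workspace_id, and the kind of self-check a CI migration step could run. The contacts table, the app_user role and the session variable app.workspace_id are assumptions.

```sql
-- Added example, not Orphica's schema: a workspace-scoped table, the RLS
-- policy that isolates it, and a self-check a CI migration job could run.
-- Assumes the app sets the session variable app.workspace_id per request
-- and connects as the non-owner role app_user (both are assumptions).
CREATE TABLE contacts (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    workspace_id uuid NOT NULL,
    email        text NOT NULL
);
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON contacts TO app_user;

-- Seed two workspaces before enabling RLS (the owner still bypasses it here).
INSERT INTO contacts (workspace_id, email) VALUES
    ('00000000-0000-0000-0000-000000000001', 'a@example.com'),
    ('00000000-0000-0000-0000-000000000002', 'b@example.com');

ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well; without it a job that
-- connects as the owner would silently see every workspace's rows.
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- USING gates reads (and the rows UPDATE/DELETE may touch); WITH CHECK gates
-- the rows INSERT/UPDATE may produce. current_setting(..., true) returns NULL
-- when the variable is unset, so an unscoped session sees and writes nothing.
CREATE POLICY workspace_isolation ON contacts
    USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
    WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);

-- CI check: act as workspace 1 and confirm workspace 2 is unreachable.
SET ROLE app_user;
SET app.workspace_id = '00000000-0000-0000-0000-000000000001';
DO $$
BEGIN
    IF (SELECT count(*) FROM contacts) <> 1 THEN
        RAISE EXCEPTION 'RLS failure: expected exactly one visible row';
    END IF;
    BEGIN
        INSERT INTO contacts (workspace_id, email)
        VALUES ('00000000-0000-0000-0000-000000000002', 'x@example.com');
        RAISE EXCEPTION 'RLS failure: cross-workspace insert succeeded';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;  -- expected: "new row violates row-level security policy"
    END;
END $$;
RESET ROLE;
```

Run as a superuser or the table owner so that SET ROLE app_user is permitted; if either RAISE fires, the migration job should fail the build.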
Region pinning
By default workspace data is stored in the AWS region closest to the workspace owner at signup. Enterprise customers can pin a specific region — currently US (us-east-1), EU (eu-west-1), or APAC (ap-southeast-1) — and we guarantee data, backups, and AI-provider inference stay within that region for the lifetime of the contract.
SOC 2 Type II
We complete annual SOC 2 Type II audits covering Security and Availability. Reports are available under NDA — email security@orphica.app to request the current report and gap analysis.
Subprocessors
We use a small set of subprocessors to run the service: Supabase (managed Postgres + auth + file storage), Vercel (hosting), Stripe (billing), Hypereal (AI model gateway), Inngest (workflow execution), Resend (transactional email when enabled). Each is bound by a data-processing agreement and the list is reviewed quarterly. Material changes are announced 30 days in advance.
Responsible disclosure
Found a vulnerability? Email security@orphica.app with details and a proof of concept. We respond within one business day, will not pursue legal action against good-faith research, and will credit reporters in our public Hall of Fame unless asked otherwise. Critical issues are patched within 7 days; high-severity within 30.