Orchestra sits in the middle of sensitive customer context — emails, call notes, internal decisions. Security is non-optional. This page summarises how we protect that data today, and what's on the roadmap.
Infrastructure
Orchestra is built on Supabase (Postgres, auth, storage) hosted in AWS. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Tenant data is logically isolated by workspace.
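As an added illustration (not Orchestra's own schema or policy code), this is what workspace-level logical isolation typically looks like on Supabase's Postgres: row-level security policies keyed on a workspace_id column, evaluated against the caller's Supabase auth identity. The notes table, its columns, and the workspace_memberships helper table are assumptions made for the example.

```sql
-- Added illustration, not Orchestra's actual schema or policies.
-- Assumed tables: "notes" carrying a workspace_id column, and
-- "workspace_memberships" mapping Supabase auth users to workspaces.
create table if not exists workspace_memberships (
  user_id      uuid not null references auth.users (id),
  workspace_id uuid not null,
  role         text not null check (role in ('owner', 'member')),
  primary key (user_id, workspace_id)
);

create table if not exists notes (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  body         text not null,
  created_by   uuid not null references auth.users (id)
);

-- Without RLS, any authenticated client holding an API key can read
-- every row in the table. Enabling it makes the policies below the
-- only path to the data; "force" applies them to the table owner too.
alter table notes enable row level security;
alter table notes force row level security;

-- Read: only rows in workspaces the calling user is a member of.
create policy notes_select_own_workspace on notes
  for select
  using (
    workspace_id in (
      select m.workspace_id
      from workspace_memberships m
      where m.user_id = auth.uid()
    )
  );

-- Write: the same membership check on the new row's workspace_id,
-- so a client cannot insert a note into someone else's workspace.
create policy notes_insert_own_workspace on notes
  for insert
  with check (
    workspace_id in (
      select m.workspace_id
      from workspace_memberships m
      where m.user_id = auth.uid()
    )
  );

-- The membership table itself also needs RLS, otherwise a user could
-- read (or, without a policy, insert) memberships for other workspaces.
alter table workspace_memberships enable row level security;
create policy memberships_select_self on workspace_memberships
  for select
  using (user_id = auth.uid());

-- Check (run as a user who belongs to workspace A only): a query for
-- workspace B returns zero rows rather than an error. That silent
-- empty result is what a tenant-isolation test should assert on.
-- '<workspace-B-uuid>' is a placeholder, not a real identifier.
select count(*) from notes where workspace_id = '<workspace-B-uuid>';
```

The point of the check at the end is that RLS filters rather than rejects: an isolation test that only looks for permission errors will pass even when the policies are missing, so assert on row counts from a second workspace's identity instead.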
Access & auth
Sign-in is handled through Google OAuth today, with SSO (SAML, OIDC) available on request for pilot customers. Team roles are scoped at the workspace and account levels.
Integrations
Gmail, Slack, Linear, and similar integrations use OAuth scopes limited to what each product surface requires. You can disconnect any integration from the workspace settings; ingestion stops immediately and derived context is removed within 30 days.
Model providers
We use Anthropic Claude as our primary inference provider. Prompts and outputs are not used to train Anthropic models, per our contract with them.
Compliance
SOC 2 Type I is on the 2026 roadmap. We can sign DPAs and respond to security questionnaires for pilot customers in the meantime.
Reporting an issue
Found a vulnerability? Email security@orchestra.dev. We'll respond within two business days.