Security Overview

How ORiON is built to protect your most sensitive workforce, HR, and operational data — with transparency at every layer.

ORiON is designed to handle sensitive workforce, HR, and operational data with a focus on security, transparency, and control. We understand that enterprise customers often have specific security requirements — ORiON is built to be flexible and can accommodate additional controls to align with internal IT, security, and CISO policies.

1. Infrastructure & data architecture

ORiON is a cloud-native, multi-tenant platform designed with strict data isolation and secure infrastructure controls.

  • Hosted on Vercel with enterprise-grade infrastructure
  • Data stored in MongoDB Atlas with native encryption at rest
  • Multi-tenant architecture with strict logical separation between customer environments
  • All data hosted within U.S.-based regions
  • Authentication and identity management handled via Clerk
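
The "strict logical separation" claim above holds only if every query is scoped to the caller's tenant at the data-access layer, not left to each request handler. The following is an added example, not ORiON's code, showing that pattern and the failure mode it prevents: a constructed in-memory collection stands in for a MongoDB Atlas collection so the example runs offline, and the tenant id is taken from the authenticated session rather than from request input. The names `FakeCollection`, `TenantScopedCollection`, `scopedEmployees` and the sample rows are assumptions for illustration.

```javascript
// Added example (not ORiON's code): tenant scoping enforced at the data-access layer.
// FakeCollection is a constructed in-memory stand-in for a MongoDB collection and
// supports only equality filters; it exists so the example runs offline.
class FakeCollection {
  constructor(docs) {
    this.docs = docs;
  }
  find(filter) {
    return this.docs.filter((doc) =>
      Object.entries(filter).every(([key, value]) => doc[key] === value)
    );
  }
  insertOne(doc) {
    this.docs.push(doc);
    return doc;
  }
}

// Constructed sample data: two tenants sharing one collection, as in a
// multi-tenant schema that separates customers by a tenantId field.
const employees = new FakeCollection([
  { _id: 1, tenantId: 'acme', name: 'Ada', salary: 120000 },
  { _id: 2, tenantId: 'acme', name: 'Grace', salary: 135000 },
  { _id: 3, tenantId: 'globex', name: 'Linus', salary: 110000 },
]);

// The failure mode: the caller builds the filter, so a handler that forgets
// tenantId, or copies it from a query parameter, reads other tenants' rows.
function findEmployeesUnsafe(filter) {
  return employees.find(filter);
}

// The hardened form: the tenant is fixed from the authenticated session when
// the scope is created. Every read is ANDed with it, every write stamps it,
// and a filter that tries to name a different tenant is rejected outright.
class TenantScopedCollection {
  constructor(collection, tenantId) {
    if (typeof tenantId !== 'string' || tenantId.length === 0) {
      throw new Error('tenant context required');
    }
    this.collection = collection;
    this.tenantId = tenantId;
  }
  find(filter = {}) {
    if ('tenantId' in filter && filter.tenantId !== this.tenantId) {
      throw new Error('cross-tenant query rejected');
    }
    // Spread first, then tenantId, so the caller's filter cannot override it.
    return this.collection.find({ ...filter, tenantId: this.tenantId });
  }
  insertOne(doc) {
    return this.collection.insertOne({ ...doc, tenantId: this.tenantId });
  }
}

// session is assumed to come from the identity provider after authentication;
// its tenantId is server-side state, never request input.
function scopedEmployees(session) {
  return new TenantScopedCollection(employees, session.tenantId);
}

// Demonstration: the unsafe path returns all three rows; the scoped path for
// acme returns only Ada and Grace.
const demoScope = scopedEmployees({ userId: 'u-1', tenantId: 'acme' });
console.log(findEmployeesUnsafe({}).map((e) => e.name));
console.log(demoScope.find().map((e) => e.name));
```

The wrapper turns a forgotten tenant filter into a rejected request rather than a silent leak. The same property can be backed up at the database itself, for example with a collection validator that requires `tenantId` on every document, but the application-side scope is what keeps a single careless handler from becoming a cross-tenant read.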

2. Data security & encryption

ORiON enforces encryption across all layers of the platform to protect data in transit, at rest, and in backup systems.

In transit

  • Data in transit encrypted with TLS 1.2 or newer, with TLS 1.3 used by default
  • HTTPS enforced across the entire platform
  • Secure WebSocket connections for real-time features

At rest

  • Data at rest encrypted via MongoDB Atlas native encryption
  • Encrypted backups maintained with secure retention policies
  • Secrets, API keys, and credentials stored using encrypted environment variables
  • Secure handling of integration tokens with encryption at rest

3. Access control & identity management

Internal controls

  • Production data access limited to authorized personnel only
  • Least-privilege access enforced across all systems
  • All access is logged and auditable

Customer controls

  • Full role-based access control (RBAC) with configurable permissions
  • Authentication managed via Clerk — supporting secure login flows, MFA, and SSO
  • Session management with automatic timeout
  • Account lockout after failed login attempts
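
Two of the customer controls listed above, account lockout and session timeout, are easy to get subtly wrong. The block below is an added illustration, not ORiON's or Clerk's code, of the behaviour a reviewer should expect from them: a sliding failure window, a time-limited lock that a correct password cannot bypass, and an idle timeout that is reset by activity. The thresholds, the `LoginGuard` and `SessionStore` names, the `verifyPassword` callback and the injected clock are assumptions for illustration.

```javascript
// Added example (not ORiON's code): account lockout after repeated failed logins
// and idle-session expiry. Thresholds are assumptions chosen for illustration,
// not ORiON's or Clerk's settings; a real deployment would tune them.
const MAX_FAILED_ATTEMPTS = 5;              // failures inside the window that trigger a lock
const FAILURE_WINDOW_MS = 15 * 60 * 1000;   // sliding window in which failures count
const LOCKOUT_MS = 15 * 60 * 1000;          // how long a lock lasts
const SESSION_IDLE_TIMEOUT_MS = 30 * 60 * 1000;

class LoginGuard {
  // verifyPassword(account, password) -> boolean is the caller's credential check.
  // now() is injectable so the behaviour can be exercised with a fake clock.
  constructor(verifyPassword, now = () => Date.now()) {
    this.verifyPassword = verifyPassword;
    this.now = now;
    this.state = new Map(); // account -> { failures: [timestamps], lockedUntil }
  }

  attempt(account, password) {
    const t = this.now();
    const s = this.state.get(account) ?? { failures: [], lockedUntil: 0 };

    // The lock check comes before the credential check: a correct password
    // against a locked account must neither succeed nor reveal that it was correct.
    if (t < s.lockedUntil) {
      return { ok: false, reason: 'locked' };
    }
    // Only failures inside the sliding window count.
    s.failures = s.failures.filter((ts) => t - ts < FAILURE_WINDOW_MS);

    if (this.verifyPassword(account, password)) {
      this.state.delete(account); // success clears the failure history
      return { ok: true };
    }
    s.failures.push(t);
    if (s.failures.length >= MAX_FAILED_ATTEMPTS) {
      s.lockedUntil = t + LOCKOUT_MS;
      s.failures = [];
    }
    this.state.set(account, s);
    return { ok: false, reason: s.lockedUntil > t ? 'locked' : 'invalid' };
  }
}

class SessionStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sessions = new Map(); // sessionId -> { userId, createdAt, lastSeen }
  }

  create(sessionId, userId) {
    const t = this.now();
    this.sessions.set(sessionId, { userId, createdAt: t, lastSeen: t });
  }

  // Called on every authenticated request. Returns the session if it is still
  // live and records the activity; returns null (and forgets the session) once
  // the idle gap exceeds the timeout, so the user must re-authenticate.
  touch(sessionId) {
    const s = this.sessions.get(sessionId);
    if (!s) return null;
    const t = this.now();
    if (t - s.lastSeen > SESSION_IDLE_TIMEOUT_MS) {
      this.sessions.delete(sessionId);
      return null;
    }
    s.lastSeen = t;
    return s;
  }
}
```

The `reason` field is for server-side logging and monitoring; the response sent back to the client should be identical for `invalid` and `locked`, otherwise the lockout message lets an attacker confirm that a username exists. Lockout also gives anyone who knows a username a way to deny that user service, which is why the lock is time-limited rather than indefinite and why MFA, not lockout alone, is what actually stops credential guessing.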

4. Integrations & data handling

ORiON is built to securely integrate with external HR, CRM, and operational systems while minimizing data exposure.

  • OAuth 2.0 used for secure authentication with third-party systems
  • Permissions are strictly scoped to required data access
  • Integrations are read-only by default
  • API-first architecture ensures controlled and auditable data exchange
  • Fallback methods only used within customer-approved boundaries

5. Data ownership, retention & privacy

  • Customers retain full ownership of all data within the platform
  • Full data export capabilities available at any time
  • Customers may request data deletion at any time
  • Data retained for 30 days post-termination, then permanently deleted
  • ORiON does not use customer data to train AI models

6. GDPR compliance & data protection

ORiON is fully GDPR compliant and designed to support international data protection requirements.

  • Supports data subject rights — access, rectification, deletion, and portability
  • Ensures lawful processing of personal data under defined legal bases
  • Applies data minimization principles across integrations and storage
  • Enables customer control over data access and deletion workflows
  • Processes data in alignment with customer-defined policies and permissions

7. Security practices & risk management

ORiON follows a proactive, layered approach to security and risk management.

  • Ongoing internal security reviews and audits
  • Regular vulnerability scanning
  • Periodic penetration testing (currently performed internally and informally)
  • Active incident response plans and procedures
  • Continuous monitoring of system access and activity
  • Customers notified of security incidents within 72 hours of discovery

8. Compliance roadmap

ORiON continues to expand its enterprise compliance posture.

  • SOC 2 attestation planned; the audit process is expected to begin in the near term
  • Ongoing enhancements aligned with enterprise security and compliance expectations
  • GDPR and CCPA compliant today

Questions about security? Email support@applybyorion.com with subject "Security Inquiry." We typically respond within 2–4 business hours.