// PRIVACY, TERMS & SECURITY
How we protect your data.
Our full privacy policy, terms of service, and security practices — updated February 11, 2026.
Our commitment to security
At ORiON, security isn't an afterthought — it's foundational to everything we build. Your workforce data is sensitive, and we treat it with the highest level of protection. Just like our formulas, our security practices are transparent and auditable.
Infrastructure & architecture
Vercel — Enterprise infrastructure
- Enterprise-grade cloud infrastructure
- Redundant systems across multiple availability zones
- DDoS protection and traffic filtering
- Automated failover for high availability
- All data hosted within U.S.-based regions
MongoDB Atlas
- Native encryption at rest
- Encrypted backups with secure retention policies
- Multi-tenant architecture with strict logical separation
- Geographic redundancy
- Point-in-time recovery capabilities
Clerk — Auth & identity management
- Secure login flows
- Multi-factor authentication (MFA)
- Single Sign-On (SSO)
- Session management with automatic timeout
Network security
- Firewalls and intrusion detection systems
- Network segmentation and isolation
- Regular penetration testing
- Vulnerability scanning and patching
Data encryption
- TLS 1.3 encryption standard for all data transmission
- HTTPS enforced across the entire platform
- Secure WebSocket connections for real-time features
- AES-256 encryption via MongoDB Atlas native encryption
- Encrypted database backups
- Secrets, API keys, and credentials stored using encrypted environment variables
- Secure handling of integration tokens with encryption at rest
Access control & authentication
- OAuth 2.0 industry-standard protocol
- Google Sign-In integration
- Multi-factor authentication (MFA) available
- Session management with automatic timeout
- Account lockout after failed login attempts
- Encrypted password storage — not readable by anyone, including ORiON staff
- Administrators — Full platform access and integration management
- Members — Limited to dashboards and personal features
- Granular permissions prevent unauthorized data access
- Production data access limited to authorized personnel only
- All access is logged and auditable
Data ownership, retention & deletion
- Customers retain full ownership of all data within the platform
- Full data export available at any time via Settings › Data Export (CSV or PDF)
- Data retained for 30 days post-termination, then permanently deleted
- Customers may request immediate data deletion at any time — email support@applybyorion.com
- Audit logs retained for 1 year
- ORiON does not use customer data to train AI models for other customers
Incident response
ORiON maintains 24/7 security monitoring, automated threat detection, and real-time alerts. If a security incident affects your data, we will notify you within 72 hours of discovery, provide details of what happened, explain the steps we're taking, and offer guidance on protective actions.
Subprocessors
We use carefully vetted subprocessors, all bound by strict confidentiality and security requirements:
Vulnerability reporting
If you discover a security vulnerability, please email support@applybyorion.com with the subject “Security Vulnerability Report.”
- We acknowledge reports within 48 hours
- We investigate promptly and credit researchers (with permission)
- We do not take legal action against good-faith security research
Questions about security?
Email support@applybyorion.com with the subject “Security Inquiry.” We typically respond within 2–4 business hours.