Built for law firms, finance firms, and regulated SMBs.
The single source of truth for how Ordalis handles your data. Procurement teams: everything linked below is what you'd normally ask in a security questionnaire. If something is missing, email [email protected].
Compliance posture
| Framework | Status | Details |
|---|---|---|
| SOC 2 Type II | Roadmap | Controls are designed, coded, and logged (see Security). External audit is the next step. No auditor engaged yet. |
| GDPR / UK GDPR | Supported | DPA with SCC Module 2 available on sign-up. EU residency on the roadmap. |
| HIPAA | BAA on request | Business plan and above. Counter-signed by Ordalis security. |
| CCPA / CPRA | Supported | Right-to-erasure via POST /v1/data/delete-request with a 30-day hold window. |
| ISO 27001 | Planned | Targeted after SOC 2 Type II. |
Security controls
Encryption
AES-256-GCM encryption at rest for customer files in R2. TLS 1.2+ in transit, with HSTS preload and a 2-year max-age. Per-tenant encryption keys are on the roadmap for 2026-Q3.
Authentication
PBKDF2 password hashing (100k iterations + per-user salt). TOTP MFA (RFC 6238) with backup codes. Required for platform admins; self-serve for all users.
SSO (OIDC)
Google Workspace, Microsoft Entra, Okta, Auth0. JIT provisioning with domain allowlist. Enforced sign-in blocks password auth for domains you specify. Available on all paid plans.
Multi-tenancy
Every resource is scoped to a workspace. API keys are pinned to the workspace they were created in; leaked keys cannot pivot to other tenants.
Audit trail
Every sensitive action is logged with user, timestamp, IP, and a tamper-evident chain hash on export. Metadata is encrypted at rest.
Legal hold & retention
Configurable retention per workspace (1 day → 10 years). Legal hold flag preempts auto-deletion. Deletion requests have a 30-day cancellable hold window.
No training on customer data
Third-party inference providers (Anthropic, OpenAI) do not train on API traffic. We pass store: false to OpenAI and rely on Anthropic's default no-training commitment for all paid API tiers. Your documents never become training data.
Documents
Data Processing Agreement (DPA)
EU/UK GDPR-aligned DPA with SCC Module 2 (controller-to-processor). Clickwrap acceptance for any paid plan.
Business Associate Agreement (BAA)
HIPAA BAA available for workspaces handling PHI. Business plan or above. Counter-signed after Ordalis Security reviews the request — turnaround is on a best-effort basis while the BAA process is being formalized.
Subprocessors
Current third parties that may process customer data. We email you at least 30 days before adding any new subprocessor.
Service Level Agreement (SLA)
99.9% uptime target for Business and Enterprise. Credits for sustained outages.
Subprocessors at a glance
The canonical list is the JSON endpoint (versioned, machine-readable). Summary below for convenience.
| Subprocessor | Purpose | Region | DPA |
|---|---|---|---|
| Cloudflare | Workers, D1, R2, KV, Email Routing — app, storage, email fallback | US (global edge) | Signed |
| Anthropic | LLM inference for extraction | US | Signed |
| OpenAI | LLM inference fallback | US | Signed |
| Stripe | Billing & payment processing | US | Signed |
| Resend | Transactional email (primary sender) | US | Signed |
Data residency
All customer data is currently stored in US-region Cloudflare D1 (SQLite) and R2 (object storage). EU-region residency is targeted for 2026-Q3. Once live, data_region is a per-workspace setting and reads/writes are pinned to the matching regional stack. Contact [email protected] for early-access pilots.
Reporting a vulnerability
Email [email protected]. We acknowledge within 24 hours on business days. We do not yet operate a paid bug bounty, but we credit responsible researchers on this page.