Security you can prove to your auditor.
Six frameworks, each externally audited or attested.
Download the most recent report for each framework under NDA. Reports are refreshed on the audit cadence and archived for seven years.
SOC 2 Type II
Security, Availability, Confidentiality
- Auditor
- Ernst & Young
- Last audit
- January 2026
ISO/IEC 27001:2022
Information Security Management System
- Auditor
- BSI Group
- Last audit
- November 2025
ISO/IEC 27017
Cloud services security controls
- Auditor
- BSI Group
- Last audit
- November 2025
GDPR
EU data protection — Controller & Processor
- Auditor
- External DPO attestation
- Last audit
- February 2026
HIPAA
BAA available for healthcare customers
- Auditor
- Schellman & Co.
- Last audit
- December 2025
CCPA / CPRA
California consumer privacy
- Auditor
- OneTrust assessment
- Last audit
- February 2026
Six control domains, mapped to the frameworks above.
Each control is evidenced in the SOC 2 Type II report and traced to the ISO 27001 Annex A reference. No marketing-only claims.
Access control
- SAML 2.0 SSO with Okta, Azure AD, Ping, Auth0
- SCIM 2.0 provisioning with group-based RBAC
- MFA enforced on all admin consoles
- Just-in-time access for support engineers
- Session binding to device posture
Data protection
- AES-256-GCM at rest across all object and block storage
- TLS 1.3 in transit with modern cipher suites only
- Field-level encryption for PII and financial data
- Envelope encryption with per-tenant data keys
- Bring-your-own-key (BYOK) on Elite tier
Infrastructure
- Per-tenant isolated VPCs on Enterprise and Elite
- Multi-region active-active with conflict-free replication
- Hardware security modules (HSM) for key custody
- Immutable infrastructure via signed build artifacts
- Zero persistent access for engineers in production
Monitoring
- 24/7 SOC with a global follow-the-sun rotation
- SIEM coverage across control and data planes
- Anomaly detection on API access patterns
- Customer-facing audit log streaming (Splunk, Datadog, Sumo)
- Quarterly penetration tests by independent firms
Incident response
- One-hour SLA for initial customer notification
- Dedicated incident runbook per severity level
- Post-mortem published within 5 business days
- Named escalation path for enterprise customers
- Tabletop exercises run quarterly with simulated scenarios
Business continuity
- RTO 1 hour, RPO 15 minutes on Enterprise tier
- RTO 0, RPO 0 on multi-region active-active Elite
- Disaster recovery tested quarterly with failover drills
- Backup retention configurable from 30 to 730 days
- Independent third-party BCP audit annually
Four geographies, seven physical regions.
Data is pinned to your primary geography and never leaves without explicit written consent. Network-level controls block cross-region transfers.
European Union
- Regions
- Frankfurt, DE · Amsterdam, NL
- Framework
- GDPR · Schrems II addendum
- Sovereignty
- Data never leaves the EU under EU tenancy.
United States
- Regions
- Virginia (us-east) · Oregon (us-west)
- Framework
- SOC 2 Type II · HIPAA
- Sovereignty
- DPF-certified for transatlantic transfers.
Asia Pacific
- Regions
- Singapore · Sydney
- Framework
- PDPA (Singapore) · IRAP aligned
- Sovereignty
- Data resident in-region with local backups.
United Kingdom
- Regions
- London
- Framework
- UK GDPR · ICO registration
- Sovereignty
- Data resident in-country post-Brexit.
Responsible disclosure, paid on the merits.
Our private program on HackerOne pays bounties from $500 for a confirmed low-severity issue to $50,000 for a critical authentication or data-exposure finding. Reports are acknowledged within one business day, triaged within three, and paid on confirmation.
- Safe harbor for good-faith research, documented in the policy.
- Public Hall of Fame for researchers who opt in.
- Direct contact: security@ordentra.com (PGP key available)
- Low: Information disclosure without sensitive impact, minor configuration findings.
- Medium: Stored XSS in admin views, authorization gaps within a single tenant.
- High: Privilege escalation, tenant isolation bypass, or significant data exposure.
- Critical: Remote code execution, authentication bypass, or cross-tenant compromise.
The paperwork you need, where your legal team will look for it.
Standard contracts and disclosures maintained in one place. Updates are published with a thirty-day lead time baked into the DPA.
Enterprise customers have a contractual right to audit.
Enterprise and Elite contracts include an explicit right to audit ORDENTRA’s controls once per calendar year at your expense. We’ll support the audit with documentation, interviews, and scoped access to evidence artifacts — typically completed within four weeks of a written request.
For customers without capacity to run an audit themselves, we provide our SOC 2 Type II and ISO 27001 reports under NDA, along with a pre-filled Cloud Security Alliance CAIQ questionnaire and responses to the Shared Assessments SIG-Core.
Questions your security team always asks, answered on the record.
Pulled directly from the last forty enterprise security reviews we completed. Answers written by the trust team, not marketing.
Do you sign our Data Processing Agreement (DPA)?
Yes. ORDENTRA publishes a standard DPA that covers GDPR Article 28, UK GDPR, CCPA, and the EU Standard Contractual Clauses in one document. Enterprise customers can negotiate addenda for sector-specific requirements, including HIPAA BAA, financial services control attestations, and public-sector FedRAMP-aligned controls.
Where is my data stored and can I pin it to a specific region?
Yes. Every tenant is provisioned in a primary region (EU, US, APAC, or UK) and data never leaves that geography without explicit written consent. Backups, logs, and analytical extracts are pinned to the same region. Cross-region transfers for support operations are blocked at the network level and auditable in the access log.
How is production access controlled and logged?
Engineers have zero standing access to production. All operational access is just-in-time, approved by a second engineer, scoped to a single case, and automatically revoked within four hours. Every session is recorded at the command level and streamed to the customer-facing audit log on Elite tier.
What happens during a security incident?
A detected incident triggers the runbook within minutes. Customers are notified within one hour of confirmed impact via the named contact and the in-product banner. A post-mortem is published to the status page within five business days with a root cause, corrective actions, and verification artifacts.
Can I bring my own encryption keys?
Yes, on the Elite tier. Bring-your-own-key (BYOK) integrates with AWS KMS, Azure Key Vault, and Google Cloud KMS. Keys are rotated on your schedule and revocation suspends new cryptographic operations within sixty seconds.
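Envelope encryption with per-tenant data keys (listed under Data protection above) and the BYOK revocation behaviour described in this answer, shown as an added example in Go. This is not ORDENTRA's code and makes no claim about its internals: the in-memory keyService stands in for the customer's KMS/HSM, the tenant IDs and the sample record are constructed, and revocation is modelled as an immediate refusal rather than the sixty-second window quoted above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// keyService is a constructed stand-in for the customer-controlled KMS/HSM: one
// key-encryption key (KEK) per tenant that never leaves it. Callers only get wrap
// and unwrap; createKEK/revoke model the customer turning the KEK on or off.
type keyService map[string][]byte // tenant ID -> 32-byte KEK

func (k keyService) createKEK(tenant string) { k[tenant] = mustRandom(32) }
func (k keyService) revoke(tenant string)    { delete(k, tenant) }

// wrap and unwrap protect a data key under the tenant's KEK. The tenant ID is
// bound as AAD, so a wrapped key replayed under another tenant fails to open.
func (k keyService) wrap(tenant string, dek []byte) ([]byte, error) {
	kek, ok := k[tenant]
	if !ok {
		return nil, fmt.Errorf("kms: no active KEK for tenant %q", tenant)
	}
	return seal(kek, dek, []byte(tenant)), nil
}
func (k keyService) unwrap(tenant string, wrapped []byte) ([]byte, error) {
	kek, ok := k[tenant]
	if !ok {
		return nil, fmt.Errorf("kms: no active KEK for tenant %q", tenant)
	}
	return open(kek, wrapped, []byte(tenant))
}

// mustRandom and mustGCM panic only on programming-level failures; AEAD authentication failures come back as errors.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an unreadable CSPRNG is not recoverable
	}
	return b
}
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // bad key length is a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES always has a 16-byte block
	return gcm
}

// seal and open are the one primitive used at both layers: AES-256-GCM, fresh 96-bit nonce prefixed to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// envelope is what storage keeps: ciphertext plus the wrapped DEK; the plaintext DEK lives only in memory while in use.
type envelope struct {
	Tenant                 string
	WrappedDEK, Ciphertext []byte
}

func encryptRecord(ks keyService, tenant string, record []byte) (*envelope, error) {
	dek := mustRandom(32) // fresh 256-bit data key for this record alone
	wrapped, err := ks.wrap(tenant, dek)
	if err != nil {
		return nil, err
	}
	return &envelope{tenant, wrapped, seal(dek, record, []byte(tenant))}, nil
}
func decryptRecord(ks keyService, env *envelope) ([]byte, error) {
	dek, err := ks.unwrap(env.Tenant, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(env.Tenant))
}

func main() {
	ks := keyService{}
	ks.createKEK("tenant-a")
	env, err := encryptRecord(ks, "tenant-a", []byte("ssn=123-45-6789")) // constructed sample PII
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(ks, env)
	ks.revoke("tenant-a") // customer pulls the KEK: every tenant-a record is now unreadable
	_, errRevoked := decryptRecord(ks, env)
	fmt.Printf("round trip: %q (%v); after revoke: %v\n", pt, err, errRevoked)
}
```

The point to take from it is where the trust boundary sits: the service only ever holds a wrapped DEK per record, so pulling the KEK in the customer's KMS makes every envelope for that tenant unreadable without the provider having to find and delete anything. Binding the tenant ID as AAD means a wrapped key copied into another tenant's context fails the GCM tag check even before the data is touched, which is the cheapest form of the tenant isolation the control list promises.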
Do you participate in the bug bounty ecosystem?
Yes. ORDENTRA runs a private bug bounty program on HackerOne with bounty ranges from $500 to $50,000. Reports from outside the program are also honored through the security@ordentra.com address and resolved on the same SLA.
Who are your sub-processors and how do I stay informed of changes?
The current sub-processor list is published at /subprocessors and covers hyperscaler infrastructure, email delivery, monitoring, and support tooling. Customers can subscribe to a change feed that announces new sub-processors thirty days before they go into effect, with an opt-out window baked into the standard DPA.