This article explains, in plain language, the security posture of Oryn. For the formal commitment statement, see the Security page. For vendor-security packages (SIG, CAIQ, SOC 2 readiness), contact trust@decoded-systems.com.
Encryption
- At rest: AES-256 encryption on every block in the database and in object storage (R2).
- In transit: TLS 1.3 between your browser and our API, between our API and all third-party services.
Identity and access
- Auth0 manages user identity. We don\u2019t store password hashes; Auth0 does.
- MFA can be enforced per firm. We recommend it on; most of our firms enable it.
- SSO / SAML supported on paid tier for firms that want to centralize identity.
- Session tokens are short-lived (access token ~15 minutes) with refresh tokens rotating on use.
Data isolation
- Per-firm isolation is enforced at the query layer with row-level security.
- Row-level security means a bug in application code that forgot to filter by firm still cannot return another firm\u2019s data.
- No shared tables contain more than one firm\u2019s data.
Audit and accountability
- Every artifact write \u2014 documents, pleadings, signatures, time entries, trust transactions \u2014 writes an append-only event log entry.
- Audit events are queryable by any user with audit-role permission.
- Authentication events (login, MFA challenge, token refresh) are logged separately.
Webhook integrity
- Every inbound webhook from a third party (Dropbox Sign, LawPay, etc.) is verified by signature or shared secret.
- Duplicate deliveries are deduped via stored event IDs. Replay attacks are not a concern.
Rate limiting and throttling
- Public endpoints are throttled by client IP (
RealIpThrottlerGuard). - Auth endpoints have aggressive throttling to slow credential-stuffing attacks.
SOC 2
- Oryn is in the readiness program for SOC 2 Type II.
- Policies (access control, change management, incident response, vendor management) are written and being implemented as of April 2026.
- Expect attestation in the next calendar year.