Our security commitment
What Oryn does to protect your client data. A plain-language version lives in the knowledge base as well.
Program
Oryn’s security program is led by engineering leadership with formal policies covering access control, change management, vendor management, vulnerability management, and incident response. SOC 2 Type II readiness work is underway; attestation is targeted for the next calendar year.
Encryption
- At rest: AES-256 encryption on every database block and object-store object.
- In transit: TLS 1.3 on every network hop.
- Secrets: managed through our hosting provider’s secrets store, rotated on schedule, never committed to source.
Identity
- Auth0-managed identity; Oryn never stores passwords.
- MFA enforceable per firm.
- SSO/SAML available on the paid tier.
- Per-firm MFA policies, session timeouts, and account lockout thresholds.
Data isolation
- Row-level security enforced at the database query layer.
- Firm-scoped access tokens.
- All integration tokens stored encrypted, per-firm.
Audit
- Append-only event ledger records every artifact write.
- Authentication events logged separately.
- Audit access available to firm administrators.
Vulnerability management
- Dependency monitoring via Dependabot.
- CVE triage against a defined SLA.
- Responsible-disclosure policy available on request.
Subprocessors
Our processors include Railway (hosting), Cloudflare R2 (object storage), Auth0 (identity), Dropbox Sign (e-signature), LawPay (payments), and Sentry (error tracking). We maintain Data Processing Addenda with each and publish an up-to-date subprocessor list on request.
Incident response
In the event of a security incident affecting your data, we commit to notifying you within 72 hours of confirmation, including the specifics required by applicable law (GDPR, state breach statutes).