Security
Honest, current-state security posture.
Two lists below: what is actually in the code today, and what we are explicit about not having yet. If a claim is on the wrong list, please tell us.
Trust controls
Tenant ACME: verified | RBAC: Active | Audit chain: Verified | AI budget: 72% used | Data stores: Isolated
Shipped today
What is live in the platform now
Every entry maps to merged code. Nothing here is aspirational.
Identity & access
JWT issuance with refresh-token rotation; revocation list in Redis; per-form ACL with OWNER/EDITOR/REVIEWER + USER/ROLE/TEAM principals; gateway-side path allowlist.
Tenant isolation
Every persistence call is filtered by tenant_id propagated through TenantContext (set from JWT). PostgreSQL row-level security policies live on sensitive tables; gateway rejects requests without a tenant claim.
Audit integrity
Tamper-evident hash chain over the audit log with a Super Admin verification endpoint; per-form audit trail with actor attribution; the same audit feed is exposed tenant-scoped under Settings → Audit log.
Usage governance
Plan-tier quotas enforced at write-time on user-create, invite, and form-create (HTTP 402 on overflow); feature flags with deterministic canary cohorts; AI cost/usage events recorded per call.
Resilience
Attachment storage roots under a persistent home directory by default (not /tmp); scripts/backup.sh ships a pg_dump + tar-of-files routine with rotation; trial enforcement filter soft-locks expired tenants on writes only.
Transport & content hardening
X-Frame-Options=DENY, X-Content-Type-Options=nosniff, Referrer-Policy, and a CSP baseline. Attachment downloads force application/octet-stream + nosniff + sandboxed CSP. Inbound webhooks (comms, Stripe) verified by HMAC-SHA256 with constant-time compare.
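The hash chain described under Audit integrity above can be illustrated with a short verifier. This is an added example, not Orkestra's code: the entry layout, the genesis value, the sample records and all function names are assumptions.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor for the first entry; not taken from the page


def entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so equal records always serialise to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> None:
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev_hash,
                  "hash": entry_hash(prev_hash, record)})


def verify(chain: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first broken link, or None if the chain is intact.
    expected_head is the latest hash kept outside the log store; without it a
    truncated or fully recomputed tail still verifies, with it len(chain) is returned.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


def build_sample_chain() -> list:
    # Constructed audit records; field names are illustrative.
    chain: list = []
    for seq, (actor, action) in enumerate([
        ("alice@example.test", "FORM_CREATE"),
        ("bob@example.test", "ACL_GRANT"),
        ("alice@example.test", "FORM_SUBMIT"),
        ("carol@example.test", "FORM_APPROVE"),
    ]):
        append(chain, {"seq": seq, "tenant_id": "t-001", "actor": actor, "action": action})
    return chain
```

An in-place edit or a deleted row is reported at the first link that no longer matches; a tail that was rewritten with recomputed hashes is only caught when the head hash is compared against a copy held elsewhere.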
On the roadmap
What we have not built yet
We would rather tell you up-front than discover this together during a procurement review.
MFA / SSO
User columns exist; TOTP enroll/verify endpoints and OIDC (Google first) are the next identity milestone. Today users authenticate with email + password.
CSP enforce mode
CSP currently runs in report-only mode while we tune the directive set. We will move to enforce mode after a quiet period in the report stream.
Tenant-RBAC matrix
Per-form ACL is live and stricter than role-based defaults; the tenant-wide owner/member/viewer role matrix is rolling out next.
Observability & SOC
Actuator + Prometheus exposure is wired; correlation-ID MDC logging, dashboards, and security monitoring are scheduled. A SOC partner has not been selected.
Third-party pen test
No external penetration test has been completed. We expect to run the first engagement before GA.
Compliance certifications
We are not yet SOC 2 or ISO 27001 certified. The product is designed against the controls, but the audits are not done.
Report a vulnerability
Found something that looks wrong? Please email security@orkestra.ai with as much detail as you can share. We aim to acknowledge reports within one business day and to keep you updated through resolution. Coordinated disclosure is welcomed and we will not pursue legal action against researchers acting in good faith.
