Serious security. Stated plainly.
How we protect customer data, how it flows through our system, and what we're honest about not having yet. No compliance theatre, no vague claims — just what's actually in place and what's on the roadmap.
Core controls
What's in place today.
Every item here is live in production right now. Not a roadmap. Not a best effort. Actual controls enforced by the infrastructure or the database layer.
HTTPS everywhere
All traffic between your browser, your visitors' browsers, our servers, and our database is encrypted in transit using TLS 1.3. There is no HTTP-only path.
Encryption at rest
Every byte of customer data in our database is encrypted on disk using AES-256, managed by Supabase — our infrastructure provider. Keys are rotated automatically.
Row-level isolation
Postgres row-level security means one customer's query cannot physically return another customer's data. Isolation is enforced at the database layer, not just in application code.
Encrypted API keys
BYOK keys — your OpenAI, Anthropic, or Gemini keys — are encrypted before storage and never visible after initial entry. Not to us, not to other users, not in logs.
No cross-customer training
Your knowledge base, conversations, and uploaded content are never used to train, improve, or inform any other customer's chatbot, our models, or any third-party AI.
No data selling. Ever.
We don't sell, rent, license, or share customer data with third parties for marketing, analytics, or any other purpose. Your data exists to serve your chatbot's visitors and nothing else.
Data flow
Where your data goes when someone asks a question.
End-to-end path of a single visitor query. Every step happens on infrastructure we've described above — nothing leaves the encrypted chain.
1. Visitor asks a question
   The widget sends the question plus the current page URL to our API over HTTPS. No visitor personal data is sent unless you explicitly configure it with the data-orac-context attribute.
2. Question is embedded
   We convert the question into a vector representation using OpenAI's embedding model (or your BYOK provider's). The raw question is never stored by the embedding provider.
3. Knowledge base is searched
   The embedding is compared against your project's chunks in our Postgres + pgvector database. Row-level security guarantees we only search your chunks — never another customer's.
4. LLM generates the answer
   The question plus the retrieved context is sent to the LLM (OpenAI by default, or your BYOK key). The LLM streams a response back token-by-token.
5. Response is delivered and logged
   The visitor sees the streaming response in real time. The conversation is saved to your project's database, subject to row-level isolation and available for you to review or delete at any time.
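A sketch of the row-level isolation control and of the knowledge-base search step above, added here as an example; it is not AskOrac's code or schema. The table, role, policy and setting names (chunks, app_api, chunks_project_isolation, app.project_id), the 3-dimension vectors and the sample rows are assumptions. It shows a Postgres RLS policy scoping a pgvector similarity search to one project, and failing closed when no project is set.

```sql
-- Hypothetical schema for illustration; names are assumptions, not AskOrac's.
CREATE EXTENSION IF NOT EXISTS vector;

CREATE TABLE chunks (
    id         bigserial PRIMARY KEY,
    project_id uuid      NOT NULL,
    content    text      NOT NULL,
    embedding  vector(3) NOT NULL   -- 3 dimensions keeps the sample short
);

-- Constructed sample rows: two projects with identical embeddings, so
-- similarity alone cannot tell them apart.
INSERT INTO chunks (project_id, content, embedding) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Project A refund policy', '[0.9,0.1,0.0]'),
    ('22222222-2222-2222-2222-222222222222', 'Project B refund policy', '[0.9,0.1,0.0]');

-- Turn isolation on. FORCE makes the table owner subject to the policy too;
-- superusers and roles with BYPASSRLS still bypass it, so the API must
-- connect as a role that has neither.
ALTER TABLE chunks ENABLE ROW LEVEL SECURITY;
ALTER TABLE chunks FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) yields NULL when the setting is absent, so the
-- comparison is NULL and no row qualifies: the policy fails closed.
CREATE POLICY chunks_project_isolation ON chunks
    USING      (project_id = current_setting('app.project_id', true)::uuid)
    WITH CHECK (project_id = current_setting('app.project_id', true)::uuid);

CREATE ROLE app_api NOLOGIN;
GRANT SELECT ON chunks TO app_api;

-- One request on behalf of project A. The project id is bound per
-- transaction (third argument true), so it cannot leak to the next request
-- served on the same pooled connection.
BEGIN;
SET LOCAL ROLE app_api;
SELECT set_config('app.project_id', '11111111-1111-1111-1111-111111111111', true);
-- The policy is applied as a filter before the cosine-distance ranking, so
-- project B's equally close chunk is never a candidate.
SELECT content FROM chunks ORDER BY embedding <=> '[0.9,0.1,0.0]' LIMIT 5;
COMMIT;

-- A request that never binds a project id matches no rows at all.
BEGIN;
SET LOCAL ROLE app_api;
SELECT count(*) FROM chunks;
COMMIT;
```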
Maximum isolation
With BYOK, the LLM call goes out through your key — not ours.
Bring-your-own-key customers route every LLM request through their own OpenAI, Anthropic, or Gemini account. That means:
- The LLM provider sees the request as coming from you. Not from AskOrac. Your billing, your rate limits, your contractual relationship.
- You control logging and retention at the LLM layer. Enterprise OpenAI and Anthropic accounts offer zero-retention and audit-log options — use them and we never see the raw LLM exchange either.
- You stop sharing the trust boundary. For customers in regulated industries or under strict procurement requirements, BYOK is the path that most reliably passes review.
Honest limitations
Things we don't have yet.
We're a small team shipping a serious product. These are capabilities some enterprise buyers will require that we haven't built or certified yet — we'd rather tell you upfront than surface them in a procurement questionnaire.
No SOC 2, ISO 27001, or HIPAA certification
We implement the controls those audits verify (encryption, access control, data isolation), but we haven't been through a formal third-party audit. If your procurement process requires a certified attestation report before signing, we're not the right fit yet.
No customer-side audit logs as a product feature
We log access to customer data for internal purposes, but customers can't currently query or export those logs through the dashboard. This is on the 2026 roadmap.
No client-managed encryption keys
All encryption currently uses keys managed by our infrastructure provider. If you need to hold your own encryption keys and retain the ability to revoke access cryptographically, wait for Orac Enterprise (self-hosted).
No configurable data retention
Conversations and uploaded content are retained until you delete them. Automatic purge after a fixed period (30/90 days, on-session) is planned but not yet implemented.
Reporting security issues
Found a vulnerability? Email us directly. We don't run a formal bug bounty yet, but we acknowledge valid reports within one business day and work with reporters in good faith.
security@askorac.com
Enterprise & procurement
Need a signed DPA, SLA commitments, specific questionnaire responses, or self-hosted deployment? Tell us what you need.
hello@askorac.com