Security & Trust
Enterprise security, built for the region
Your data stays close to home. Our platform is built from the ground up with data sovereignty, compliance, and enterprise-grade security at its core.
Your data stays in the region
Oris AI runs on Vercel's Frankfurt (EU) edge network, the closest supported region to the UAE. Database and vector storage are hosted on Supabase Cloud with data encrypted at rest (AES-256) and in transit (TLS 1.3).
For GCC enterprises requiring on-soil data residency, we offer dedicated Supabase instances in UAE or Saudi Arabia. No customer data is used for model training — Anthropic's Claude processes queries in real time with zero data retention.
Compliance & Certifications
PDPL
Compliant (Saudi Arabia)
Saudi Personal Data Protection Law. Full compliance with data localization and consent requirements.
UAE Data Protection
Compliant (United Arab Emirates)
Adhering to UAE Federal Decree-Law No. 45 of 2021 on the protection of personal data.
SOC 2 Type II
In Progress (Global)
AICPA SOC 2 Type II audit. Security, availability, and confidentiality controls.
ISO 27001
Planned (Global)
Information Security Management System certification. Planned for 2026.
Security Architecture
Encryption in Transit and at Rest
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Sensitive customer data is never stored in plaintext.
Tenant Isolation
Multi-tenant architecture with strict row-level security. Each organization's data is logically isolated at the database level.
Audit Logging
Complete audit trail of every action, API call, and data access. Immutable logs retained for compliance and incident response.
SSO & RBAC
Enterprise SSO integration (SAML, OIDC) with role-based access controls. Fine-grained permissions for teams of any size.
How We Built It
Clerk SSO & RBAC
SAML/OIDC enterprise SSO with role-based access controls and fine-grained permissions.
Supabase RLS + pgvector
Row-level security isolates every tenant at the database level. Vector search via HNSW index.
AES-256 at Rest
All data encrypted at rest using AES-256. Database backups are also encrypted.
TLS 1.3 in Transit
All connections use TLS 1.3. No data is transmitted to or from the system in cleartext.
PII Redaction Pipeline
Phone numbers, emails, IDs, credit cards, and IBANs are auto-detected and scrubbed from logs.
Rate Limiting & SSRF Protection
IP-based rate limiting on all public endpoints. SSRF guards block server-side requests to internal network ranges and cloud metadata endpoints.
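The two controls in that last item, as an added example in TypeScript (illustrative code, not Oris AI's own). The outbound-URL check rejects non-HTTP schemes, embedded credentials, internal hostnames and every address in the loopback, private, link-local, CGNAT and multicast ranges, which covers the cloud metadata address 169.254.169.254; the token-bucket limiter is keyed by client IP. The blocked ranges, the hostname list, the bucket parameters and the injectable clock are choices made for this demo.

```typescript
// Added example, not Oris AI's code: an outbound-URL guard against SSRF plus a
// per-IP token-bucket rate limiter. Blocked ranges are the usual private,
// loopback, link-local, CGNAT and multicast networks (which include the cloud
// metadata address); the clock injection exists so the limiter is testable.

const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata", "metadata.google.internal"]);

// [network, prefix-length] pairs that must never be reached from the app.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

/** Dotted-quad IPv4 literal to an unsigned 32-bit integer, or null if it is not one. */
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((x) => x > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

export function isBlockedIPv4(ip: string): boolean {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net)! & mask) >>> 0);
  });
}

/** Minimal IPv6 screen: loopback, link-local, unique-local and IPv4-mapped forms. */
export function isBlockedIPv6(ip: string): boolean {
  const h = ip.toLowerCase();
  if (h === "::1" || h === "::" || /^fe[89ab]/.test(h) || /^f[cd]/.test(h)) return true;
  const mapped = /^::ffff:(.+)$/.exec(h);
  if (!mapped) return false;
  if (mapped[1].includes(".")) return isBlockedIPv4(mapped[1]);
  const [hi, lo] = mapped[1].split(":").map((g) => parseInt(g, 16));
  if (Number.isNaN(hi) || Number.isNaN(lo)) return true; // unparseable: fail closed
  return isBlockedIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
}

/** Run this on the literal host now and again on every DNS-resolved address at connect time. */
export function isBlockedAddress(host: string): boolean {
  return host.includes(":") ? isBlockedIPv6(host) : isBlockedIPv4(host);
}

export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

/** Validate a user-supplied URL before any server-side fetch (webhooks, imports, link previews). */
export function checkOutboundUrl(raw: string): UrlCheck {
  let url: URL | null = null;
  try {
    url = new URL(raw);
  } catch {
    // fall through: handled below
  }
  if (!url) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // WHATWG parsing has already canonicalised 2130706433, 0x7f000001 and 0177.0.0.1 to 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith(".internal") || host.endsWith(".local")) {
    return { ok: false, reason: `host ${host} is internal` };
  }
  if (isBlockedAddress(host)) return { ok: false, reason: `address ${host} is in a blocked range` };
  return { ok: true, url };
}

/** Token bucket keyed by client IP; `now` is injectable so the behaviour is testable. */
export class IpRateLimiter {
  private readonly buckets = new Map<string, { tokens: number; last: number }>();
  private readonly capacity: number;
  private readonly refillPerSec: number;
  private readonly now: () => number;

  constructor(capacity: number, refillPerSec: number, now: () => number = () => Date.now()) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
  }

  allow(ip: string): boolean {
    const t = this.now();
    const b = this.buckets.get(ip) ?? { tokens: this.capacity, last: t };
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.last) / 1000) * this.refillPerSec);
    b.last = t;
    this.buckets.set(ip, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}
```

Checking the literal host at validation time is not sufficient on its own: an attacker-controlled DNS name can resolve to a public address while it is being checked and to an internal one when the HTTP client connects (DNS rebinding), so the same isBlockedAddress check has to run again on the address the client actually resolves, and the connection should be pinned to that address. Likewise, behind an edge platform the IP fed to the limiter must be the one the platform sets in its forwarding header, not a header the client can supply itself.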
Sub-Processors
Every third-party service that processes data on behalf of Oris AI.
| Provider | Purpose | Location | Data Processed |
|---|---|---|---|
| Vercel | Application hosting & edge network | Frankfurt, EU | Request logs, static assets |
| Supabase | PostgreSQL database & vector storage | Cloud (EU region) | All application data, embeddings |
| Clerk | Authentication & SSO | US (SOC 2 compliant) | User email, name, session tokens |
| Anthropic | AI inference (Claude) | US (zero data retention) | Conversation messages (not stored) |
| Twilio | WhatsApp & Voice channels | US/EU | Phone numbers, message routing |
| Cohere | Text embeddings | US | Document text (for embedding only) |
| Cartesia | Text-to-speech | US | Generated speech text |
| Sentry | Error monitoring | US (SOC 2 compliant) | Error logs (PII scrubbed) |
Security FAQ
Where is my data stored?
Application data is stored in Supabase PostgreSQL (EU region). The application runs on Vercel's Frankfurt edge network. For GCC enterprises, we offer dedicated database instances in UAE or Saudi Arabia.
Do you have SOC 2 certification?
SOC 2 Type II is currently in progress. Our infrastructure providers (Vercel, Supabase, Clerk, Sentry) all hold SOC 2 reports. We expect to complete our own Type II audit by Q3 2026.
Can we sign a Data Processing Agreement (DPA)?
Yes. We provide a standard DPA aligned with UAE Federal Decree-Law No. 45 of 2021 and the GDPR. Contact us at security@getoris.ai or through the form below to request one.
How do you handle PII?
PII (phone numbers, emails, national IDs, credit cards, IBANs) is automatically detected and redacted before logging or analytics. Customer data is never used for model training.
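The detection-and-scrub step described in this answer and in the PII Redaction Pipeline item above, as an added example in TypeScript (illustrative code, not Oris AI's implementation). It goes a little beyond the text: credit cards and IBANs are only redacted when their checksums (Luhn and ISO 7064 mod-97) validate, which keeps order numbers and similar digit runs out of the scrub. The Emirates ID and Saudi national ID layouts, the rule order and the sample log line are assumptions made for the demo.

```typescript
// Added example, not Oris AI's code: a log-scrubbing pass of the kind the page
// describes. Emails, phone numbers, national IDs, credit cards and IBANs are
// matched in a fixed order and replaced with tags; cards and IBANs are only
// redacted when their checksums validate, which removes most false positives.
// Assumptions: the UAE Emirates ID layout 784-YYYY-NNNNNNN-N and the 10-digit
// Saudi national ID stand in for the "national IDs" the page mentions, and the
// sample log line at the bottom is constructed (no real identifiers).

/** Luhn checksum (ISO/IEC 7812) over a 13- to 19-digit string. */
export function luhnValid(digits: string): boolean {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

/** ISO 7064 mod-97 check over an IBAN with spaces removed; digit-by-digit so no BigInt is needed. */
export function ibanValid(iban: string): boolean {
  const s = iban.toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  // Move the country code and check digits to the end, then map A..Z to 10..35.
  const numeric = (s.slice(4) + s.slice(0, 4)).replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (let i = 0; i < numeric.length; i++) rem = (rem * 10 + (numeric.charCodeAt(i) - 48)) % 97;
  return rem === 1;
}

type Rule = { tag: string; re: RegExp; check?: (match: string) => boolean };

// Order matters: the specific, checksummed formats run before the loose phone
// pattern so a card number or IBAN is never half-consumed as a phone number.
const RULES: Rule[] = [
  { tag: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { tag: "IBAN", re: /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b/g,
    check: (m) => ibanValid(m.replace(/ /g, "")) },
  { tag: "EMIRATES_ID", re: /\b784-?\d{4}-?\d{7}-?\d\b/g }, // assumed layout
  { tag: "CARD", re: /\b\d(?:[ -]?\d){12,18}\b/g, check: (m) => luhnValid(m.replace(/[ -]/g, "")) },
  { tag: "SAUDI_ID", re: /\b[12]\d{9}\b/g }, // assumed layout
  { tag: "PHONE", re: /(?:\+|00)\d{1,3}(?:[ -]?\d){7,12}|\b0\d{1,2}[ -]?\d{3}[ -]?\d{4}\b/g },
];

/** Replace each PII match with its tag; a match that fails its checksum is left untouched. */
export function redactPII(text: string): string {
  return RULES.reduce(
    (out, rule) => out.replace(rule.re, (m) => (rule.check && !rule.check(m) ? m : `[${rule.tag}]`)),
    text,
  );
}

// Constructed sample log line for the demo.
export const SAMPLE_LOG =
  "user=fatima@example.com phone=+971 50 123 4567 eid=784-1985-1234567-1 " +
  "card=4111 1111 1111 1111 iban=AE07 0331 2345 6789 0123 456 sa_id=1012345678 order=ORD-20260301 status=ok";

console.log(redactPII(SAMPLE_LOG));
```

The order number in the sample survives because it matches none of the checked formats, while a 16-digit run that fails Luhn is also left alone rather than scrubbed blindly. In a real pipeline this function belongs inside the logger and the analytics exporter, so nothing reaches Sentry or a log store without passing through it, and the ID patterns have to be extended per market rather than assumed from two examples.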
Do you support SSO?
Yes. We support SAML and OIDC-based SSO via Clerk, with role-based access controls (RBAC) for teams of any size. Available on Enterprise plans.
Need more details?
Request our security documentation or schedule a call with our team to discuss your compliance requirements.