Security at Oraion


At Oraion, we emphasise a security-first culture that begins with employee onboarding and promotes accountability at every organisational level to protect customer data privacy. All team members are required to undergo extensive data security training and to adhere to internal policies that align with our SOC 2 compliance obligations.


Oraion Core Security Principles

  • End-to-End Encryption: All data is encrypted during transmission (using TLS) and is also secured at rest.

  • Authentication: Multi-factor authentication (MFA) is required for all sensitive systems.

  • Access Control: Role-based access control (RBAC) is enforced across services using SCIM, with access granted on the principle of least privilege.

  • SSO Enforcement: Secure single sign-on (SSO) processes are integrated across our internal systems and development pipelines.

  • Audit and Monitoring: We maintain audit logs and continuously monitor for anomalies and unauthorised access.


Oraion Data: Built with Security at the Core

The architecture of Oraion is designed to prioritise security from its inception. Database credentials are stored in an encrypted vault. When a query is executed, Oraion retrieves results from your data warehouse and returns them to an isolated bastion service, with optional caching available.


A distinguishing feature of Oraion is our commitment to reducing data movement and enforcing least-privilege access.


Workspace administrators possess granular control over access, including oversight of database connections, project visibility, and edit permissions.


Oraion integrates with major single sign-on (SSO) providers such as Google Workspace and Okta, as well as any OIDC-compatible identity provider. Our access control model addresses stringent regulatory and privacy requirements, making us a suitable option for organisations governed by GDPR, HIPAA, and other data protection frameworks. The control structure of Oraion encompasses:

  • User Roles: Clearly defined capabilities that determine the actions users can perform and the default permissions they inherit.

  • Data Access: Restrictions on access to specific data sources; users are permitted to interact only with connections shared with them.

  • Project Access: Project owners have the authority to manage collaborator permissions, thereby controlling access to both data and application logic.


Oraion Deployment Options

For organisations with specific regulatory or privacy requirements, Oraion provides dedicated single-tenant deployments in the AWS region of their choice, ensuring that no infrastructure resources are shared with other customers.


Oraion Data Storage

Oraion uses AWS for both data processing and storage. All data is encrypted both at rest and in transit. We use AES-256 encryption for stored data, which includes credentials, file uploads, and cached results, and TLS version 1.2 or newer for all network traffic.


Oraion Internal Access Controls

Oraion follows the principle of least privilege, meaning that only engineering or support personnel who need operational access are given permission to view customer data, and this access is granted solely in response to a support case. All access events are logged in detail. Access is managed centrally through an Identity Provider (IdP), and single sign-on (SSO) is used whenever possible. Authorisation is handled through infrastructure-as-code, and all access to production and customer data is protected by multi-factor authentication (MFA) and requires multi-reviewer approvals for any permission changes. Clients maintain ownership of their data; Oraion does not sell, exploit, or use client data for any purpose other than providing support and improving the overall product experience.


Oraion Application Security

Oraion employs Software Composition Analysis (SCA) and Static Application Security Testing (SAST) to identify vulnerabilities within our codebase and its dependencies. Each pull request is subject to automated checks aimed at detecting bugs, security vulnerabilities, and code quality issues. Changes to the production environment are made through protected branches and require multiple levels of review before deployment through automated pipelines. Following deployment, our engineering team monitors real-time system health metrics to ensure both stability and security.


Oraion Compliance and Standards

Oraion is SOC 2 Type II certified, reflecting our commitment to data security, availability, and confidentiality.
Our policies and internal controls are aligned with leading industry standards and security frameworks. We operate in compliance with GDPR and other applicable data protection laws.


Vulnerability Disclosure

We encourage responsible disclosure of any vulnerabilities or security concerns.
If you have identified a potential issue, please contact us at incidents@oraion.com. We will investigate all reports promptly and transparently.


Whistleblower Protection

Oraion supports ethical reporting of legal or compliance concerns. We strictly prohibit retaliation against any individual who raises an issue in good faith.


Continuous Improvement

Security is an ongoing effort. We regularly update our practices in response to emerging threats, regulatory changes, and evolving technologies.


We know trust is earned. We are committed to earning it every day.