This article explains, in plain language, the security posture of Oryn. For the formal commitment statement, see the Security page. For vendor-security packages (SIG, CAIQ, SOC 2 readiness), contact trust@decoded-systems.com.
Encryption
- At rest: AES-256 encryption on every block in the database and in object storage (R2).
- In transit: TLS 1.3 between your browser and our API, between our API and all third-party services.
Identity and access
- Auth0 manages user identity. We don’t store password hashes; Auth0 does.
- MFA can be enforced per firm. We recommend it on; most of our firms enable it.
- SSO / SAML supported on paid tier for firms that want to centralize identity.
- Session tokens are short-lived (access token ~15 minutes) with refresh tokens rotating on use.
Data isolation
- Per-firm isolation is enforced at the query layer with row-level security.
- Row-level security means a bug in application code that forgot to filter by firm still cannot return another firm’s data.
- No shared tables contain more than one firm’s data.
Audit and accountability
- Every artifact write — documents, pleadings, signatures, time entries, trust transactions — writes an append-only event log entry.
- Audit events are queryable by any user with audit-role permission.
- Authentication events (login, MFA challenge, token refresh) are logged separately.
Webhook integrity
- Every inbound webhook from a third party (Dropbox Sign, LawPay, etc.) is verified by signature or shared secret.
- Duplicate deliveries are deduped via stored event IDs. Replay attacks are not a concern.
Rate limiting and throttling
- Public endpoints are throttled by client IP (
RealIpThrottlerGuard). - Auth endpoints have aggressive throttling to slow credential-stuffing attacks.
SOC 2
- Oryn is SOC 2 aligned — designed against the SOC 2 control framework from day one.
- Policies (access control, change management, incident response, vendor management) are written and being implemented as of April 2026.
- Type II attestation is planned for Q4 2026.