Security
The technical and organizational controls Oryn uses to protect your client data.
This page is Oryn’s formal security commitment. A plain-language version, written for you or your firm’s vendor-review process, lives in the knowledge base.
Program
Oryn’s security program is led by engineering leadership with formal policies covering access control, change management, vendor management, vulnerability management, and incident response. Oryn is SOC 2 aligned today; Type II attestation is planned for Q4 2026.
Encryption
- At rest: AES-256 encryption on every database block and object-store object.
- In transit: TLS 1.3 on every network hop.
- Secrets: managed through our hosting provider’s secrets store, rotated on schedule, never committed to source.
Identity
- Auth0-managed identity; Oryn never stores passwords.
- MFA enforceable per firm.
- SSO/SAML available on paid tier.
- Per-firm MFA policies, session timeouts, and account lockout thresholds.
Data isolation
- Row-level security enforced at the database query layer.
- Firm-scoped access tokens.
- All integration tokens stored encrypted, per-firm.
Audit
- Append-only event ledger records every artifact write.
- Authentication events logged separately.
- Audit access available to firm administrators.
Vulnerability management
- Dependency monitoring via Dependabot.
- CVE triage on a defined SLA.
- Responsible-disclosure policy available on request.
Subprocessors
Our processors include Railway (hosting), Cloudflare R2 (object storage), Auth0 (identity), Dropbox Sign (e-signature), LawPay (payments), and Sentry (error tracking). We maintain Data Processing Addenda with each and publish an up-to-date subprocessor list on the subprocessors page.
Incident response
In the event of a security incident affecting your data, we commit to providing notice within 72 hours of confirmation, including the specifics required by applicable law (GDPR, state breach statutes).