Trust Center
This Trust Center is a single place for security, privacy, data-residency, and AI-governance information for teams evaluating Orchra — including enterprise procurement and Saudi public-sector buyers. For a security questionnaire, DPA, or specific evidence, contact security@orchra.io.
Company identity
| | |
|---|---|
| Legal entity | Orchra Technology |
| Commercial Registration (CR) | 012349504 |
| Registered address | Riyadh 13214, Kingdom of Saudi Arabia |
| Security contact | security@orchra.io |
| Privacy contact | privacy@orchra.io |
Data residency
Early-access and application data are stored on our application backend located in the Kingdom of Saudi Arabia, and we aim to keep that data within the Kingdom. The public marketing site is served over Cloudflare's global content delivery network, so request metadata such as IP address may be processed at Cloudflare edge locations outside the Kingdom for delivery and security. Where this constitutes a cross-border transfer under the PDPL, we rely on the transfer mechanisms permitted under the PDPL Transfer Regulations. Full detail is on our Saudi PDPL page.
Security controls
Orchra applies technical and organizational controls appropriate to the risk of an AI-driven revenue platform:
- Encryption in transit across the site and application, with HTTPS enforced and HSTS.
- Access control and least privilege — access is limited to staff who need it, with role-based permissions.
- Audit logging of sensitive actions, including AI agent activity and forecast overrides.
- Vulnerability and dependency management as part of our development lifecycle.
- Incident response with defined breach-notification steps (see Privacy and PDPL pages).
- External attack surface management — subdomain inventory, DNS change governance, email authentication, and security-header hardening. See Security.
AI governance
Because Orchra dispatches AI agents that can act on revenue data, governance is built into the product rather than added on:
- Human approval — agents operate within configured permissions, and sensitive actions can require human sign-off.
- Scoped agent permissions — what an agent is allowed to read and do is explicitly defined and role-based.
- Versioned audit trail — agent actions and forecast overrides are attributed and reversible.
- Data isolation — customer data is logically separated.
- Model-training policy — we do not use your private revenue data to train shared or third-party foundation models.
Privacy
Orchra complies with the Saudi Personal Data Protection Law (PDPL) and its Implementing Regulations, and, for visitors in those regions, the EU and UK GDPR. Individuals can access, correct, delete, and withdraw consent for their data. See the Privacy Policy and the Saudi PDPL page.
Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Content delivery, hosting and security for the marketing site | Global edge network |
| Application backend hosting | Stores early-access and application data | Kingdom of Saudi Arabia |
| Plausible Insights OÜ | Aggregate, cookieless analytics (no personal data) | European Union |
We require each sub-processor to protect your data and to use it only for the purpose we specify, and we will keep this list current.
Compliance roadmap
Orchra is building its security and privacy program to support Saudi enterprise and public-sector procurement requirements. The following are planned or in progress — none is represented as completed or certified at this time:
| Item | Status |
|---|---|
| SOC 2 (Type I → II) | Planned |
| ISO/IEC 27001 | Planned |
| NCA ECC control mapping | In progress |
| NCA CCC (cloud) control mapping | In progress |
| Data Processing Agreement (DPA) | Available on request |
Request information
For security questionnaires, a DPA, sub-processor updates, or procurement evidence, contact security@orchra.io. For privacy requests, contact privacy@orchra.io.