Security Policy
How we protect ORA and your data.
Last updated: April 25, 2026
Security is foundational to ORA. As a constitutional AI operating system, ORA handles sensitive agent operations, workflow data, and MCP memory. This policy describes our technical and organizational security measures.
1. Encryption
- In transit: All data transmitted between your client and ORA is encrypted with TLS 1.3 or newer. Plain HTTP requests are redirected to HTTPS.
- At rest: Stored session data, MCP memory, and logs are encrypted with AES-256.
- Model requests: Requests to NVIDIA NIM and other configured model providers are encrypted in transit per the provider’s specifications.
2. Access Controls
- Authentication: Google OAuth 2.0 with mandatory email verification. API keys are generated with a cryptographically secure random number generator.
- Least privilege: Internal staff access systems only as needed for their role. All access to production data is logged.
- Session management: Authentication tokens expire after 24 hours of inactivity. Sensitive operations require re-authentication.
3. Agent Security
- All agent actions are logged with full audit trails.
- Governance gates prevent unauthorized agent escalation.
- Tool calls to external systems require explicit configuration.
- No agent can access systems outside your configured tool list.
4. Incident Response
In the event of a security incident affecting personal data, we notify affected users within 72 hours of discovery, the same window GDPR Article 33 sets for notifying the supervisory authority. Notification includes the nature of the incident, the categories of data affected, and remediation steps. The full procedure is set out in our Incident Disclosure Policy.
5. Vulnerability Disclosure
If you discover a security vulnerability in ORA, please report it to info@3d3d.ca with “Security Vulnerability” in the subject line. We will respond within 48 hours and work to address confirmed vulnerabilities promptly. We do not take legal action against good-faith security researchers.
6. Compliance Roadmap
- SOC 2 Type II: Planning phase (target 2027)
- ISO 27001: Under evaluation
- GDPR compliance: Active (the EU adequacy decision for Canada covers transfers to organizations subject to PIPEDA)
- NIST AI RMF: Implemented (see Risk Assessment)
7. Contact
Security questions: info@3d3d.ca with the subject “Security”.