Security Policy
Last updated: February 2026
OUR APPROACH
Orqa Technologies Incorporated provides person-level intelligence compiled from public sources. The nature of our product requires rigorous security practices across every layer of our infrastructure. We treat security not as a feature but as a precondition for operating in this space.
This page describes our current security posture. If you have questions or need to report a security issue, contact us at security@orqa.co.
DATA PROTECTION
Encryption in transit. All data transmitted between clients and our platform is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints with no fallback to unencrypted connections.
Encryption at rest. All stored data is encrypted using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation.
Access controls. Access to production systems and client data is restricted on a least-privilege basis. All access requires multi-factor authentication. Access grants are reviewed quarterly and revoked upon role change or departure.
Audit logging. All access to client data and production systems is logged with immutable audit trails. Logs include timestamp, identity, action performed, and resources accessed. Logs are retained for 12 months.
INFRASTRUCTURE
Cloud infrastructure. Our platform runs on enterprise-grade cloud infrastructure hosted in the United States. We use isolated virtual private networks, security groups, and role-based access controls to segment environments.
Environment separation. Development, staging, and production environments are fully separated. No production data is used in development or testing environments.
Monitoring. We maintain continuous monitoring across our infrastructure for anomalous activity, unauthorized access attempts, and system health. Alerts are routed to our engineering team in real time.
Vulnerability management. We conduct regular vulnerability scanning of our infrastructure and application layer. Critical and high-severity vulnerabilities are prioritized for remediation within defined SLAs.
Dependency management. Third-party dependencies are monitored for known vulnerabilities and updated on a regular cadence. We maintain a software bill of materials for our core platform.
APPLICATION SECURITY
Authentication. Client access to our platform requires authentication via secure credentials with mandatory multi-factor authentication. Session tokens are short-lived and automatically expire.
API security. All API endpoints require authenticated access with scoped permissions. Rate limiting and request validation are enforced on all endpoints.
Input validation. All user-supplied input is validated and sanitized to prevent injection attacks, cross-site scripting, and other common web application vulnerabilities.
Secure development. Our engineering team follows secure development practices including code review, static analysis, and automated security testing as part of our CI/CD pipeline.
DATA HANDLING
Data sources. Orqa compiles intelligence from publicly available sources including regulatory filings, property records, corporate registrations, news archives, academic publications, conference programs, and other public records. We do not purchase data from data brokers or access non-public databases.
Data retention. Client-specific data is retained for the duration of the client relationship and deleted within 90 days of contract termination upon request. Compiled public intelligence is retained and updated on a rolling basis.
Data minimization. We collect only the data necessary to deliver our services. We do not collect or store information that is not relevant to our intelligence products.
Subprocessors. We use a limited number of third-party service providers for infrastructure, analytics, and communication. All subprocessors are evaluated for security practices and bound by data protection agreements. A list of current subprocessors is available upon request.
ORGANIZATIONAL SECURITY
Personnel. All team members undergo background checks and sign confidentiality agreements. Security awareness is part of our onboarding process and reinforced on an ongoing basis.
Incident response. We maintain a documented incident response plan that covers detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting client data, affected clients will be notified within 72 hours.
Business continuity. Our platform is designed for high availability with automated failover. Data is backed up regularly with tested recovery procedures.
COMPLIANCE AND CERTIFICATIONS
We are in the process of pursuing SOC 2 Type II certification. Our security controls are designed to align with the SOC 2 Trust Service Criteria for security, availability, and confidentiality. We will update this page as certifications are obtained.
REPORTING A VULNERABILITY
If you believe you have discovered a security vulnerability in our platform, please report it to security@orqa.co. We ask that you provide sufficient detail for us to reproduce the issue and allow reasonable time for remediation before any public disclosure.
We do not currently operate a formal bug bounty program but appreciate and acknowledge responsible security research.
CONTACT
For security-related inquiries:
security@orqa.co
Orqa Technologies Incorporated
40 W 25th St, Suite 901
New York, NY 10010