Security & Privacy

Your employees' trust is our product's foundation.

🛡️DPA Ready

✓CCPA Compliant

🌐GDPR Ready

🔒AES-256

🗄️Row-Level Security

🙈Aggregate Only

🕒SOC 2 Planned

Employers never see individual employee data. Ever.

We don't sell your data. We don't advertise. We don't share across companies.

DATA PROTECTION

What ORVI Collects

Display name

Preferences

Check-in data

Card interactions

Opt-in HealthKit

What Employers See

Total enrolled

WAU/DAU

Aggregate check-in rate

Pillar engagement

NOTHING individual

What ORVI Never Does

Never shows individual data

Never sells data

Never advertises

Never shares across companies

TECHNICAL SECURITY

Measure	Detail
Encryption in transit	TLS 1.3
Encryption at rest	AES-256 (Supabase managed)
Auth	Email OTP, short-expiry JWTs
Data isolation	Row-Level Security, company_id enforcement
API security	Cloudflare WAF, rate limiting
Breach notification	24 hours (per DPA)
Data retention	Active during subscription, deleted within 30 days of termination
Data portability	Full JSON export endpoint

COMPLIANCE FRAMEWORK

Framework	Status
HIPAA	Not directly applicable — standalone wellness app. HIPAA-aligned practices adopted voluntarily.
SOC 2 Type I	Planned within 6 months of first paid contract
GDPR	Ready — DPA with Article 28 clauses, data subject rights implemented
CCPA/CPRA	Compliant — no data selling, consumer rights implemented
ADA	Compliant — participation voluntary, no health-contingent incentives
PCI DSS	Handled by Stripe — ORVI never stores card data

DATA PROCESSING AGREEMENT

We provide a pre-signed Data Processing Agreement to all pilot clients.

Sub-processors:

SupabaseOpenAIAnthropicUpstashPostHogStripeFirebaseMuxCloudflare

Security questions? Email security@orvi.ai