Orkestra

Security and hosting posture

Effective 2026-04-14

Orkestra is built for EU regulated entities subject to DORA, NIS2, and the GDPR. This page summarises our security posture and is offered as diligence material for procurement and risk teams.

Hosting and data residency

Primary hosting: Scaleway Paris (FR). All customer data, including the audit trail and the event store, is stored in the European Union. No customer data is replicated outside the EEA.

Model vendor and Zero Data Retention

LLM inference is provided by Anthropic PBC using the Claude family. Orkestra operates under Zero Data Retention with Anthropic: prompts and responses are not retained for training or beyond the duration of the API call.

DORA alignment (Regulation (EU) 2022/2554)

Orkestra maintains a Register of Information in the form required by the Commission Implementing Regulation, published at /legal/dora-register. Contractual arrangements with subprocessors include the provisions required by DORA Articles 28 and 30, including information security, incident reporting within the financial entity's timelines, exit assistance, and audit rights. We operate an ICT risk framework, incident management with notification obligations, and a tested resilience plan.

NIS2 alignment (Directive (EU) 2022/2555)

As a B2B provider to essential and important entities, Orkestra maintains cyber hygiene measures consistent with Article 21 NIS2: policies on risk analysis and information system security, incident handling, business continuity, supply chain security, secure development, access control, cryptography, and multi-factor authentication.

Audit trail

Every analyst query produces an immutable audit record including client scope, the prompt excerpt, the model and token counts, and the citations returned. Records are retrievable by URL and printable for supervisory review.

Responsible disclosure

Report a vulnerability to security@orkestra.eu. We acknowledge within two business days and coordinate disclosure with the reporter.