Your data is in good hands
The Trust Center explains concretely how we protect data, govern AI agents and organise compliance. It makes our security posture verifiable, readable and useful for your business, technical and legal teams.
Which security commitments can you verify quickly?
You can quickly verify four structural points: hosting, encryption, agent governance and human oversight. This table provides a concise overview of our position to facilitate internal discussions before a more detailed scoping session with your security, product or compliance teams.
| Topic | Our position | What this means |
|---|---|---|
| Hosting | European infrastructure on Vercel and Supabase, with data hosted in the EU. | Reduces geographic dispersion risks and simplifies the compliance framework for European clients. |
| Encryption | TLS 1.3 in transit, encryption at rest, and data-level access control. | Protects exchanges, limits exposure and strengthens access traceability. |
| Agent governance | Granular permissions, audit logging and digital role cards for every deployed agent. | Prevents agents from holding more rights than necessary and clarifies their scope of action. |
| Human oversight | Human validation on critical actions and the ability to pause or roll back quickly. | Keeps sensitive decisions on the human side and reduces operational risk. |
Which pillars structure our security and compliance?
Our framework rests on six complementary pillars covering hosting, compliance, technical security, agent permissions, human oversight and internal policies. This combination is what converts a security promise into a more robust operating framework.
European hosting
Your data stays in Europe. Our infrastructure relies on Vercel for the application layer and Supabase for the database, with a European anchor consistent with our compliance requirements.
- Vercel, European edge network with points of presence close to France
- Supabase, PostgreSQL hosted in the European Union
- Encrypted backups on European storage
- Architecture designed to keep data close to the business need
GDPR compliance
We treat compliance as a design constraint, not a documentation layer added at the end. Data processing, retention and associated rights are framed from the outset.
- Up-to-date processing register
- Documented retention policy
- Operational access, rectification and erasure rights
- DPA available on request
- Explicit consent for newsletter and analytics cookies
Encryption & security
Data is protected at every stage through encryption, fine-grained access control and zero-trust logic. The goal is to limit exposure, segment permissions and make actions auditable.
- TLS 1.3 for communications
- Encryption at rest for databases
- Row Level Security on Supabase
- Regular key and secret rotation
- Strong authentication for teams
- Logging of sensitive accesses and actions
Agent role cards
Every deployed AI agent has a clearly defined scope. We specify what it can read, write, propose and trigger to avoid overly broad usage and keep the system manageable.
- Scope of action defined per agent
- Read, write and execution permissions limited
- Usage budgets and operational guardrails
- Full action logging
- Regular permission reviews
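The "Row Level Security on Supabase" bullet above and the per-agent read/write limits in the role cards are both enforceable in the database itself. The following is an added illustration, not the Trust Center's own schema or policies: every table and column name (`documents`, `agent_grants`, `owner_id`, `agent_id`) is an assumption, and it models an agent as its own Supabase auth identity rather than a holder of the human's token.

```sql
-- Added illustration, not Orchestra Intelligence's schema: owner-scoped tables and
-- read-only agent grants enforced by PostgreSQL Row Level Security on Supabase.
-- All table and column names below are assumptions.

create table if not exists public.documents (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- One row per "role card": which agent identity may read which owner's documents.
-- An agent is a distinct auth user, so it never shares the human's token.
create table if not exists public.agent_grants (
  agent_id uuid not null references auth.users (id),
  owner_id uuid not null references auth.users (id),
  primary key (agent_id, owner_id)
);

-- Deny by default: once RLS is enabled, no row is visible until a policy grants it.
alter table public.documents enable row level security;
alter table public.documents force row level security;   -- also binds the table owner
alter table public.agent_grants enable row level security;

-- Humans: full access to their own rows only. auth.uid() is the caller's JWT subject.
create policy documents_owner_all on public.documents
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Agents: SELECT only, and only where a grant row exists. No insert/update/delete
-- policy names an agent, so writes are refused whatever the model "decides".
create policy documents_agent_read on public.documents
  for select to authenticated
  using (
    exists (
      select 1 from public.agent_grants g
      where g.agent_id = auth.uid()
        and g.owner_id = public.documents.owner_id
    )
  );

-- The grant table is itself under RLS, so the policy above can only match rows
-- the agent is allowed to see: each grant is visible to the two parties it names.
create policy agent_grants_visible on public.agent_grants
  for select to authenticated
  using (auth.uid() in (agent_id, owner_id));

-- Only the data owner can create or revoke a grant (a "regular permission review"
-- becomes a query over this table rather than a spreadsheet).
create policy agent_grants_owner_manage on public.agent_grants
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());
```

Two points worth checking in any deployment of this pattern: policies are combined with OR, so an agent that is also handed a human's JWT would inherit the owner policy, which is why the agent needs its own identity; and the Supabase `service_role` key bypasses RLS entirely, so it must never reach an agent runtime or the browser.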
Human oversight
Our Human in the Loop approach keeps humans at the centre of critical decisions. Agents accelerate execution, but final validation and arbitration remain with your teams and business owners.
- Human validation on critical actions
- Configurable approval workflow
- Real-time supervision dashboard
- Alerts on abnormal behaviour
- Pause and rollback available
- Detailed activity reports
Security policy
Our operations are underpinned by an internal policy covering access, incidents, data protection, business continuity and development security. This discipline is essential for long-term resilience.
- Access and identity management
- Data classification and protection
- Security incident response
- Business continuity and recovery
- Development security
- Security training and awareness
Where do we stand on certifications and the security roadmap?
We follow a logic of continuous progression on compliance, security and audit frameworks. This section shows where we are already aligned, what is in progress and what remains planned to strengthen the framework over time.
- Risk classification, documentation and transparency requirements addressed.
- Processing register, data subject rights and contractual framework available.
- Ongoing structuring of practices to reach a higher standard of requirements.
- Requirements reviewed in line with sub-processors and the evolution of the internal framework.
- External campaigns planned with an independent firm to reinforce verification of the framework.
How does data flow through our architecture?
Data flows between the client, the application layer and the database within an encrypted and supervised framework. The goal is to reduce exposure points, make access readable and explicitly govern AI model calls where necessary.
Data and AI model calls
Calls to external models follow a data minimisation logic, with anonymisation applied where possible. The goal is to limit exposure of sensitive information and keep usage governance on the client and infrastructure side.
What questions come up most often about security?
The questions below are frequently raised by prospects and clients who want to understand how we handle hosting, permissions, potential agent errors and the contractual framework for data protection.
- Where is my data stored?
- Do AI agents have access to all my data?
- What happens if an AI agent makes a mistake?
- Can I obtain a DPA?
- How do I report a vulnerability?
Need an answer on security or GDPR?
If you need clarification on hosting, compliance, permissions or agent governance, we can respond in more detail and with context based on your environment, constraints and internal requirements.
Contact: sales@orchestraintelligence.fr, reply within 48 business hours