Trust & security.

Public transparency page on Orkelia's infrastructure, compliance and GDPR commitments. Last updated May 18, 2026.

Stack and hosting

ComponentProviderRegion / certification
DatabaseSupabaseAWS eu-west-3 Paris (infrastructure)
Front + Edge runtimeVercelFrankfurt / Paris (CDN proxy), code under physiopros-projects
Transactional emailResendEU region, public Resend DPA
LLM agent (long text)Anthropic Claude Sonnet 4.6Zero retention enabled (no model training)
LLM classification (replies)Anthropic Claude Haiku 4.5Zero retention enabled
PaymentStripePCI-DSS L1, Stripe Climate

GDPR — verifiable commitments

  • European hosting · data stored exclusively on AWS eu-west-3 Paris (Supabase project ID: ykafzpuxicvgatdluuel)
  • EU hosting · AWS eu-west-3 (Paris) infrastructure. The Orkelia layer itself is not HDS-certified — and no health data is processed (see DPA).
  • DPA provided before signing · EU standard contract on request at dpo@orkelia.com
  • Zero retention LLM · Anthropic neither stores nor trains on your data (Enterprise clause)
  • Pre-LLM anonymization · sensitive patient data (name, SSN, allergies) is pseudonymized before being sent to the model
  • Right of access · full JSON export within <30 days on email request (GDPR Art. 15)
  • Right to erasure · DB + logs + backups purge within <30 days (GDPR Art. 17)
  • Audit logs · 12-month retention of admin/super-admin access
  • Breach notification · <72h in accordance with GDPR Art. 33
  • Declared sub-processors · exhaustive list in the DPA (Supabase, Vercel, Resend, Anthropic, Stripe)
  • Full reversibility · DB export in SQL/JSON, complete deletion after the contractual period
  • TOTP 2FA · enabled on all accounts; SAML SSO available on the Group plan

Application security

Authentication

Email + magic link via Supabase Auth, optional TOTP 2FA, signed JWT sessions with rotation, 7-day expiry.

Tenant isolation

PostgreSQL Row-Level Security on all sensitive tables. Automated tenant-isolation tests on every deploy.

Encryption

TLS 1.3 in transit, AES-256 at rest (Supabase + AWS RDS). Secrets in Vercel's encrypted vault, never in cleartext in the repo.

Anti-spam honeypot

All public forms (audit, partners, agent-sur-mesure, clinique-group) include a honeypot field. Bots filtered silently.

Security headers

HSTS, X-Frame-Options, X-Content-Type-Options, strict Permissions-Policy. CSP being hardened (report-only mode).

Dependencies

Automated npm audit on every deploy. Committed lockfile. Critical major upgrades (auth, crypto) reviewed manually.

AI — usage and guardrails

Models used

Orkelia uses two main Anthropic models: Claude Sonnet 4.6 for generation tasks (writing personalized drafts, agent conversations) and Claude Haiku 4.5 for classification tasks (categorizing incoming replies, identifying intent). No OpenAI/Google model is used in production.

Zero retention

Anthropic's "zero retention" option is enabled by default on all Orkelia LLM calls. Inputs and outputs are neither stored at Anthropic nor used to train the models. Contractual commitment via Enterprise clause.

Pre-LLM anonymization (health)

For Orkelia Clinic workspaces, an anonymization pipeline runs before every LLM call: pseudonymization of patient names, masking of social security numbers, abstraction of severe allergies into a category. The LLM sees a de-identified representation.

Business guardrails

The agent can never invent a price, an agenda slot or a doctor that doesn't exist in the database. Tool-use tools are explicitly whitelisted (max 9 tools per workspace). Hallucinations blocked by a post-generation check.

Human escalation

On sensitive topics (medical emergency, contractual request, complaint) the agent automatically escalates to you (SMS to mobile + dashboard). The agent never makes a medical or contractual decision on its own.

Independent audit

On May 17, 2026, Orkelia was audited by an independent consultant and scored 71/100 — "mature, more advanced than the market average at this stage of development". Detailed report available on request at alexandre@orkelia.com.

An ISO 27001 certification is planned for Q3 2026 for Group and Enterprise accounts.

Contacts

GDPR audit of your current stack?

30 min video call with the founder to compare your current vendor against the 12 GDPR points. No pitch, no commitment.

Book a 30-min audit →