Trust & security.

Public transparency page on infrastructure, compliance and GDPR commitments at Orkelia. Updated May 18, 2026.

Stack and hosting

Component | Provider | Region / certification
Database | Supabase | AWS eu-west-3 Paris (HDS-certified via AWS)
Frontend + Edge runtime | Vercel | Frankfurt / Paris (CDN proxy), code under physiopros-projects
Transactional email | Resend | EU region, public Resend DPA
LLM agent (long-form) | Anthropic Claude Sonnet 4.6 | Zero retention enabled (no model training)
LLM classification (replies) | Anthropic Claude Haiku 4.5 | Zero retention enabled
Payment | Stripe | PCI-DSS L1, Stripe Climate

GDPR — verifiable commitments

  • EU hosting · data stored exclusively at AWS eu-west-3 Paris (Supabase project ID: ykafzpuxicvgatdluuel)
  • HDS · covered via AWS Paris certification for healthcare workspaces (Orkelia Clinic)
  • DPA provided before signing · EU model contract available on request to dpo@orkelia.com
  • Zero retention LLM · Anthropic does not store or train on your data (Enterprise clause)
  • Pre-LLM anonymization · sensitive patient data (name, SSN, allergies) is pseudonymized before model submission
  • Right of access · full JSON export in <30 days on email request (Art. 15 GDPR)
  • Right of erasure · purge DB + logs + backups in <30 days (Art. 17 GDPR)
  • Audit logs · 12-month retention of admin/super-admin access
  • Breach notification · within 72h, as required by Art. 33 GDPR
  • Declared subprocessors · exhaustive list in the DPA (Supabase, Vercel, Resend, Anthropic, Stripe)
  • Total reversibility · DB export in SQL/JSON, complete deletion after defined period
  • TOTP 2FA · enabled on all accounts; SAML SSO available on Group plan

Application security

Authentication

Email + magic link via Supabase Auth, optional TOTP 2FA, signed JWT sessions with 7-day rotation.

Tenant isolation

PostgreSQL Row-Level Security on all sensitive tables. Automated tenant isolation tests at deployment.

Encryption

TLS 1.3 in transit, AES-256 at rest (Supabase + AWS RDS). Secrets stored in Vercel's encrypted vault, never in plaintext in the repo.

Anti-spam honeypot

All public forms (audit, partners, custom-agent, clinic-group) include a honeypot field. Bots silently filtered.

Security headers

HSTS, X-Frame-Options, X-Content-Type-Options, strict Permissions-Policy. CSP currently being hardened (deployed in report-only mode).

Dependencies

Automated npm audit at each deploy. Lockfile committed. Critical major upgrades (auth, crypto) manually reviewed.

AI — usage and guardrails

Models used

Orkelia uses two main Anthropic models: Claude Sonnet 4.6 for generation (personalized drafts, agent conversations) and Claude Haiku 4.5 for classification (categorizing inbound replies, identifying intent). No OpenAI/Google model is used in production.

Zero retention

The Anthropic "zero retention" option is enabled by default on all Orkelia LLM calls. Inputs and outputs are neither stored at Anthropic nor used for model training. Contractual commitment via Enterprise clause.

Pre-LLM anonymization (healthcare)

For Orkelia Clinic workspaces, an anonymization pipeline runs before every LLM call: name pseudonymization, SSN masking, severe allergy abstraction to category. The LLM sees a de-identified representation.
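An illustrative pipeline covering the three steps named above (name pseudonymization, SSN masking, allergy abstraction), added here as an example and not Orkelia's own code; the HMAC key, the allergen-to-category map, the French NIR number shape and the record layout are all assumptions. It also scrubs the name and raw allergen words from free text, since a note field leaks identifiers just as readily as a structured field does.

```python
import hashlib
import hmac
import re

# Constructed key for this example; a real deployment reads it from a secrets vault.
PSEUDONYM_KEY = b"example-pseudonym-key"
# Assumed allergen -> category map: the model only ever sees the category.
ALLERGY_CATEGORIES = {
    "penicillin": "antibiotic allergy",
    "amoxicillin": "antibiotic allergy",
    "peanut": "food allergy",
}
# Assumed SSN format: French NIR, 13 digits plus an optional 2-digit control key.
SSN_RE = re.compile(r"\b\d{13}(?:\s?\d{2})?\b")

def pseudonymize_name(name: str) -> str:
    """Keyed HMAC: same patient -> same token in a workspace, not reversible without the key."""
    digest = hmac.new(PSEUDONYM_KEY, name.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"PATIENT_{digest[:12]}"

def mask_ssn(text: str) -> str:
    """Replace every NIR-shaped number wholesale; no partial digits reach the model."""
    return SSN_RE.sub("[SSN]", text)

def abstract_allergy(allergy: str) -> str:
    """Collapse a specific allergen to its category; unknown allergens still get a category."""
    return ALLERGY_CATEGORIES.get(allergy.strip().lower(), "other allergy")

def deidentify(record: dict) -> dict:
    """Build the de-identified representation that is sent to the LLM."""
    pseudo = pseudonymize_name(record["name"])
    note = mask_ssn(record["note"])
    # Free text leaks too: scrub the patient's name and raw allergen words from the note.
    note = re.sub(re.escape(record["name"]), pseudo, note, flags=re.IGNORECASE)
    for allergen, category in ALLERGY_CATEGORIES.items():
        note = re.sub(rf"\b{allergen}\b", f"[{category}]", note, flags=re.IGNORECASE)
    return {
        "patient": pseudo,
        "allergies": sorted({abstract_allergy(a) for a in record["allergies"]}),
        "note": note,
    }

# Constructed sample record with a fictional patient and a made-up NIR.
SAMPLE = {
    "name": "Marie Dupont",
    "allergies": ["Penicillin", "peanut"],
    "note": "Marie Dupont, NIR 2850175123456 78, knee pain; penicillin allergy noted.",
}
```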

Trade guardrails

The agent can never invent a price, an agenda slot, or a practitioner that does not exist in the database. Tool use is restricted to an explicit allowlist (max 9 tools per workspace). Hallucinations are blocked by a post-generation check.

Independent audit

On May 17, 2026, Orkelia was audited by an independent consultant and obtained 71/100 — score "mature, more advanced than market average at this stage of development". Detailed report available on request to alexandre@orkelia.com.

ISO 27001 certification planned Q3 2026 for Group and Enterprise accounts.

Contacts

GDPR audit of your current stack?

30 min on video with the founder to compare your current vendor against the 12 GDPR points. No pitch, no commitment.
