Trust & security.
Public transparency page on Orkelia's infrastructure, compliance and GDPR commitments. Last updated May 18, 2026.
Stack and hosting
| Component | Provider | Region / certification |
|---|---|---|
| Database | Supabase | AWS eu-west-3 Paris (infrastructure) |
| Front + Edge runtime | Vercel | Frankfurt / Paris (CDN proxy), code under physiopros-projects |
| Transactional email | Resend | EU region, public Resend DPA |
| LLM agent (long text) | Anthropic Claude Sonnet 4.6 | Zero retention enabled (no model training) |
| LLM classification (replies) | Anthropic Claude Haiku 4.5 | Zero retention enabled |
| Payment | Stripe | PCI-DSS L1, Stripe Climate |
GDPR — verifiable commitments
- European hosting · data stored exclusively on AWS eu-west-3 Paris (Supabase project ID: ykafzpuxicvgatdluuel)
- EU hosting · AWS eu-west-3 (Paris) infrastructure. The Orkelia layer itself is not HDS-certified — and no health data is processed (see DPA).
- DPA provided before signing · EU standard contract on request at dpo@orkelia.com
- Zero retention LLM · Anthropic neither stores nor trains on your data (Enterprise clause)
- Pre-LLM anonymization · sensitive patient data (name, SSN, allergies) is pseudonymized before being sent to the model
- Right of access · full JSON export within <30 days on email request (GDPR Art. 15)
- Right to erasure · DB + logs + backups purge within <30 days (GDPR Art. 17)
- Audit logs · 12-month retention of admin/super-admin access
- Breach notification · <72h in accordance with GDPR Art. 33
- Declared sub-processors · exhaustive list in the DPA (Supabase, Vercel, Resend, Anthropic, Stripe)
- Full reversibility · DB export in SQL/JSON, complete deletion after the contractual period
- TOTP 2FA · enabled on all accounts; SAML SSO available on the Group plan
Application security
Authentication
Email + magic link via Supabase Auth, optional TOTP 2FA, signed JWT sessions with rotation, 7-day expiry.
Tenant isolation
PostgreSQL Row-Level Security on all sensitive tables. Automated tenant-isolation tests on every deploy.
Encryption
TLS 1.3 in transit, AES-256 at rest (Supabase + AWS RDS). Secrets in Vercel's encrypted vault, never in cleartext in the repo.
Anti-spam honeypot
All public forms (audit, partners, agent-sur-mesure, clinique-group) include a honeypot field. Bots filtered silently.
Security headers
HSTS, X-Frame-Options, X-Content-Type-Options, strict Permissions-Policy. CSP being hardened (report-only mode).
Dependencies
Automated npm audit on every deploy. Committed lockfile. Critical major upgrades (auth, crypto) reviewed manually.
AI — usage and guardrails
Models used
Orkelia uses two main Anthropic models: Claude Sonnet 4.6 for generation tasks (writing personalized drafts, agent conversations) and Claude Haiku 4.5 for classification tasks (categorizing incoming replies, identifying intent). No OpenAI/Google model is used in production.
Zero retention
Anthropic's "zero retention" option is enabled by default on all Orkelia LLM calls. Inputs and outputs are neither stored at Anthropic nor used to train the models. Contractual commitment via Enterprise clause.
Pre-LLM anonymization (health)
For Orkelia Clinic workspaces, an anonymization pipeline runs before every LLM call: pseudonymization of patient names, masking of social security numbers, abstraction of severe allergies into a category. The LLM sees a de-identified representation.
Business guardrails
The agent can never invent a price, an agenda slot or a doctor that doesn't exist in the database. Tool-use tools are explicitly whitelisted (max 9 tools per workspace). Hallucinations blocked by a post-generation check.
Human escalation
On sensitive topics (medical emergency, contractual request, complaint) the agent automatically escalates to you (SMS to mobile + dashboard). The agent never makes a medical or contractual decision on its own.
Independent audit
On May 17, 2026, Orkelia was audited by an independent consultant and scored 71/100 — "mature, more advanced than the market average at this stage of development". Detailed report available on request at alexandre@orkelia.com.
An ISO 27001 certification is planned for Q3 2026 for Group and Enterprise accounts.
Contacts
- DPO / GDPR · dpo@orkelia.com — DPA, right of access, erasure
- Security / responsible disclosure · security@orkelia.com — vulnerabilities
- Founder / sales · alexandre@orkelia.com — general questions
GDPR audit of your current stack?
30 min video call with the founder to compare your current vendor against the 12 GDPR points. No pitch, no commitment.
Book a 30-min audit →